ipfw

MNIHKLOM · Feb 11, 2013

Hi,

I am learning to understand ipfw by reading ipfw(8) but I can not understand the diagram in the PACKAGE FLOW both two vertical lines, horizontal lines and some descriptions within that diagram.

So also that description that look like table under RULE FORMAT that says Layer2, Ipv4, Source, Direction, Transmit, Misc. on the left hand side of a table like texts.

But for the first asking, I only need some lights or helps on the diagram in the first paragraph of my post.

My system is

Code:

[MNIHKLOM] ~% uname -a
FreeBSD MNIHKLOM.jesgroup.in.th 9.1-STABLE FreeBSD 9.1-STABLE #4 r245872: Sun Jan 27 10:07:55 ICT 2013
root@:/kaitag/obj/usr/src/sys/THUNYALICE  amd64

Any helps and hints are welcome and appreciate.

With best regards,
MNIHKLOM

wblock@ · Feb 11, 2013

PACKET FLOW, you mean? Make sure you are looking at it with a monospaced font:

Code:

                  ^    to upper layers    V
                  |                       |
                  +----------->-----------+
                  ^                       V
            [ip(6)_input]           [ip(6)_output]     net.inet(6).ip(6).fw.enable=1
                  |                       |
                  ^                       V
            [ether_demux]        [ether_output_frame]  net.link.ether.ipfw=1
                  |                       |
                  +-->--[bdg_forward]-->--+            net.link.bridge.ipfw=1
                  ^                       V
                  |      to devices       |

It's in ipfw(8). (Use [man=8]ipfw[/man] for tags.)

MNIHKLOM · Feb 11, 2013

wblock@ said:

PACKET FLOW, you mean? Make sure you are looking at it with a monospaced font:

Code:

                  ^    to upper layers    V
                  |                       |
                  +----------->-----------+
                  ^                       V
            [ip(6)_input]           [ip(6)_output]     net.inet(6).ip(6).fw.enable=1
                  |                       |
                  ^                       V
            [ether_demux]        [ether_output_frame]  net.link.ether.ipfw=1
                  |                       |
                  +-->--[bdg_forward]-->--+            net.link.bridge.ipfw=1
                  ^                       V
                  |      to devices       |

It's in ipfw(8). (Use [man=8]ipfw[/man] for tags.)

Yes, I mean this one. Oh apologized me for the wrong section number and tag and thanks for suggestion.

What I do not understand are the four lines in three directions and the texts in the diagram.

It looks like sysctl variables for those texts on the right most for example net.link.bridge.ipfw=1 and so on.

What are the meaning of ``to devices'' and ``to upper layers'' actually ? If I understood correctly, the left line represent packets flow from physical device (nic) to upper level of ``ISO layer'' but why it is ``input'' since it is going to go out to the internet or to the external machine.

Many thanks indeed for your prompt response and for your valuable times.

With best regards,
MNIHKLOM

wblock@ · Feb 11, 2013

"Input" and "output" are relative terms. In this case it's relative to the firewall, or to the machine the firewall is on. Packets coming in from the Ethernet cards are input, packets going out to the network are output.

MNIHKLOM · Feb 12, 2013

wblock@ said:
"Input" and "output" are relative terms. In this case it's relative to the firewall, or to the machine the firewall is on. Packets coming in from the Ethernet cards are input, packets going out to the network are output.

Hi,

Thanks for your clarification on `direction' . Your helps make reading ipfw(8) more easy. But I afraid that I need a lot of basic knowledge in reading this man page because I do not know what the meaning of those terms or texts in the diagram and where to find for further reading, I am reading FreeBSD Handbook along though.

Apologized me for my English which is not my native language.

I really thanks wblock@ for your great helps and for your valuable times indeed.

With best regards,
MNIHKLOM

wblock@ · Feb 12, 2013

Firewalls can be difficult to configure and use. There are good examples in /etc/rc.firewall.

m_zebardast · Feb 23, 2013

http://forums.freebsd.org/showpost.php?p=210368&postcount=5

MNIHKLOM · Feb 24, 2013

m_zebardast said:
http://forums.freebsd.org/showpost.php?p=210368&postcount=5

Hi,

I have heard a lot of `monowall' but I can not find where to install this software. I thank you very much for the link.

With best regards
MNIHKLOM

wblock@ · Feb 24, 2013

It is m0n0wall, with zeros. pfSense is a descendant of it.

MNIHKLOM · Feb 25, 2013

wblock@ said:
It is m0n0wall, with zeros. pfSense is a descendant of it.

My first attention is to ipfw as I said in the first post

...description that look like table under RULE FORMAT that says Layer2, Ipv4, Source, Direction, Transmit, Misc. on the left hand side of a table like texts.

in which I can not know which text on the left correspond to the text on the right :e.

Anyway, I really thanks for all helps and hints indeed.

With best regards,
MNIHKLOM