
List:       freebsd-ipfw
Subject:    Re: Difference between "src to dst" and "dst to src"
From:       "Crist J. Clark" <cjc () FreeBSD ! ORG>
Date:       2002-02-19 3:41:53

On Mon, Feb 18, 2002 at 07:10:18PM -0800, Bing Li wrote:
> Hi,
> 
> Is there any difference between the two as follows:
> 
> add 100 allow tcp from src to dst 22
> add 101 allow tcp from dst 22 to src

Uh, well, let's use hostname examples,

  add 100 allow tcp from client to server 22
  add 101 allow tcp from server 22 to client

The first rule passes TCP packets with a source address of "client,"
a destination address of "server," and destination port 22. The
second rule passes TCP packets with a source address of "server,"
a source port of 22, and a destination address of "client."

> I was confused with the output of "ipfw show":
> 
> 00100    1532    112460 allow tcp from src to dst 22
> 00101    1101    275166 allow tcp from dst 22 to src
> 
> Why are the values of the second columns different?
> So are the values of the third columns. The traffic was
> generated only by ssh from src to dst.

A TCP connection is a duplex connection. Traffic must flow in both
directions.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
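The point of the reply is that each ipfw rule matches one direction of the flow, and that a TCP session, even one the client opened, produces packets in both directions. The following is an added illustration, not code from this thread or from FreeBSD: a toy matcher that parses the two rules as written above, runs a constructed SSH session (hostnames "client" and "server", an invented ephemeral port, invented packet sizes) through them with first-match semantics, and reports per-rule packet and byte counters in the shape "ipfw show" prints them.

```python
"""Toy model of ipfw rule matching and per-rule counters.

Added example, not FreeBSD code: it parses the two rules from the thread
and pushes a constructed SSH session through them to show why a rule for
"server 22 -> client" still counts packets when only the client started
the connection. Hostnames, ports and packet sizes are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # total IP length in bytes (constructed)


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sport: Optional[int]  # None means "any port", as when ipfw omits it
    dst: str
    dport: Optional[int]
    pkts: int = 0
    bytes: int = 0

    def matches(self, p: Packet) -> bool:
        """A rule matches only in the direction it names: src/sport are
        checked against the packet's source, dst/dport against its destination."""
        return (self.proto == p.proto
                and self.src == p.src
                and (self.sport is None or self.sport == p.sport)
                and self.dst == p.dst
                and (self.dport is None or self.dport == p.dport))


def _endpoint(tokens):
    """'server 22' -> ('server', 22); 'client' -> ('client', None)."""
    host = tokens[0]
    port = int(tokens[1]) if len(tokens) > 1 else None
    return host, port


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread:
    'add <num> <action> <proto> from <host> [port] to <host> [port]'."""
    t = text.split()
    if t[0] != "add" or t[4] != "from" or "to" not in t:
        raise ValueError(f"unsupported rule: {text!r}")
    to = t.index("to")
    src, sport = _endpoint(t[5:to])
    dst, dport = _endpoint(t[to + 1:])
    return Rule(int(t[1]), t[2], t[3], src, sport, dst, dport)


def apply_rules(rules, packets):
    """First matching rule wins, as in ipfw; its packet and byte counters
    are bumped on every match. Unmatched packets fall through to a default deny."""
    verdicts = []
    for p in packets:
        for r in rules:
            if r.matches(p):
                r.pkts += 1
                r.bytes += p.length
                verdicts.append((r.number, r.action))
                break
        else:
            verdicts.append((65535, "deny"))
    return verdicts


def ssh_session():
    """Constructed packet trace of one interactive SSH login: handshake,
    then five keystroke/echo rounds. Sizes are illustrative only."""
    def c2s(n):
        return Packet("tcp", "client", 50000, "server", 22, n)

    def s2c(n):
        return Packet("tcp", "server", 22, "client", 50000, n)

    pkts = [c2s(60), s2c(60), c2s(52)]          # SYN, SYN-ACK, ACK
    for _ in range(5):
        pkts += [c2s(100), s2c(1400), c2s(52)]  # keystroke, screen update, ACK
    # Two packets neither rule should pass: a DNS query and a web request.
    pkts.append(Packet("udp", "client", 40000, "server", 53, 80))
    pkts.append(Packet("tcp", "client", 40001, "server", 80, 60))
    return pkts


def simulate():
    """Return {rule number: (packets, bytes)} plus the count of denied packets."""
    rules = [parse_rule("add 100 allow tcp from client to server 22"),
             parse_rule("add 101 allow tcp from server 22 to client")]
    verdicts = apply_rules(rules, ssh_session())
    counters = {r.number: (r.pkts, r.bytes) for r in rules}
    counters["denied"] = sum(1 for _, a in verdicts if a == "deny")
    return counters


if __name__ == "__main__":
    for key, val in simulate().items():
        print(key, val)  # 100 (12, 872) / 101 (6, 7060) / denied 2
```

With these made-up sizes the client-to-server rule counts more packets (keystrokes plus the ACKs for every server segment) while the server-to-client rule counts more bytes (screen output), which is the same asymmetry the original "ipfw show" output displays: neither rule on its own describes the connection, and a rule for only one direction would break the session.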
