From cagney@tpgi.com.au  Wed Jul 29 17:47:01 1998
Received: from andrew1.lnk.telstra.net (andrew1.lnk.telstra.net [139.130.51.121])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA16006
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 29 Jul 1998 17:46:58 -0700 (PDT)
          (envelope-from cagney@tpgi.com.au)
Received: (from cagney@localhost) by andrew1.lnk.telstra.net (8.8.8/8.7.3) id KAA00980; Thu, 30 Jul 1998 10:48:37 +1000 (EST)
Message-Id: <199807300048.KAA00980@andrew1.lnk.telstra.net>
Date: Thu, 30 Jul 1998 10:48:37 +1000 (EST)
From: Andrew Cagney <cagney@tpgi.com.au>
Reply-To: cagney@tpgi.com.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPFW doco unclear about in/out
X-Send-Pr-Version: 3.2

>Number:         7437
>Category:       docs
>Synopsis:       IPFW doco unclear about in/out
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 29 17:50:01 PDT 1998
>Closed-Date:    Tue Apr 27 21:49:46 CDT 1999
>Last-Modified:  Tue Apr 27 21:50:42 CDT 1999
>Originator:     Andrew Cagney
>Release:        FreeBSD 2.2.6-RELEASE i386
>Organization:
>Environment:

	IPFW configured into the kernel.
	Dual homed machine.

>Description:

	The documentation on IPFW isn't clear about its behaviour
	when handling a packet that is traversing a host acting
	as a gateway.

>How-To-Repeat:

	Look through the IPFW doc for a clear explanation of when/how
	the packet filtering rules are applied.

	Look through the IPFW doc for a clear explanation of what
	meta information is attached to a packet when it is presented
	to the packet filter.
	

>Fix:
	
The first part is to precisely describe the meta information
associated with an IPFW IP packet. I think it is:

	o	interface(s) (recv, xmit)

	o	direction

as well as the obvious:

	o	IP address

	o	packet type

	o	port address (tcp/udp)

	o	estab

	o	....

The second part is to explain that every packet is put through the
IPFW rules as part of traversing an interface.  (I.e. twice for a
routed packet).

If someone wants to work with me I'll make comments (at least) on the
changes.

			Andrew

PS: The doco doesn't need to be an explanation on how to operate a
firewall, rather how this specific firewall is implemented.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ghelmer 
State-Changed-When: Tue Apr 27 21:49:46 CDT 1999 
State-Changed-Why:  
Changed the ipfw(8) man page in -CURRENT to reflect desired information. 
>Unformatted:
