From: Joel Newkirk <netfilter@newkirk.us>
To: Oskar Andreasson <blueflux@koffein.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Packet chain traversals
Date: Sun, 27 Oct 2002 14:21:51 -0500
Message-ID: <200210271421.51119.netfilter@newkirk.us>
In-Reply-To: <Pine.LNX.4.44.0210271942340.12007-100000@laptop1.agatha>
On Sunday 27 October 2002 01:50 pm, Oskar Andreasson wrote:
> Hi Joel,
>
> On Sun, 27 Oct 2002, Joel Newkirk wrote:
> > I've been working on a chain traversal diagram (primarily for my own
> > reasons, but if anybody likes it they are welcome to use it
> > non-commercially) and have a few questions.
> >
> > First, the current form of the diagram is (temporarily) at
> > http://newkirk.no-ip.org:83/Traversal-sm.png
>
> Mmmmm, reminds me of that trip on LSD I took the other day.... =) just
> kidding.
mmm. about the resemblance, or the other day? :^) (just kidding too :^)
> It does look good really, except you made it rather confusing in
> one aspect... I don't know if it's just me, but why do you have two "out"
> and two "in"?
Two reasons mostly: That seems to reflect a common arrangement, where there
is a single connection to the internet and a single connection to local
network(s). (feel free to label the top one 'ppp0' and the bottom 'eth1')
It also allows the diagram to more clearly illustrate (to me at least) the
situation where a packet can be sent back out the same interface it arrived
from, such as a local DNAT redirection to another local IP. Also, one or
three (or more) would ruin the pretty symmetry...
In my mind, I always think of the local machine (local processes) as being
'inside' the firewall, with the individual interfaces being separated by it,
or the LAN being 'behind' it. I can't think of a useful, non-degenerate
example where this isn't a valid perspective, so I've held to it so far.
> > and the basic rule is that a packet cannot cross a black line. The
> > choices of colors are meaningless, except to differentiate chains.
> > Also, I wanted to ask for clarification on a point in the latest
> > iptables-tutorial "Traversing of tables and chains" section: At one
> > point it seems that packets pass through mangle-forward THEN
> > filter-forward, (diagram) yet elsewhere it seems to be the reverse.
> > (table 1) Which is correct?
>
> I just fixed this today actually. If you want to make absolutely certain,
> run the script attached to the tutorial (I added an updated version to
> this mail since the one in the released tutorial doesn't contain the
> mangle5hooks.patch fixes), tail -f the proper logfile
> and then send pings from different locations and directions (e.g., ping
> across the firewall, ping to the firewall and ping from the firewall).
> That way you will be able to make sure how it works.
Thanks.
> > Thanks for any input, examples, diagram criticism (artistic or logical)
> > etc. If your response seems to you to be useless to the list in general
> > then please just send it to me directly.
>
> no problem. Don't take me too seriously though, I am a lousy "artist"
> so... :)
I may be as well, but I've tired of always referring to a visualization that
suited my perspective, and decided to try to make a printed version. (BTW,
my actual intention is to tweak then fade the colors out about 70% before
printing a 'keeper', otherwise I'll have to cover it late in the evening...
:^)
j
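Oskar's "LOG rules plus tail -f" method, written out as a script. This is an added example, not the script attached to the tutorial or anything posted in this thread: it emits iptables-restore text with one LOG rule at the head of every built-in chain of the mangle, nat and filter tables, each rule stamping the kernel log with "<table>-<CHAIN>: ", so a ping across, to, or from the firewall leaves a trail in traversal order (in a stock kernel the mangle hooks register at a higher priority than filter's, so mangle FORWARD logs before filter FORWARD). It assumes a 2.4-era kernel with the five-hook mangle table and the LOG target; the file name traversal-log.sh is an assumption.

```shell
#!/bin/sh
# Added example, not the tutorial's script: emit LOG rules that stamp every
# built-in chain an ICMP echo-request crosses, so the kernel log shows the
# traversal order (e.g. mangle FORWARD relative to filter FORWARD).
# Assumes: 2.4-era kernel, 5-hook mangle table, LOG target available.
# Usage: sh traversal-log.sh                               # dry run, print rules
#        sh traversal-log.sh | iptables-restore --noflush  # install (as root)
#        tail -f /var/log/messages | grep -E '(mangle|nat|filter)-[A-Z]+: '

# Built-in chains of each table (assumption: 5-hook mangle table, as
# provided by the mangle5hooks patch mentioned in the thread).
chains_for() {
  case "$1" in
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
    filter) echo "INPUT FORWARD OUTPUT" ;;
    *)      echo "unknown table: $1" >&2; return 1 ;;
  esac
}

# One LOG rule, inserted (-I) at the head of the chain so an existing DROP
# further down cannot hide the marker. Prefix "<table>-<CHAIN>: " is what
# you grep for; --log-level 7 (debug) keeps it out of warning-level noise.
log_rule() {
  printf '%s\n' "-I $2 -p icmp --icmp-type echo-request -j LOG --log-level 7 --log-prefix \"$1-$2: \""
}

# iptables-restore fragment for one table: header line, rules, COMMIT.
table_block() {
  printf '*%s\n' "$1"
  for c in $(chains_for "$1"); do
    log_rule "$1" "$c"
  done
  printf 'COMMIT\n'
}

# Whole ruleset, tables in the order the kernel consults them at a shared hook.
traversal_ruleset() {
  for t in mangle nat filter; do
    table_block "$t"
  done
}

# Print only when run as a script, not when sourced.
case "$0" in
  *traversal-log.sh) traversal_ruleset ;;
esac
```

The nat table only sees the first packet of each connection, so its markers appear once per ping run while the mangle and filter markers repeat for every echo-request.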