[Firehol-support] Is it correct to think of interfaces vs routers as in "where the packet ends up going"?

Phil Whineray phil at firehol.org
Thu Jan 3 18:41:00 GMT 2019


On Thu, Jan 03, 2019 at 01:06:38PM +0100, Wojtek Swiatek wrote:
> Hello everyone
> I am trying to make sense again of interface vs router after reading a few
> times https://firehol.org/guides/firehol-welcome/
> If we assume the following topology with three hosts, the middle one having
> two interfaces:
> [] --- [eth0 =   eth1 =] --- []
> there are services which produce and consume packets on each of the
> interfaces (on each of the hosts). I will try to summarize the possible
> cases fot traffic families:
> -> - managed via "router" because the packets enter eth0
> and leave via eth1 without other interactions with the firewall
> -> - managed by "interface" as all traffic is local,
> never leaves the firewall
> -> - managed "interface" as the packet enters the
> firewall but stops at the entering interface
> Now the ones I struggle with:

For an "interface" firehol generates INPUT and OUTPUT iptables rules
and for a "router" it generates FORWARD rules.

The rest of the behaviour is determined by netfilter and Linux. What
does that mean in practice?

1. Any packet which is destined for this host winds up in an interface
   (or gets dropped for not matching an interface)

2. Any other packet is handled by a router (or is dropped for not
   matching one)

> -> - I do not know: on the one hane the traffic goes
> through the firewall (or at least - leaves it), but on the other hand it
> does not "cross" it, that is only one interface is used

This case is simple - it is just (1) above.

> -> - I do not know: the packet enters the firewall,
> goes from one interface to another but does not leave the firewall (again,
> no "crossing")
> In other words: is the rule that a packet must come in and out from a
> firewall to be managed by "router" and any other case is managed by the
> "interface" which eventually receives the packet (even if it went through
> another one on the way)?

That's a fair summary except for the last bit:

The packet does not really cross the firewall in any sense, when it
arrives it doesn't matter what physical (or virtual) device it arrives
on, if the IP matches any belonging to the machine it will be handled
via INPUT, so it is still (1).

The IPs assigned to devices only really matter for the network
communications themselves, i.e. what IP to give to an outgoing
connection, what ARP responses to give etc.

For those who want to understand how NAT affects things, the DNAT
(prerouting NAT) gets applied before the destination (INPUT or FORWARD)
decision is made and the SNAT (postrouting NAT) after the FORWARD/OUTPUT
decision. This diagram shows the gory detail:


Hope that helps

More information about the Firehol-support mailing list