From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 18 May 2009 11:06:54 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw   [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

57 problems total.
From: Ermal Luçi <ermal.luci@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 16:20:48 +0200
Subject: Does ipfw support interface groups?

Hello,

can ipfw use somehow interface groups as pf(4) can?
From a quick glance at documentation and not so thorough a look at the code
it does not, but I am sending this just in case I missed something during my
search!

Thanks,
-- 
Ermal

From: Luigi Rizzo <luigi@onelab2.iet.unipi.it>
To: Ermal Luçi
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 17:01:13 +0200
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
> Hello,
>
> can ipfw use somehow interface groups as pf(4) can?
> From a quick glance at documentation and not so thorough a look at the code
> it does not, but I am sending this just in case I missed something during my
> search!

something like

        ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...

is perhaps not so nice but does the job.

cheers
luigi

From: Ermal Luçi <ermal.luci@gmail.com>
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 17:45:01 +0200
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 5:01 PM, Luigi Rizzo wrote:
> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> Hello,
>>
>> can ipfw use somehow interface groups as pf(4) can?
>> From a quick glance at documentation and not so thorough a look at the code
>> it does not, but I am sending this just in case I missed something during my
>> search!
>
> something like
>
>         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>
> is perhaps not so nice but does the job.

Hmmm, forgot about glob(3) goodness.

Thanks,
-- 
Ermal

From: Evgenii Davidov <dado@cnt.korolev-net.ru>
To: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 19:43:34 +0400
Subject: Re: Does ipfw support interface groups?

Hello,

On Thu, May 21, 2009 at 05:01:13PM +0200, Luigi Rizzo writes:
> > can ipfw use somehow interface groups as pf(4) can?
>
> ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...

I use vlan20* :)

-- 
Evgenii V Davidov

From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 08:49:30 -0700
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> can ipfw use somehow interface groups as pf(4) can?
>> From a quick glance at documentation and not so thorough a look at the code
>> it does not, but I am sending this just in case I missed something during my
>> search!
>
> something like
>         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
> is perhaps not so nice but does the job.

Seriously??!!

Luigi, you just made my day. :) Writing duplicate sets of rules for
multi-homed firewalls where the only thing that's different is the
incoming interface has been a pain ...

Thanks for the info!!

-- 
Freddie Cash
fjwcash@gmail.com

From: Luigi Rizzo <luigi@onelab2.iet.unipi.it>
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 18:42:25 +0200
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
> >> can ipfw use somehow interface groups as pf(4) can?
> >> From a quick glance at documentation and not so thorough a look at the code
> >> it does not, but I am sending this just in case I missed something during my
> >> search!
> >
> > something like
> >         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
> > is perhaps not so nice but does the job.
>
> Seriously??!!
>
> Luigi, you just made my day. :) Writing duplicate sets of rules for
> multi-homed firewalls where the only thing that's different is the
> incoming interface has been a pain ...

you can always put multiple rules that check the variant part
and skipto the common one

        ipfw add 100 skipto 2000 in recv xl1
        ipfw add 100 skipto 2000 in recv bge0
        ...
        ipfw add 100 count // interface not recognised
        ipfw add 2000 ...  // do the common part

cheers
luigi
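The three ways of standing in for a pf-style interface group that come up in the thread so far (an or-block inside one rule, a wildcard in the interface name, and one skipto rule per interface that jumps to a common block) collected into one script. This is an added example, not code from the thread or from FreeBSD; the interface names (em0, vlan20, vlan21, xl1, bge0), the rule numbers and the policy in the common block are assumed. With DRYRUN=1, the default, it only prints the ipfw commands it would run, so it can be read and checked on any machine; run it as root with DRYRUN=0 on the FreeBSD host to load them.

```shell
#!/bin/sh
# Emulating pf-style interface groups in ipfw (added example).
# A "group" is a shell variable listing interface names; the helpers
# below expand it into the two rule forms discussed in the thread.
# Interface names, rule numbers and the common policy are assumptions.

: "${DRYRUN:=1}"
cmd() {
    # Print the rule (DRYRUN=1) or hand it to ipfw(8) (DRYRUN=0).
    if [ "$DRYRUN" = 1 ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

lan_ifs="em0 vlan20 vlan21"   # assumed inside interfaces
wan_ifs="xl1 bge0"            # assumed upstream interfaces

# or_block DIR IF... : print "{ DIR if1 or DIR if2 ... }", an ipfw or-block
# matching any member, to be placed inside a single rule. DIR is recv,
# xmit or via. One member needs no braces, so it is printed bare.
or_block() {
    dir=$1; shift
    [ $# -gt 0 ] || return 1
    if [ $# -eq 1 ]; then echo "$dir $1"; return 0; fi
    out="{ $dir $1"; shift
    for i in "$@"; do out="$out or $dir $i"; done
    echo "$out }"
}

# dispatch_rules RULENO TARGET DIR IF... : one skipto rule per member,
# all sharing RULENO, so traffic on any member jumps to the common block
# at TARGET; a count rule with the same number catches everything else.
dispatch_rules() {
    ruleno=$1; target=$2; dir=$3; shift 3
    for i in "$@"; do
        cmd add "$ruleno" skipto "$target" ip from any to any in "$dir" "$i"
    done
    cmd add "$ruleno" count ip from any to any in // not a group member
}

# 1. Single-rule form: the or-block lives inside one rule.
#    $lan_ifs is deliberately unquoted so it splits into separate words.
cmd add 1000 allow tcp from any to me dst-port 22 $(or_block recv $lan_ifs)

# 2. Wildcard form: ipfw matches an interface name containing * or ? as a
#    pattern, so a naming convention can stand in for a group. Quote it
#    so the shell does not expand it against the current directory.
cmd add 1010 allow udp from any to me dst-port 53 in recv 'vlan2*'

# 3. Dispatch form for a multi-homed box: anything that arrived on a WAN
#    interface jumps to the common block at 2000 (policy assumed).
dispatch_rules 100 2000 recv $wan_ifs
cmd add 2000 deny ip from 10.0.0.0/8 to any in
cmd add 2010 allow tcp from any to me dst-port 443 in setup
```

Because every dispatch rule shares one number, `ipfw delete 100` removes the whole group at once, which is convenient when regenerating the set but easy to do by accident on a live box.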
From: Steve Bertrand <steve@ibctech.ca>
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 12:41:22 -0400
Subject: Re: Does ipfw support interface groups?

Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
>> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>>> can ipfw use somehow interface groups as pf(4) can?
>>> From a quick glance at documentation and not so thorough a look at the code
>>> it does not, but I am sending this just in case I missed something during my
>>> search!
>> something like
>>         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> is perhaps not so nice but does the job.
>
> Seriously??!!
>
> Luigi, you just made my day. :) Writing duplicate sets of rules for
> multi-homed firewalls where the only thing that's different is the
> incoming interface has been a pain ...

Aside from Luigi's piece of trickery, if you are accustomed to making
frequent changes to live rulesets (and then promptly
forgetting/neglecting to add them into your startup scripts), might I
recommend something that has become very useful to me:

I have /etc/ipfw.rules which contains the variable definitions and all
table configurations as my primary startup script. At the bottom of that
file, I have:

. /etc/ipfw.include

This instructs the sh script to pick up the data from the ipfw.include
file, and process it as well.

Instead of implementing the rules live, and then adding them into the
startup script manually, I simply (from time-to-time) run this
(copy/paste into CLI):

ipfw list | \
perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \
> /etc/ipfw.include
chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

That then makes a copy of your current live ruleset into your
/etc/ipfw.include file, which will be loaded upon next reboot.

Steve
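The save step from the message above, done in sh instead of perl, as an added example (not Steve's or FreeBSD's code). It assumes, as his setup does, that the including script defines $cmd (for instance cmd="ipfw -q add") and that the file is sourced at the bottom of /etc/ipfw.rules. Two checks are added that the one-liner lacks: the reserved default rule 65535 is dropped, since ipfw refuses it as a new rule and sourcing the unfiltered output always errors on that line; and the file is written under a temporary name, checked, and only then renamed into place, so a failure half way through never leaves an empty or partial /etc/ipfw.include for the next boot to load. The chown to root:wheel is left to the caller, which would normally be root anyway.

```shell
#!/bin/sh
# Save the live ipfw ruleset as a sourceable include file (added example).
# Real use:   ipfw list | save_ruleset /etc/ipfw.include
# $cmd is assumed to be defined by the script that sources the include.

# Read 'ipfw list' output on stdin, write include-file lines on stdout:
# drop the default rule, quote table(N) so sh does not see a subshell,
# and prefix every remaining line with a literal "$cmd ".
ipfw_list_to_include() {
    sed -e '/^65535 /d' \
        -e 's/table(\([0-9][0-9]*\))/"table(\1)"/g' \
        -e 's/^/$cmd /'
}

# Sanity check on a generated include file. Returns 0 only if the file is
# non-empty, every line carries the "$cmd " prefix, and no parentheses
# remain outside a quoted "table(N)" (an unquoted one would break sh).
check_include() {
    [ -s "$1" ] || return 1
    grep -qv '^\$cmd ' "$1" && return 1
    sed 's/"table([0-9]*)"//g' "$1" | grep -q '[()]' && return 1
    return 0
}

# Write the include file atomically: generate into a temporary file next
# to the destination, tighten the mode, verify, then rename into place.
# On any failure the temporary file is removed and the old file is kept.
save_ruleset() {
    dest=$1
    dir=$(dirname "$dest")
    tmpf=$(mktemp "$dir/.ipfw.include.XXXXXX") || return 1
    if ipfw_list_to_include > "$tmpf" && chmod 400 "$tmpf" \
        && check_include "$tmpf"; then
        mv -f "$tmpf" "$dest"
    else
        rm -f "$tmpf"
        return 1
    fi
}

# Demo on constructed 'ipfw list' output (no firewall needed).
sample='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from table(1) to me dst-port 22 in recv em0 setup
65535 deny ip from any to any'
printf '%s\n' "$sample" | ipfw_list_to_include
```

Note that `ipfw list` only dumps the static rules: table contents, dummynet pipes and queues, and nat instances are not in it, which is why the tables stay in the hand-written /etc/ipfw.rules in the setup above and only the rules go through this path.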
(UTC) (envelope-from fjwcash@gmail.com) Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.29]) by mx1.freebsd.org (Postfix) with ESMTP id 8AA978FC3C for ; Thu, 21 May 2009 17:20:41 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: by yw-out-2324.google.com with SMTP id 9so747335ywe.13 for ; Thu, 21 May 2009 10:20:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=mfkupuMIvWKOiTjdoUQcE6cC0vdRpFMozwDMi1mkhXU=; b=RZ/znFSaWGfDmBjNejqa33pj9LEza8y6C4EnV2vFOyAhfG09rDjPQRZaFDJ4PL0wfW M5hbUVkai8MZ4F0dPR1UZwOrzlWneN2sJO8jaHbMqo9z4b6gi0OTs5Ha/mdoRCq4ooBY QA+dv8LmzLzRV4lPaQLzI7oCur6s6F0ZhKOSU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=q9lFKNadMU3fndB0OLoPAACAiZZcG5RxIrZ/HBw/id6EkFq1cwuHx+L7YjY8cMAGYs /NWXYVK/ZtnoAiBoKqug2BdvDYXSRn/gDlJcW2HU74czkZ6Ro5TPyr16gGBh0/d1Neec ivQ82qIfqjhDlxUR5eXteGVfQL8MypmVoPV8w= MIME-Version: 1.0 Received: by 10.151.73.7 with SMTP id a7mr5615438ybl.148.1242926440861; Thu, 21 May 2009 10:20:40 -0700 (PDT) In-Reply-To: <4A158432.5050303@ibctech.ca> References: <9a542da30905210720y50fafe59ld3459c9e76ef5824@mail.gmail.com> <20090521150113.GA47160@onelab2.iet.unipi.it> <4A158432.5050303@ibctech.ca> Date: Thu, 21 May 2009 10:20:40 -0700 Message-ID: From: Freddie Cash To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: Does ipfw support interface groups? 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2009 17:20:42 -0000 On Thu, May 21, 2009 at 9:41 AM, Steve Bertrand wrote: > Freddie Cash wrote: >> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote: >>> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Lu?i wrote: >>>> can ipfw use somehow interface groups as pf(4) can? >>>> From a quick glance at documentation and not so through look at code >>>> it does not but i am sending this just if i missed something during my >>>> search! >>> something like >>> =C3=82 =C2=A0=C3=82 =C2=A0=C3=82 =C2=A0=C3=82 ... { recv ed0 or recv xl= 1 or recv ath4 or recv vlan0 } ... >>> is perhaps not so nice but does the job. >> >> Seriously??!! >> >> Luigi, you just made my day. =C2=A0:) =C2=A0Writing duplicate sets of ru= les for >> multi-homed firewalls where the only thing that's different is the >> incoming interface has been a pain ... > > Aside from Luigi's piece of trickery, if you are accustomed to making > frequent changes to live rulesets (and then promptly > forgetting/neglecting to add them into your startup scripts), might I > recommend something that has become very useful to me: > > I have /etc/ipfw.rules which contains the variable definitions and all > table configurations as my primary startup script. At the bottom of that > file, I have: > > . /etc/ipfw.include > > This instructs the sh script to pick up the data from the ipfw.include > file, and process it as well. We do something similar, with a global config file with all the common variables, tables, queues, etc; and a master script with the rules for the firewall itself and the master NAT setup, which then pulls in separate scripts for each 1-to-1 NAT for servers at the sites. We make very heavy use of shell variables, tables, and the like. 
> Instead of implementing the rules live, and then adding them into the > startup script manually, I simply (from time-to-time) run this > (copy/paste into CLI): > > ipfw list | \ > perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \ >> /etc/ipfw.include > chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include > > That then makes a copy of your current live ruleset into your > /etc/ipfw.include file, which will be loaded upon next reboot. We do something similar every now and again to keep a backup of the live rules, just in case. But it's only used to compare against the live rules at a later date. Due to the heavy use of variables and formatting in our scripts, there's no way we'd consider using this output as an input script. :) It's hard enough to read the output of ipfw when it's running ... I wouldn't want to have to wade through that to add/update rules saved to a file. :) --=20 Freddie Cash fjwcash@gmail.com From owner-freebsd-ipfw@FreeBSD.ORG Thu May 21 17:22:59 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 25BA81065673 for ; Thu, 21 May 2009 17:22:59 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.28]) by mx1.freebsd.org (Postfix) with ESMTP id D338F8FC14 for ; Thu, 21 May 2009 17:22:58 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: by yx-out-2324.google.com with SMTP id 8so748075yxb.13 for ; Thu, 21 May 2009 10:22:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=CszPKtGWEVBihhCHhJxTb/Ltr+tfffN5AGUpEEwPLKU=; b=cnBJrXTXeXM7lNjUARWpWL4s8tn8gWy6fzXdgoqGn56q5OMGdKoPkT6Gk5WP0ZTCIY IojeyBUhg4UzaWKlkFkqFmx/5pGmymKdv1/S02YX70cvPBfTnJJBsqGDwWgkXxbUcTr3 
From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 10:22:58 -0700
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 9:42 AM, Luigi Rizzo wrote:
> On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
>> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
>> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> >> can ipfw use somehow interface groups as pf(4) can?
>> >> From a quick glance at documentation and not so thorough look at code
>> >> it does not but I am sending this just if I missed something during my
>> >> search!
>> >
>> > something like
>> >         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> > is perhaps not so nice but does the job.
>>
>> Seriously??!!
>>
>> Luigi, you just made my day.
>> :) Writing duplicate sets of rules for
>> multi-homed firewalls where the only thing that's different is the
>> incoming interface has been a pain ...
>
> you can always put multiple rules that check the variant part
> and skipto the common one
>
>         ipfw add 100 skipto 2000 in recv xl1
>         ipfw add 100 skipto 2000 in recv bge0
>         ...
>         ipfw add 100 count // interface not recognised
>         ipfw add 2000 ...  // do the common part

Skipto is very powerful, and we use it in some cases. But I try not to
use it very often, as it can lead to spaghetti rules that are hard to
follow. :) We have one firewall where it takes a good 10 minutes to
track the path a packet takes through the rulelist, as there are so many
skipto rules and multiple interfaces/vlans (it's scheduled for a rewrite
this summer).

-- 
Freddie Cash
fjwcash@gmail.com
From: Julian Elischer
To: Ermal Luçi
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 10:54:32 -0700
Subject: Re: Does ipfw support interface groups?

Ermal Luçi wrote:
> Hello,
>
> can ipfw use somehow interface groups as pf(4) can?
> From a quick glance at documentation and not so thorough look at code
> it does not but I am sending this just if I missed something during my
> search!
>
> Thanks,

no, but you can do "em*"
From: Julian Elischer
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 21 May 2009 11:12:39 -0700
Subject: Re: Does ipfw support interface groups?

Freddie Cash wrote:
> Skipto is very powerful, and we use it in some cases. But I try not
> to use it very often, as it can lead to spaghetti rules that are hard
> to follow. :) We have one firewall where it takes a good 10 minutes
> to track the path a packet takes through the rulelist, as there are so
> many skipto rules and multiple interfaces/vlans (it's scheduled for a
> rewrite this summer).
don't forget you can now do a skipto tablearg :-)
From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Date: Fri, 22 May 2009 11:41:23 -0700
Subject: Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> can ipfw use somehow interface groups as pf(4) can?
>> From a quick glance at documentation and not so thorough look at code
>> it does not but I am sending this just if I missed something during my
>> search!
>
> something like
>
>         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
> is perhaps not so nice but does the job.

Just tested this on one of our firewalls, and can report that it works
wonderfully. Now to compress the rules a bit using this. :)

Thanks again, Luigi!!

-- 
Freddie Cash
fjwcash@gmail.com
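To put the thread's pieces together, here is an added example of a ruleset script in the style Freddie describes (shell variables, everything through $cmd). It is not code from the thread or from FreeBSD. It builds Luigi's { recv a or recv b ... } block from a single variable holding the interface set, uses Luigi's layout of variant sections that skipto a common tail, and uses Julian's skipto tablearg, where a table maps a source network to the rule number that handles it (ipfw tables here are keyed by address, so the interface set still goes through the or-block). Interface names em0, em1 and vlan10, table 1 and the 10.1/16 and 10.2/16 networks are made up for the example. By default $cmd is "echo ipfw -q add", so the script prints what it would load; set IPFW_CMD="ipfw -q add" and IPFW_TABLE_CMD="ipfw -q table" on the firewall to load it for real.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset script that keeps
# the interface set in one variable and emits the constructions discussed
# above. Interface names, table number and networks are made up.

# Dry run by default: print the rules instead of loading them. On the
# firewall: IPFW_CMD="ipfw -q add" IPFW_TABLE_CMD="ipfw -q table" sh rules.sh
cmd="${IPFW_CMD:-echo ipfw -q add}"
tblcmd="${IPFW_TABLE_CMD:-echo ipfw -q table}"

inside_ifs="em0 em1 vlan10"   # the "interface group", defined once

# or_block KEYWORD IF...  ->  { KEYWORD IF1 or KEYWORD IF2 ... }
# Builds Luigi's or-block from a list; a single interface needs no braces.
or_block() {
    kw="$1"; shift
    [ $# -gt 0 ] || return 1
    if [ $# -eq 1 ]; then
        echo "$kw $1"
        return 0
    fi
    block="{"
    for i in "$@"; do
        block="$block $kw $i or"
    done
    echo "${block% or} }"
}

gen_ruleset() {
    # Common rule written once; the or-block stands in for N per-interface copies.
    $cmd 100 allow tcp from any to me dst-port 22 in $(or_block recv $inside_ifs) setup

    # skipto tablearg: table 1 maps a source prefix to the rule number that
    # handles it, so one rule dispatches instead of one skipto per network.
    $tblcmd 1 add 10.1.0.0/16 2000
    $tblcmd 1 add 10.2.0.0/16 3000
    $cmd 200 skipto tablearg ip from "table(1)" to any in
    $cmd 300 count ip from any to any in      # source not in table 1, falls through

    # Per-network sections, each ending with a skipto to the common tail
    # (Luigi's layout: variant part first, common part after).
    $cmd 2000 allow tcp from 10.1.0.0/16 to any dst-port 25,80,443
    $cmd 2999 skipto 5000 ip from any to any
    $cmd 3000 allow tcp from 10.2.0.0/16 to any dst-port 80,443
    $cmd 3999 skipto 5000 ip from any to any

    # Common tail
    $cmd 5000 allow ip from any to any out $(or_block xmit $inside_ifs)
    $cmd 65000 deny log ip from any to any
}

gen_ruleset
```

The unquoted $cmd and $(or_block ...) expansions are deliberate: sh splits them into the separate words ipfw expects, including the braces and "or" tokens. Keeping the interface list in one variable is what makes the rewrite Freddie mentions tractable: adding a VLAN is one edit, not one edit per rule.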