From owner-freebsd-ipfw@FreeBSD.ORG Sat May 21 16:36:06 2005
From: Giulio Ferro
Date: Sat, 21 May 2005 18:35:51 +0200
To: freebsd-ipfw@freebsd.org
Subject: Multiple match
Message-ID: <428F6367.4020004@zirakzigil.org>
List-Id: IPFW Technical Discussions

After many years of using ipfw I've suddenly realized it doesn't do what I would expect...

Let's keep it to this simple example. On my firewall box I have 2 NICs, with machines attached to either side of it:

Client 1 ----------rl0-|IPFW BOX|-rl1------------Client2

(let's suppose that both Client1 and Client2 know about their respective routes...)

I have a single rule in ipfw:

ipfw add 10 allow icmp from any to any in via rl1

(the ping won't come back, but it doesn't matter here)

What I expected, until yesterday, was that if I ping from Client2 to Client1, my ping _ONLY_ passed through interface rl1, _NOT_ rl0!

So, if I had wanted to make it pass through the whole firewall I would have set 2 rules:

add 10 allow icmp from any to any in via rl1
add 20 allow icmp from any to any out via rl0

If I turn on logging, I notice that rule 10 will be matched twice:

10 Allow ... in via rl1
10 Allow ... out via rl0

I don't like it. It doesn't give me enough control over the flows of traffic.

What do you think about this?
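The ruleset below is an added example, not part of the original post or of any reply to it. It shows the two-rule "in via rl1" / "out via rl0" ruleset from the message side by side with an equivalent that pins each direction to an explicit interface using ipfw's recv and xmit keywords (documented in ipfw(8): recv tests the receive interface on either pass, xmit tests the transmit interface and is only valid with out), so that a forwarded ICMP packet is accounted for by exactly one rule on each pass and a final deny catches anything that took another path. The interface names rl0/rl1 are taken from the post; the IPFW_BIN and DRY_RUN variables and the helper function names are assumptions made for this example, and with the default DRY_RUN=1 the script only prints the ipfw commands instead of applying them.

```shell
#!/bin/sh
# Added example: explicit per-direction interface matching in ipfw.
# Assumptions (not from the original post): IPFW_BIN, DRY_RUN and the
# helper names below. With DRY_RUN=1 (default) nothing is applied.
IPFW_BIN=${IPFW_BIN:-ipfw}
DRY_RUN=${DRY_RUN:-1}

# Print the command when dry-running, otherwise execute it (needs root).
ipfw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPFW_BIN $*"
    else
        "$IPFW_BIN" "$@"
    fi
}

# Ruleset A: the rules as written in the post. "via" tests the interface
# on whichever pass the packet is on, so both rules use the same vague test.
rules_via() {
    ipfw_cmd add 10 allow log icmp from any to any in via rl1
    ipfw_cmd add 20 allow log icmp from any to any out via rl0
}

# Ruleset B: one rule per pass, each naming the interface it cares about.
#  - rule 10: input pass, packet must have been received on rl1
#  - rule 20: output pass, packet must have come in on rl1 AND leave on rl0
#  - rule 30: anything else (e.g. ICMP arriving on rl0) is logged and dropped
rules_recv_xmit() {
    ipfw_cmd add 10 allow log icmp from any to any in recv rl1
    ipfw_cmd add 20 allow log icmp from any to any out recv rl1 xmit rl0
    ipfw_cmd add 30 deny log icmp from any to any
}

# Count how many rules in a ruleset mention an interface; used as a
# sanity check on the generated ruleset before applying it.
count_rules_for_iface() {
    "$1" | grep -c "$2"
}

rules_recv_xmit
```

Run it as-is to see the commands; run it with DRY_RUN=0 as root on the firewall to apply them (after a `ipfw -f flush` of your own, which the script deliberately does not issue). With ruleset B a ping from Client2 to Client1 should produce one log line for rule 10 (in recv rl1) and one for rule 20 (out recv rl1 xmit rl0), and nothing for rule 30; a log line for rule 30 means the packet entered or left by an interface the ruleset did not expect.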