Date:      Wed, 15 Jan 1997 15:07:35 -0800 (PST)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        Poul-Henning Kamp <phk@critter.dk.tfs.com>
Cc:        Nate Williams <nate@mt.sri.com>, current@FreeBSD.ORG
Subject:   Re: ipfw cannot do this... 
Message-ID:  <Pine.BSF.3.95.970115144424.8754A-100000@harlie>
In-Reply-To: <28373.853360497@critter.dk.tfs.com>


On Wed, 15 Jan 1997, Poul-Henning Kamp wrote:

> >> Actually, what I really want is an ipfw add skip XXX ... where if
> >> something matches the rule, skip all other rules below XXX (yes, I always
> >> number my rules:-)
> >
> >If you get a match, it *will* skip all the other rules.

I don't want it to skip *ALL* the rules, only the ones I don't want
applying to the current packet.  Ah, I see where the misunderstanding is.
I'm referring to something like this.

/sbin/ipfw add 100 skip 300 from any to any via ed0
# the following rules do not apply to anything coming in via ed0, but do
# apply to all other interfaces
/sbin/ipfw add 200 deny log all from localnet1 to any
/sbin/ipfw add 201 deny log all from localnet2 to any
# at this point, these rules would apply to all interfaces
/sbin/ipfw add 300 accept from all to mymachine

admittedly not a good example of why I want something like this, but
I'm trying to clear up the misunderstanding.

> In essence what I needed was to skip only some rules, but reversing
> the logic certainly did the trick for me.

Here's one that can be pretty convoluted with the current rules.

We use ipfw accounting to track the T1 usage of virtual servers and
colocated equipment.  The tracking is done on our primary web server, and
all colocated equipment routes through this web server, though the rest of
our equipment isn't behind this machine.

However, we don't want to track "in-house" traffic.  So, in order to do
this using the current rules, we could do this one of two ways.

	1) using the skip to rule XXX idea, tell it to skip the accounting
		rules if both source and destination are in our class C

	2) handle all blocking (most of which is done by the router to the
		T1, so this is feasible), then accept all remaining from
		and to local addresses, then do the accounting, then
		accept the rest

To me, method one looks cleaner.  Then again, I'm really not saying that
we desperately need this, just explaining why I'd be interested.

Then again, the not would work nicely for cleanwalling if you could say
"not eth0" or such, i.e.

/sbin/ipfw add 200 deny log all from localnet to any not eth0

where eth0 is the interface to localnet

Hate to say it, but Linux's ipfwadm, with its separate input, forward,
and output lists, makes cleanwalling and firewalling on the same machine
quite simple, though not quite as simple as the "not eth0" form.




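The two ways of keeping in-house traffic out of the accounting rules, modelled as an added example that is not code from the message above or from ipfw itself: a small Python evaluator of first-match rule semantics with the hypothetical "skip NNN" action the message asks for (later ipfw releases grew a "skipto" action with exactly this meaning). It compares method 1 (skip the accounting rules when both ends are local), method 2 (do all blocking first, accept local traffic, count, accept the rest) and a naive ordering that does the blocking after the local accept, on a constructed traffic sample. The addresses, interface names, rule numbers and the default deny at the end of the chain are all assumptions of this model.

```python
"""Toy first-match packet-filter evaluator with a hypothetical ``skip`` action.

Added example, not ipfw: it models the rule-ordering semantics discussed in
the message so the two accounting layouts can be compared side by side.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges); assumptions.
LOCALNET = ipaddress.ip_network("192.0.2.0/24")     # "our class C"
PROTECTED = ipaddress.ip_network("192.0.2.10/32")   # host nobody may reach
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                        # accept, deny, count, or hypothetical skip
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    via: Optional[str] = None          # interface the packet uses; None = any
    target: int = 0                    # rule number to resume at for "skip"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.via is None or self.via == p.iface))


def evaluate(rules: List[Rule], packet: Packet, counters: Counter) -> str:
    """Try rules in ascending number order, as ipfw does.

    ``count`` records the packet and keeps going; ``skip`` resumes at the first
    rule numbered >= target (forward only, so no loops); ``accept``/``deny``
    end evaluation. Falling off the end is a deny, modelling the default
    deny rule at the end of the chain (an assumption of this model).
    """
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(packet):
            i += 1
        elif r.action == "count":
            counters[r.num] += 1
            i += 1
        elif r.action == "skip":
            if r.target <= r.num:
                raise ValueError(f"rule {r.num}: skip must go forward")
            i = next((j for j, s in enumerate(rules) if s.num >= r.target), len(rules))
        else:
            return r.action
    return "deny"


# Method 1: skip only the accounting rules for in-house traffic. The deny rule
# is written once, after the accounting, and still sees in-house packets.
METHOD1 = [
    Rule(100, "skip", src=LOCALNET, dst=LOCALNET, target=300),
    Rule(200, "count", src=LOCALNET),          # outbound T1 usage
    Rule(201, "count", dst=LOCALNET),          # inbound T1 usage
    Rule(300, "deny", dst=PROTECTED),
    Rule(400, "accept"),
]

# Method 2: all blocking first, then accept in-house traffic outright, then
# count, then accept the rest. Works today, but forces the deny to come first.
METHOD2 = [
    Rule(100, "deny", dst=PROTECTED),
    Rule(200, "accept", src=LOCALNET, dst=LOCALNET),
    Rule(300, "count", src=LOCALNET),
    Rule(301, "count", dst=LOCALNET),
    Rule(400, "accept"),
]

# Naive ordering without skip: the in-house accept shadows the later deny.
NAIVE = [
    Rule(100, "accept", src=LOCALNET, dst=LOCALNET),
    Rule(200, "count", src=LOCALNET),
    Rule(201, "count", dst=LOCALNET),
    Rule(300, "deny", dst=PROTECTED),
    Rule(400, "accept"),
]

# Constructed traffic sample: in-house, outbound, inbound, and in-house to
# the protected host, which must be denied whatever the layout.
SAMPLE = [
    Packet("192.0.2.5", "192.0.2.7", "ed0"),
    Packet("192.0.2.5", "198.51.100.9", "ed1"),
    Packet("198.51.100.9", "192.0.2.5", "ed1"),
    Packet("192.0.2.5", "192.0.2.10", "ed0"),
]


def run(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], int]:
    """Return the per-packet verdicts and how many packets were counted."""
    counters: Counter = Counter()
    verdicts = [evaluate(rules, p, counters) for p in packets]
    return verdicts, sum(counters.values())


if __name__ == "__main__":
    for name, rs in (("skip", METHOD1), ("blocking first", METHOD2), ("naive", NAIVE)):
        print(f"{name:15s} {run(rs, SAMPLE)}")
```

Methods 1 and 2 give the same verdicts and both count only the two T1 packets; the naive layout counts the same two but lets the in-house packet through to the protected host, which is why, without a skip action, every blocking rule has to sit ahead of the in-house accept.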