Date: Thu, 3 Apr 2003 19:34:55 -0800
From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To: freebsd-ipfw@freebsd.org
Subject: Sereciya :: Some thoughts on IPFW(2)
Message-ID: <20030404033455.GA31867@kurdistan.ath.cx>
Hello,

I hope that it is not inappropriate or out of place contacting you directly.

I would like to thank you for all the effort you put into ipfw, you're greatly simplifying my life! Thank you! Thank you! Thank you!

Before we had block style features of ipfw2, we had to make extensive use of the skipto clause to achieve the same functionality; that meant lots and lots of ipfw entries.

Now, instead of having to do:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    ipfw add 10001 skipto 10012 all from ${myhost} to not ${myhost} out via ${oif_1}
    ipfw add 10011 skipto 10020 all from any to any
    ipfw add 10012 allow ah from any to any rtsp out via ${oif_1}
    ipfw add 10013 allow udp from any to any rtsp out via ${oif_1}
    ipfw add 10014 allow tcp from any to any rtsp out via ${oif_1}
    ipfw add 10021 ...

We can finally do:
^^^^^^^^^^^^^^^^^

    ipfw add 10011 skipto 10013 all from ${myhost} to not ${myhost} out via ${oif_1}
    ipfw add 10012 skipto 10020 all from any to any out via ${oif_1}
    ipfw add 10013 allow \{ ah or udp or tcp \} from any to any rtsp out via ${oif_1}
    ipfw add 10021 ...

Additionally, I have one comment, and one question/request.

Comment:
^^^^^^^^

Unlike the documentation in the manpage*, the following syntax -- defined block/portnumber list/block -- is not correct:

    ipfw add NNNN allow tcp from some_ip to another_ip \{ port_num1, portnum2 \}

I have found that when using port numbers, the brackets {}'s or ()'s will cause an error; it does work if you omit them.

*I'm tracking 4.7 STABLE, I'm currently up to 4.8-RC

Request/Question:
^^^^^^^^^^^^^^^^^

Something that would be extremely useful would be support for an implied "and" clause...

Imagine using:

    ipfw add 10011 allow \{ ah or udp or tcp \} from ${myhost} to \{ not ${myhost} \} rtsp out via ${oif_1}

Instead of:

    ipfw add 10011 skipto 10013 all from ${myhost} to not ${myhost} out via ${oif_1}*
    ipfw add 10012 skipto 10020 all from any to any out via ${oif_1}
    ipfw add 10013 allow \{ ah or udp or tcp \} from any to any rtsp out via ${oif_1}
    ipfw add 10021 ...

*For those who are paranoid and want to make sure that a packet is not coming back to the originating host... (I know rtsp is a bad example, imagine this with dns, or ssh or something else if you so choose ;)

Also...
^^^^^^^

I know that there was an instance where I would have found support for an "and" clause within the definition blocks -- for instance a list of ip addresses -- very useful; however, unfortunately I can not remember it!

    ipfw add 10013 allow \{ ah or udp or tcp \} from ${myhost} to \{ ${somehost} and ${anotherhost} \} out via ${oif_1}

I am certain that this would cut down on some skipto's somewhere.

Once again, thank you for all your efforts on ipfw. We are all very appreciative ;)

-Sereciya Kurdistani
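The hand rewrite the post describes (one ipfw2 protocol block versus one rule per protocol), done mechanically as an added example that is not code from the post or from ipfw itself; it assumes one or-block per rule, and the interface name em0 and the addresses in the sample are constructed placeholders:

```python
"""Expand ipfw2 protocol or-blocks into one rule per protocol (added example, not
code from the original post). It performs mechanically the rewrite the post does
by hand, so a ruleset written with { ah or udp or tcp } blocks can be loaded on an
ipfw that accepts one protocol per rule. em0 and the addresses are placeholders."""
import re
from typing import List

# A block written either as { ... } or, as in the post, shell-escaped \{ ... \}.
BLOCK_RE = re.compile(r"\\?\{\s*(.*?)\s*\\?\}")
NUMBER_RE = re.compile(r"\badd\s+(\d+)\b")

def rule_number(text: str):
    """Every rule handled here must carry an explicit 'add NNNN' number."""
    m = NUMBER_RE.search(text)
    if m is None:
        raise ValueError("rule needs an explicit number: " + text)
    return m

def expand_or_block(rule: str) -> List[str]:
    """A rule without a block is returned as-is; otherwise one rule per alternative,
    numbered consecutively from the original (leave a gap before the next rule)."""
    blocks = BLOCK_RE.findall(rule)
    if not blocks:
        return [rule]
    if len(blocks) > 1:
        raise ValueError("only one or-block per rule is handled: " + rule)
    m = BLOCK_RE.search(rule)
    num = rule_number(rule[:m.start()])
    head, tail = rule[:m.start()].rstrip(), rule[m.end():].strip()
    expanded = []
    for i, alt in enumerate(a.strip() for a in m.group(1).split(" or ")):
        numbered = head[:num.start(1)] + str(int(num.group(1)) + i) + head[num.end(1):]
        expanded.append(f"{numbered} {alt} {tail}".rstrip())
    return expanded

def expand_ruleset(rules: List[str]) -> List[str]:
    """Expand every rule and refuse a ruleset in which expansion reused a number
    that a later hand-written rule also carries (the two would interleave)."""
    seen, out = {}, []
    for rule in rules:
        for r in expand_or_block(rule):
            n = int(rule_number(r).group(1))
            if n in seen:
                raise ValueError(f"rule number {n} used twice: {seen[n]!r} / {r!r}")
            seen[n] = r
            out.append(r)
    return out

# Constructed sample: the ipfw2 form from the post with placeholders filled in.
SAMPLE = [
    "ipfw add 10011 skipto 10013 all from 10.0.0.1 to not 10.0.0.1 out via em0",
    "ipfw add 10012 skipto 10020 all from any to any out via em0",
    "ipfw add 10013 allow \\{ ah or udp or tcp \\} from any to any rtsp out via em0",
]
```

Running expand_ruleset(SAMPLE) yields the three-rule block as rules 10013, 10014 and 10015, which is why the post leaves a numbering gap before 10021.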