From owner-freebsd-net Thu Apr 4 17:43:31 2002
Delivered-To: freebsd-net@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 1EE3737B41D for ; Thu, 4 Apr 2002 17:43:20 -0800 (PST)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g351hGS11713; Thu, 4 Apr 2002 17:43:17 -0800 (PST) (envelope-from rizzo)
Date: Thu, 4 Apr 2002 17:43:16 -0800
From: Luigi Rizzo
To: Christophe Prevotaux
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPFW Max Rule Discrete Number Limit
Message-ID: <20020404174316.A11314@iguana.icir.org>
References: <20020403205923.27d35e11.c.prevotaux@hexanet.fr> <20020403111545.A98202@iguana.icir.org> <20020404222556.5ddeb117.c.prevotaux@hexanet.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20020404222556.5ddeb117.c.prevotaux@hexanet.fr>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 04, 2002 at 10:25:56PM +0200, Christophe Prevotaux wrote:
> Luigi Rizzo wrote:
> > On Wed, Apr 03, 2002 at 08:59:23PM +0200, Christophe Prévotaux wrote:
> > > ...
> > > I have reached the 655 firewalling rules limit (with discrete values)
> > ...
> > you know you can assign explicit numbers to rules?
> ...
> yes I know, do you seriously think I will do this?

any serious ipfw usage (especially with the hundreds of rules you
mention) involves skipto rules so you can make your search paths
shorter than having to scan all rules sequentially. In such a context
autonumbering is useless because you need to know where to jump, and
so you want to assign numbers yourself.

Additionally, you can have multiple rules with the same number, which
is useful e.g. when you have a block of rules which you want to scan
sequentially.
A typical large configuration could be something like this:

# bunch of demux rules
ipfw add 1000 skipto 5000 udp from any to any
ipfw add 1000 skipto 5500 tcp from any to any
ipfw add 1000 skipto 6000 icmp from any to any
# all other traffic
ipfw add 1000 skipto 6500 ip from any to any

# udp specific rules
ipfw add 5000 allow udp from any to any 53,137,138
ipfw add 5000 allow udp from any 53,137,138 to any
ipfw add 5000 deny ip from any to any

# tcp specific rules
ipfw add 5500 deny tcp from any to ${my-net} 23
ipfw add 5500 allow tcp from ${my-proxy} to any
ipfw add 5500 allow tcp from any to ${my-proxy}
ipfw add 5500 deny tcp from any to any 80
...
ipfw add 5500 deny ip from any to any

# icmp rules
ipfw add 6000 pipe 10 icmp from any to any

ipfw add 1000 skipto 11000 ip from ${net2} to any
ipfw add 1000 skipto 11500 ip from any to ${net2}
# ... you get the idea

> What happens when I insert new rules ?

of course you number them manually if it is just single rules, and if
it is dozens of them you insert them in the script that loads your
configuration, and rerun the script.

cheers
luigi
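The explicit-number / skipto layout described in the message, written out as a generator script that also sanity-checks the ruleset before anything is loaded. This is an added example; it is not code from the mail or from ipfw itself. It prints the "ipfw add" lines rather than executing them, so the output can be reviewed or diffed against the running ruleset first. The network values are constructed placeholders, and the two checks (every skipto must jump to a higher number, and the target number must actually carry rules) are this script's own policy for keeping a demux layout consistent, not behaviour enforced by ipfw for the latter case.

```shell
#!/bin/sh
# Added example: generate an ipfw ruleset in the numbered-block / skipto
# style, then check it before loading.  Not from the original mail.
# Network values are constructed placeholders.

MY_NET="10.0.0.0/24"
MY_PROXY="10.0.0.10"
NET2="10.0.1.0/24"

# rule NUMBER BODY...: emit one rule line carrying an explicit number
rule() {
    printf 'ipfw add %s\n' "$*"
}

gen_rules() {
    # demux block: all rules share number 1000 and are scanned in order;
    # each one jumps forward to the block for that protocol
    rule 1000 skipto 5000 udp from any to any
    rule 1000 skipto 5500 tcp from any to any
    rule 1000 skipto 6000 icmp from any to any
    rule 1000 skipto 6500 ip from any to any

    # udp block (5000); every block ends with its own terminal rule
    rule 5000 allow udp from any to any 53,137,138
    rule 5000 allow udp from any 53,137,138 to any
    rule 5000 deny ip from any to any

    # tcp block (5500)
    rule 5500 deny tcp from any to "$MY_NET" 23
    rule 5500 allow tcp from "$MY_PROXY" to any
    rule 5500 allow tcp from any to "$MY_PROXY"
    rule 5500 deny tcp from any to any 80
    rule 5500 deny ip from any to any

    # icmp block (6000)
    rule 6000 pipe 10 icmp from any to any
    rule 6000 allow icmp from any to any

    # everything else (6500)
    rule 6500 allow ip from "$NET2" to any
    rule 6500 deny ip from any to any
}

# check_skipto RULESET: return non-zero if any skipto does not jump to a
# higher rule number, or jumps to a number that no rule carries.  ipfw
# itself would continue at the next higher-numbered rule in the second
# case, but in this layout a missing target almost always means a whole
# block was left out of the script, so it is treated as an error here.
check_skipto() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | while read -r cmd verb num action target rest; do
        [ "$action" = skipto ] || continue
        if [ "$target" -le "$num" ]; then
            echo "rule $num: skipto $target is not a forward jump" >&2
            exit 1
        fi
        case "$ruleset" in
            *"ipfw add $target "*) ;;
            *) echo "rule $num: skipto target $target has no rules" >&2
               exit 1 ;;
        esac
    done
}

# Usage: sh gen-ipfw.sh > rules.txt, review, then feed to the loader script.
rules=$(gen_rules)
check_skipto "$rules" || exit 1
printf '%s\n' "$rules"
```

Inserting a handful of rules means giving them the number of the block they belong to (they are appended at the end of that block) and re-running the generator; the check catches the usual mistake of adding a new demux skipto without its matching block.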