From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 17:43:50 2004
Return-Path: <randy@psg.com>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 457F716A4CE; Tue, 14 Dec 2004 17:43:50 +0000 (GMT)
Received: from ran.psg.com (ip192.186.dsl-acs2.seawa0.iinet.com [209.20.186.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0A98043D5D; Tue, 14 Dec 2004 17:43:50 +0000 (GMT) (envelope-from randy@psg.com)
Received: from localhost ([127.0.0.1] helo=ran.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.43 (FreeBSD)) id 1CeGiD-000CoH-9v; Tue, 14 Dec 2004 09:43:49 -0800
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16831.9812.789804.36697@ran.psg.com>
Date: Tue, 14 Dec 2004 09:43:48 -0800
To: Andre Oppermann
References: <20041213124051.GB32719@cell.sick.ru> <20041214085123.GB42820@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <41BEE0E7.BD2316EB@freebsd.org>
cc: freebsd-net@freebsd.org
Subject: Re: per-interface packet filters [summary]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 14 Dec 2004 17:43:50 -0000

>> As i also said before, i agree that when the number of interfaces
>> becomes large, managing ipfw lists can become difficult (though i
>> see no way your technique can help without the assistance of scripts
>> generating the actual lists for each interface making sure that the
>> 'common' checks are in sync, etc.)
>
> This is one of the difficulties of per-interface ACLs like in Cisco
> and Juniper.

grown-up operators generate their configs programmatically. life just
does not scale any other way.

randy