Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 21 May 2009 10:22:58 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Does ipfw support interface groups?
Message-ID:  <b269bc570905211022y2a6fe928v5501edabc1e42dce@mail.gmail.com>
In-Reply-To: <20090521164225.GB50606@onelab2.iet.unipi.it>
References:  <9a542da30905210720y50fafe59ld3459c9e76ef5824@mail.gmail.com> <20090521150113.GA47160@onelab2.iet.unipi.it> <b269bc570905210849s202084d2h15e991683d1b112b@mail.gmail.com> <20090521164225.GB50606@onelab2.iet.unipi.it>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thu, May 21, 2009 at 9:42 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
>> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
>> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Lu?i wrote:
>> >> can ipfw use somehow interface groups as pf(4) can?
>> >> From a quick glance at documentation and not so through look at code
>> >> it does not but i am sending this just if i missed something during m=
y
>> >> search!
>> >
>> > something like
>> > ?? ?? ?? ??... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> > is perhaps not so nice but does the job.
>>
>> Seriously??!!
>>
>> Luigi, you just made my day. =C2=A0:) =C2=A0Writing duplicate sets of ru=
les for
>> multi-homed firewalls where the only thing that's different is the
>> incoming interface has been a pain ...
>
> you can always put multiple rules that check the variant part
> and skipto the common one
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0ipfw add 100 skipto 2000 in recv xl1
> =C2=A0 =C2=A0 =C2=A0 =C2=A0ipfw add 100 skipto 2000 in recv bge0
> =C2=A0 =C2=A0 =C2=A0 =C2=A0...
> =C2=A0 =C2=A0 =C2=A0 =C2=A0ipfw add 100 count // interface not recognised
> =C2=A0 =C2=A0 =C2=A0 =C2=A0ipfw add 2000 ... =C2=A0// do the common part

Skipto is very powerful, and we use it in some cases.  But I try not
to use it very often, as it can lead to spaghetti rules that are hard
to follow.  :)  We have one firewall where it takes a good 10 minutes
to track the path a packet takes through the rulelist, as there are so
many skipto rules and multiple interfaces/vlans (it's scheduled for a
rewrite this summer).

--=20
Freddie Cash
fjwcash@gmail.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b269bc570905211022y2a6fe928v5501edabc1e42dce>