From owner-freebsd-questions@FreeBSD.ORG Mon Nov 5 09:28:50 2007
From: Nikos Vassiliadis
To: freebsd-questions@freebsd.org
Cc: Juri Mianovich
Date: Mon, 5 Nov 2007 11:30:27 +0200
Subject: Re: ipfw rule question ... all possible interfaces ?
Message-Id: <200711051130.28295.nvass@teledomenet.gr>
In-Reply-To: <968423.23711.qm@web45616.mail.sp1.yahoo.com>

On Monday 05 November 2007 02:10:12 Juri Mianovich wrote:
> Is there a way to tell ipfw:
>
> "all interfaces currently configured on this system" ?

That's not possible directly, I think.
> I have a laptop and at any time I could plug in a USB
> NIC or plug in a pccard, in addition to the onboard
> LAN and WIFI, either of which may or may not be
> configured at boot time.

Being configured or not isn't a problem for ipfw. The interface is just a string and can be anything regardless of validity, such as rl0, fxp0, blah etc. Asterisks can also be used to denote shell-like interface-name matching, e.g. rl*

> So the point is, the active, configured interfaces
> change regularly.
>
> So if I have a rule like:
>
> allow ip from any to any via iwi0
>
> that won't work well, and neither will:
>
> allow ip from any to any via iwi0,abc0

I am not sure you have understood the "via" keyword correctly. Read the ipfw manual. Not all packets have receive or transmit interfaces, so that might be a problem you haven't considered. Is "via" what you want?

> So is there any way to say "all interfaces currently
> configured" and have that rule apply to new interfaces
> automatically as they are added and subtracted from
> the system ?

You can use "me", which is an alias for "my IP addresses".

allow ip from any to me
allow ip from me to any

This ruleset effectively allows all traffic from you to the world and from the world to you. Of course there is no interface checking.

HTH, Nikos
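The "me" approach above carried a little further, as an added example that is not part of the thread: a laptop ruleset that needs no interface names for its core policy, keeps state instead of allowing everything inbound, and uses the rl* wildcard only where an interface genuinely matters. The rule numbers, the choice of ssh on port 22, the rl* pattern, and the FWCMD variable (set it to "echo" for a dry run) are assumptions of the example, not from the original posts.

```shell
#!/bin/sh
# Example ruleset (not from the thread). FWCMD defaults to the real ipfw;
# FWCMD=echo prints the rules instead of loading them.
FWCMD=${FWCMD:-"/sbin/ipfw -q"}

apply_laptop_ruleset() {
    fw=$FWCMD
    $fw -f flush
    # Loopback is always fine; anything else claiming 127/8 is forged.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any
    # Dynamic rules created by keep-state below are matched here.
    $fw add 200 check-state
    # Whatever this host sends, from whichever interface currently carries
    # one of its addresses, is allowed and its replies are tracked. No
    # interface name needed: "me" follows the addresses as NICs come and go.
    $fw add 300 allow ip from me to any out keep-state
    # DHCP offers may arrive as broadcasts, which are "not me"; allow them
    # before the transit deny so they are neither dropped nor logged.
    $fw add 310 allow udp from any 67 to any 68 in
    # Inbound services are listed explicitly. Here (assumption) ssh is only
    # accepted on rl(4) cards; the rl* wildcard matches rl0, rl1, ...
    $fw add 400 allow tcp from any to me 22 in setup keep-state via rl*
    # A laptop is not a router: log and drop anything received that is not
    # addressed to us, on every interface. Broadcast/multicast you rely on
    # must be allowed above this rule, as DHCP is.
    $fw add 500 deny log ip from any to not me in
    $fw add 65000 deny log ip from any to any
}

# Preview the generated rules without root or a FreeBSD kernel.
dry_run_ruleset() {
    ( FWCMD=echo; apply_laptop_ruleset )
}

# Number of "add" rules the preview produces; a quick sanity check.
count_rules() {
    dry_run_ruleset | grep -c '^add '
}
```

Running the script with FWCMD unset loads the rules with /sbin/ipfw; note that rule 500 is the one that would surface unexpected transit or multicast traffic in the log, so review those entries before tightening further.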