Date: Tue, 13 Feb 2001 08:55:40 -0800 From: Julian Elischer <julian@elischer.org> To: Poul-Henning Kamp <phk@critter.freebsd.dk> Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_fw.c ip_fw.h src/sbin/ipfw ipfw.8 ipfw.c Message-ID: <3A89670C.82B8DAA9@elischer.org> References: <51205.982073676@critter>
Poul-Henning Kamp wrote:
>
> In message <200102131412.f1DECdZ12064@freefall.freebsd.org>, Poul-Henning Kamp
> writes:
> >phk 2001/02/13 06:12:37 PST
> >
> > Modified files:
> > sys/netinet ip_fw.c ip_fw.h
> > sbin/ipfw ipfw.8 ipfw.c
> > Log:
> > Introduce a new feature in IPFW: Check if the source or destination
> > address is configured on an interface. This is useful for routers with
> > dynamic interfaces. It is now possible to say:
> >
> > 0100 allow tcp from any to any established
> > 0200 skipto 1000 tcp from any to any
> > 0300 allow ip from any to any
> > 1000 allow tcp from 1.2.3.4 to me 22
> > 1010 deny tcp from any to me 22
> > 1020 allow tcp from any to any
> >
> > and not have to worry about the behaviour if dynamic interfaces configure
> > new IP numbers later on.
> >
> > The check is semi expensive (traverses the interface address list)
> > so it should be protected as in the above example if high performance
> > is a requirement.
>
> It would be more elegant to have multiple lists of ipfw rules:
> One input list per interface
> One output list per interface
> One list for packets being forwarded
> One list for packets arriving locally
> One list for packets originating locally
>
> And it would be trivial to implement this in a backwards compatible
> fashion, but I guess that is bikeshed coloring material so I'll
> just leave that thought to fester here in case anyone feels like
> looking at it....

I agree, though it is possible to break the single list into these using
skipto rules. (We did that at Whistle.) The first rule immediately jumped
to rule 8000 or something if it was an external incoming packet. It's not
perfect but it does approximate what you are talking about.

> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
            v
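The guarded ruleset from the quoted commit message, replayed through a small Python model of ipfw's first-match walk and skipto jump, as an added example that is not code from this thread or from FreeBSD's ip_fw.c. The interface address list, the sample packets and the tuple rule format are constructed assumptions; the model also runs the unguarded tail of the ruleset (rules 1000 onward on their own) to show how many address-list walks the established/skipto guard saves.

```python
# Added example, not FreeBSD code: a toy model of ipfw's rule walk. The
# interface address list and the packets used below are constructed.
IFADDRS = ["10.0.0.1", "192.0.2.1", "198.51.100.7"]
me_walks = 0  # address-list traversals during the current evaluation

def is_me(addr):
    global me_walks
    me_walks += 1  # the semi-expensive part: one linear scan per check
    return any(a == addr for a in IFADDRS)

def match(rule, pkt):
    """Match one rule, cheap fields first; 'me' is consulted only if they pass."""
    _num, _action, proto, src, dst, dport, established = rule
    if proto not in ("ip", pkt["proto"]) or src not in ("any", pkt["src"]):
        return False
    if dst == "me":
        if not is_me(pkt["dst"]):
            return False
    elif dst not in ("any", pkt["dst"]):
        return False
    return (dport is None or pkt.get("dport") == dport) and (
        not established or pkt.get("ack", False))

def walk(rules, pkt):
    """First match wins; 'skipto N' resumes at the first rule numbered >= N."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if match(rule, pkt):
            if rule[1].startswith("skipto"):
                target = int(rule[1].split()[1])
                i = next((k for k, r in enumerate(rules) if r[0] >= target),
                         len(rules))
                continue
            return rule[1]
        i += 1
    return "deny"  # the implicit default rule 65535

# The ruleset from the commit message as
# (number, action, proto, src, dst, dport, established) tuples.
RULES = [
    (100, "allow", "tcp", "any", "any", None, True),
    (200, "skipto 1000", "tcp", "any", "any", None, False),
    (300, "allow", "ip", "any", "any", None, False),
    (1000, "allow", "tcp", "1.2.3.4", "me", 22, False),
    (1010, "deny", "tcp", "any", "me", 22, False),
    (1020, "allow", "tcp", "any", "any", None, False),
]

def decide(pkt, rules=RULES):
    """Return (verdict, number of 'me' address-list walks) for one packet."""
    global me_walks
    me_walks = 0
    return walk(rules, pkt), me_walks
```

Established TCP and all non-TCP traffic is decided by rules 100 and 300 without ever reaching a `me` rule, so only TCP setup packets pay for the address-list scan; run the same packets through `RULES[3:]` to see every TCP packet pay for it.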