Date: Sat, 21 May 2005 18:35:51 +0200
From: Giulio Ferro <auryn@zirakzigil.org>
To: freebsd-ipfw@freebsd.org
Subject: Multiple match
Message-ID: <428F6367.4020004@zirakzigil.org>
After many years of using ipfw I've suddenly realized it doesn't do what I would expect... Let's keep it to this simple example.

On my firewall box I have 2 NICs, with machines attached to either side of it:

Client1 ----------rl0-|IPFW BOX|-rl1------------Client2

(let's suppose that both Client1 and Client2 know about their respective routes...)

I have a single rule in ipfw:

add 10 allow icmp from any to any in via rl1

(the ping won't come back, but it doesn't matter here)

What I expected, until yesterday, is that if I ping from Client2 to Client1, my ping _ONLY_ passed through interface rl1, _NOT_ rl0! So, if I had wanted to make it pass through the whole firewall I would have set 2 rules:

add 10 allow icmp from any to any in via rl1
add 20 allow icmp from any to any out via rl0

If I set the logs, I notice that rule 10 will be matched twice:

10 Allow ...in via rl1
10 Allow ...out via rl0

I don't like it. It doesn't give me enough control over the flows of traffic.

What do you think about this?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?428F6367.4020004>
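A small model of the two-pass evaluation discussed in the message, added here as an example and not code from the poster or from FreeBSD: a forwarded packet is checked once on its "in" pass and once on its "out" pass, and the direction and interface keywords from ipfw(8) (in, out, via, recv, xmit) are applied to each pass. It assumes the default rule 65535 is a deny, reuses the poster's rule numbers and interface names, and adds a recv-only rule set that is not in the message, to show a rule that does match on both passes.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_RULE = 65535  # ipfw's implicit last rule; assumed to be "deny" here

@dataclass
class Packet:
    rcvif: str                 # interface the packet arrived on
    oif: Optional[str] = None  # None during the "in" pass, set on the "out" pass

@dataclass
class Rule:
    num: int
    action: str
    direction: Optional[str] = None  # "in", "out" or None (matches either pass)
    via: Optional[str] = None        # interface of the current pass
    recv: Optional[str] = None       # receiving interface, testable on either pass
    xmit: Optional[str] = None       # transmit interface, only known on the out pass

    def matches(self, p: Packet) -> bool:
        if self.direction == "in" and p.oif is not None:
            return False
        if self.direction == "out" and p.oif is None:
            return False
        # "via rlX" checks the interface the packet is going through right now:
        # the receive interface on the in pass, the transmit interface on the out pass
        if self.via is not None and self.via != (p.oif or p.rcvif):
            return False
        if self.recv is not None and self.recv != p.rcvif:
            return False
        if self.xmit is not None and self.xmit != p.oif:
            return False
        return True

def evaluate(rules, p: Packet):
    """Number and action of the first rule that matches, else the default rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(p):
            return r.num, r.action
    return DEFAULT_RULE, "deny"

def trace_forward(rules, rcvif="rl1", oif="rl0"):
    """A forwarded packet is checked twice: in on rcvif, then out on oif."""
    return [evaluate(rules, Packet(rcvif)), evaluate(rules, Packet(rcvif, oif))]

SINGLE = [Rule(10, "allow", "in", via="rl1")]                # the message's single rule
PAIR = SINGLE + [Rule(20, "allow", "out", via="rl0")]        # the message's two-rule set
RECV_ONLY = [Rule(10, "allow", recv="rl1")]  # no in/out, so recv is tested on both passes

if __name__ == "__main__":
    print("rule 10 only :", trace_forward(SINGLE))     # [(10, 'allow'), (65535, 'deny')]
    print("rules 10 + 20:", trace_forward(PAIR))       # [(10, 'allow'), (20, 'allow')]
    print("recv rl1 only:", trace_forward(RECV_ONLY))  # [(10, 'allow'), (10, 'allow')]
```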