Date: Fri, 22 Oct 2004 08:50:19 -0700 (PDT) From: Jon Simola <jon@abccom.bc.ca> To: Martes Wigglesworth <martes.wigglesworth@earthlink.net> Cc: ipfw-mailings <freebsd-ipfw@freebsd.org> Subject: Re: ipfw address-listing woes Message-ID: <20041022083605.J20686-100000@tyberius.abccom.bc.ca> In-Reply-To: <1098339493.1973.44.camel@Mobile1.276NET>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 22 Oct 2004, Martes Wigglesworth wrote:
> Do you know if it is possible to list two interfaces in this rule?
Apparently you can stick anything after via and ipfw doesn't care:
# ipfw add 37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
# ipfw add 37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
# ipfw show |grep ^37
37000 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37001 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
These rules don't match any of my traffic, even on the existing em1
interface.
> I have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw. I would love to
> see an example of how to list multiple interfaces in these types of
> rules.
Well, I don't think you can list multiple interfaces unless you're
matching "in recv xl0 out xmit fxp0" and via appears to just use a text
string without comparing to interfaces actually existing or not.
Instead of:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state
Use two seperate rules, one for each interface:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0 setup keep-state
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via rl0 setup keep-state
And you'll get past that bug (feature?).
> Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?
I cannot clarify anything until I get a better description of what I'm
looking at. Most of my ipfw expereince comes from a few years for working
with it daily and some detailed examination of the code.
---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications | flow throughout the universe." -- GITS
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041022083605.J20686-100000>