From: Gary Aitken
Reply-To: freebsd@dreamchaser.org
To: s m, freebsd-questions
Subject: Re: can ipfw check all permit rules without search termination?
Date: Mon, 15 Dec 2014 17:10:17 -0700
Message-ID: <548F7869.2040705@dreamchaser.org>

On 12/15/14 00:49, s m wrote:
> I want to define multiple rules for ipfw. I want to know if there is any way
> to make ipfw check all permit rules without terminating the search until it
> sees a deny rule? I want the search to terminate only when a deny rule is met.
> Is there any option or sysctl variable to do this for me? I read the ipfw
> man page but found nothing.

If you don't want the search to terminate except on a deny rule, simply put
all the deny rules first. Then put all your allow rules after that, with a
final deny rule to catch whatever didn't match the allow rules.

Perhaps I don't understand what you are trying to accomplish...

If what you want to do on an allow rule is skip the rest of the allow rules
through the following deny rule, and continue matching with the first rule
after the deny rule, you can use the "skipto" action for the allow rules:

  add 100 skipto 1000 ip from via
  add 200 deny ip from via
  ...
  add 1000 skipto 2000
  ...

I've never used skipto so I may have the syntax a bit wrong.

Gary
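As an added illustration, not part of Gary's reply or of ipfw itself, here is a small Python model of ipfw's first-match search with the skipto action, so the two orderings discussed above can be checked without touching a live firewall. Rule matching is simplified to protocol, source and destination, and all rule numbers and addresses are constructed for the example.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    num: int
    action: str         # "allow", "deny" or "skipto"
    proto: str = "ip"   # "ip" matches any protocol, as in ipfw
    src: str = "any"
    dst: str = "any"
    target: int = 0     # skipto destination (only used when action == "skipto")

def matches(rule, pkt):
    proto, src, dst = pkt
    return (rule.proto in ("ip", proto) and rule.src in ("any", src)
            and rule.dst in ("any", dst))

def evaluate(rules, pkt):
    """Return (verdict, rule numbers examined). The first matching allow/deny
    ends the search; skipto resumes at the first rule numbered >= target;
    a packet matching nothing hits the implicit default rule 65535 (deny)."""
    ordered = sorted(rules, key=lambda r: r.num)
    visited, i = [], 0
    while i < len(ordered):
        r = ordered[i]
        visited.append(r.num)
        if matches(r, pkt) and r.action == "skipto":
            # ipfw only permits forward jumps; model that restriction too
            assert r.target > r.num, "skipto must jump forward"
            i = next((j for j, x in enumerate(ordered) if x.num >= r.target),
                     len(ordered))
        elif matches(r, pkt):
            return r.action, visited
        else:
            i += 1
    return "deny", visited + [65535]

# Constructed ruleset A: every deny first, then the allows, final catch-all deny.
DENY_FIRST = [
    Rule(100, "deny", src="10.0.0.9"),
    Rule(200, "allow", proto="tcp", dst="192.0.2.10"),
    Rule(300, "allow", proto="udp", dst="192.0.2.53"),
    Rule(65000, "deny"),
]

# Constructed ruleset B: a skipto match at 100 bypasses the deny at 200.
SKIPTO = [
    Rule(100, "skipto", proto="tcp", dst="192.0.2.10", target=1000),
    Rule(200, "deny", dst="192.0.2.10"),
    Rule(1000, "allow"),
]
```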