Date:      Mon, 24 Sep 2012 14:47:58 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        questions@freebsd.org
Subject:   Re: question for ipfw2 experts
Message-ID:  <CAHu1Y73MVkKD2bvrH5H6Ht_2j5qtB97kz-AeqzTDCx55Aa1rDw@mail.gmail.com>
In-Reply-To: <alpine.GSO.2.00.1209241528240.7618@shell1>
References:  <alpine.GSO.2.00.1209241528240.7618@shell1>

On Mon, Sep 24, 2012 at 12:35 PM, Darrel <levitch@iglou.com> wrote:

> Can someone please send an example of how to properly use tables?

Quick, trivial example - this doesn't help you understand tableargs,
this is just an efficient way to handle a very large list of sparse nets.

PEERS="/etc/ipfw/permitted_hosts.txt"
cat $PEERS | awk '/^[1-9][0-9\.][0-9\.]*/ { print "ipfw table 1 add", $1 }' | sh

$FW add 01000 check-state

[ a bunch of rules ]

$FW add 05000 allow tcp from table\(1\) to me 7514 in recv $OUTSIDE_IF setup keep-state
$FW add 06000 deny tcp from any to me in recv $OUTSIDE_IF

Now, if you want to atomically change tables without altering
instantiated dynamic rules, you can use separate tables and swap
rulesets.  You can use tableargs (the second parameter when adding an
entry to the table) as a rule number to skipto, or as a tag in
logging, etc.
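The table-plus-set swap described above, as an added example that is not part of the original message: the peer list is loaded into a spare table, the rules that reference it go into a disabled set, and a single set swap makes them live without touching existing dynamic entries. Table and set numbers, the interface em0, the port numbers and the skipto targets 5100/5200 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): rebuild an allowlist table in
# a spare table, install the rules that use it into a disabled set, then swap
# sets so the cut-over is atomic and existing keep-state entries survive.
# Assumed: table/set numbers, interface em0, and the skipto targets 5100/5200.
IPFW="${IPFW:-ipfw}"
DRYRUN="${DRYRUN:-1}"   # 1 = print the ipfw commands instead of running them
IF="${OUTSIDE_IF:-em0}"

# Constructed sample peer list, "address tablearg" per line.  The tablearg is
# the rule number that skipto jumps to for that peer; comments/blanks are skipped.
PEERS_DATA='# address         skipto-rule
192.0.2.10        5100
198.51.100.0/24   5200
203.0.113.5       5100
not-an-address    5100
'

run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Print "address tablearg" for each well-formed line on stdin.  Both fields are
# validated so a malformed line is dropped rather than handed to ipfw.
table_entries() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ && $2 ~ /^[0-9]+$/ { print $1, $2 }'
}

# $1 = spare table, $2 = spare (disabled) set, $3 = live set.
swap_in() {
    run "$IPFW" table "$1" flush
    printf '%s' "$PEERS_DATA" | table_entries | while read -r addr arg; do
        run "$IPFW" table "$1" add "$addr" "$arg"
    done
    run "$IPFW" set disable "$2"      # rules added to a disabled set are inert
    # skipto tablearg: each peer lands on its own policy block; the deny right
    # after each block stops a 5100 peer from falling through into 5200.
    run "$IPFW" add 5000 set "$2" skipto tablearg tcp from "table($1)" to me in recv "$IF"
    run "$IPFW" add 5010 set "$2" deny tcp from any to me in recv "$IF"
    run "$IPFW" add 5100 set "$2" allow tcp from any to me 7514 setup keep-state
    run "$IPFW" add 5110 set "$2" deny tcp from any to me in recv "$IF"
    run "$IPFW" add 5200 set "$2" allow tcp from any to me 22 setup keep-state
    run "$IPFW" add 5210 set "$2" deny tcp from any to me in recv "$IF"
    run "$IPFW" set swap "$2" "$3"    # one atomic step: new rules go live
    run "$IPFW" delete set "$2"       # the old rules now sit in the spare set
}

if [ "${1:-}" = run ]; then swap_in 2 1 0; fi
```

Run with DRYRUN=1 (the default) to review the generated ipfw commands before pointing it at a live box; the next refresh uses table 1 and set 1 in the opposite roles.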
