From owner-freebsd-questions@FreeBSD.ORG  Mon Sep 24 21:48:00 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 51354106566C
	for <questions@freebsd.org>; Mon, 24 Sep 2012 21:48:00 +0000 (UTC)
	(envelope-from kudzu@tenebras.com)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com
	[209.85.212.172])
	by mx1.freebsd.org (Postfix) with ESMTP id D87138FC08
	for <questions@freebsd.org>; Mon, 24 Sep 2012 21:47:59 +0000 (UTC)
Received: by wibhq12 with SMTP id hq12so1915941wib.13
	for <questions@freebsd.org>; Mon, 24 Sep 2012 14:47:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:content-type:x-gm-message-state;
	bh=YUGxRKmpzOl9FrfAwDZpNsdrh+85GYcdu7qaIcgm03o=;
	b=IPzp03D72i8GX+/y1PpZmmlcE2GwOpgVrlVJvCSc/IthRFRP/Ct/qH7YmN8/gLkgSq
	HUMc8n6tPw2Ju4JhMd3HLot6Bdh8I7eODYT16Wf4+fH9jlLMyW/i2u8BDTHLyDWT2uwe
	vXRusqKixxGxpDVOeVr+5xqLKduC0PVLBjEfNPqPiyKjIkMBQNnSPG+kNwUGqGtguGFV
	wCNd8+siyKFp/pmKY2NSYCYZAGGt8AC6kJr2WXUuC+5KF5hjgsWY7L8t4ae4SREOugTQ
	T8OC0ZmeVoVzgKGltz15JlfdUpSNPjciqNWgwNjthWdLuBO40IFQEoWiWVG30TUGKsYh
	9+bw==
MIME-Version: 1.0
Received: by 10.180.109.199 with SMTP id hu7mr9017077wib.21.1348523278798;
	Mon, 24 Sep 2012 14:47:58 -0700 (PDT)
Received: by 10.223.129.3 with HTTP; Mon, 24 Sep 2012 14:47:58 -0700 (PDT)
In-Reply-To: <alpine.GSO.2.00.1209241528240.7618@shell1>
References: <alpine.GSO.2.00.1209241528240.7618@shell1>
Date: Mon, 24 Sep 2012 14:47:58 -0700
Message-ID: <CAHu1Y73MVkKD2bvrH5H6Ht_2j5qtB97kz-AeqzTDCx55Aa1rDw@mail.gmail.com>
From: Michael Sierchio <kudzu@tenebras.com>
To: questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQkYVoqlYGw6jjjbAZXBgd14k1mp2VnkLqtVIutnCkJ4U6ZiGh1pfqvOYoLS0Xp3OzEXui3t
Cc: 
Subject: Re: question for ipfw2 experts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 21:48:00 -0000

On Mon, Sep 24, 2012 at 12:35 PM, Darrel <levitch@iglou.com> wrote:

> Can someone please send an exmaple of how to properly use tables?

Quick, trivial example - this doesn't help you understand tableargs,
this is just efficiently to handle a very large list of sparse nets.

PEERS="/etc/ipfw/permitted_hosts.txt"
cat $PEERS | awk '/^[1-9][0-9\.][0-9\.]*/ { print "ipfw table 1 add", $1 }' | sh

$FW add 01000 check-state

[ a bunch of rules ]

$FW add 05000 allow tcp from table\(1\) to me 7514 in recv $OUTSIDE_IF
setup keep-state
$FW add 06000 deny tcp from any to me in recv $OUTSIDE_IF

Now, if you want to atomically change tables without altering
instantiated dynamic rules, you can use separate tables and swap
rulesets.  You can use tableargs (the second parameter when adding an
entry to the table) as a rule number to skipto, or as a tag in
logging, etc.