Date: Thu, 21 May 2009 18:42:25 +0200
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Freddie Cash <fjwcash@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Does ipfw support interface groups?
Message-ID: <20090521164225.GB50606@onelab2.iet.unipi.it>
In-Reply-To: <b269bc570905210849s202084d2h15e991683d1b112b@mail.gmail.com>
References: <9a542da30905210720y50fafe59ld3459c9e76ef5824@mail.gmail.com> <20090521150113.GA47160@onelab2.iet.unipi.it> <b269bc570905210849s202084d2h15e991683d1b112b@mail.gmail.com>

On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
> >> can ipfw use somehow interface groups as pf(4) can?
> >> From a quick glance at documentation and not so thorough look at code
> >> it does not but i am sending this just if i missed something during my
> >> search!
> >
> > something like
> >         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
> > is perhaps not so nice but does the job.
>
> Seriously??!!
>
> Luigi, you just made my day. :) Writing duplicate sets of rules for
> multi-homed firewalls where the only thing that's different is the
> incoming interface has been a pain ...

you can always put multiple rules that check the variant part
and skipto the common one

    ipfw add 100 skipto 2000 in recv xl1
    ipfw add 100 skipto 2000 in recv bge0
    ...
    ipfw add 100 count // interface not recognised
    ipfw add 2000 ...  // do the common part

cheers
luigi
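
Added example, not part of the thread or of ipfw itself: a small sh helper that expands a list of interfaces into both forms discussed above, the single-rule or-block and the skipto dispatch rules. It only prints the ipfw commands; the function names, rule numbers and interface names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): emulate an interface group in ipfw.
# Commands are printed, not executed; rule numbers and names are sample values.

# Accept only plain interface names such as xl1, bge0 or vlan0.10.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
    esac
    return 0
}

is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_group IF...: fail unless there is at least one name and all are valid.
check_group() {
    [ "$#" -ge 1 ] || { echo "empty interface group" >&2; return 1; }
    for ifn in "$@"; do
        valid_ifname "$ifn" || { echo "bad interface name: $ifn" >&2; return 1; }
    done
}

# group_orblock IF...: the single-rule form, "{ recv a or recv b }".
group_orblock() {
    check_group "$@" || return 1
    block=
    for ifn in "$@"; do
        block="${block:+$block or }recv $ifn"
    done
    echo "{ $block }"
}

# group_skipto DISPATCH COMMON IF...: the multi-rule form. Every member jumps
# to COMMON; anything else is counted at DISPATCH and continues with the next
# rule, so rules between DISPATCH and COMMON decide what happens to it.
group_skipto() {
    is_number "$1" && is_number "$2" || { echo "rule numbers must be numeric" >&2; return 1; }
    dispatch=$1; common=$2; shift 2
    [ "$dispatch" -lt "$common" ] || { echo "skipto target must be a later rule" >&2; return 1; }
    check_group "$@" || return 1
    for ifn in "$@"; do
        echo "ipfw add $dispatch skipto $common in recv $ifn"
    done
    echo "ipfw add $dispatch count // interface not recognised"
}

group_orblock ed0 xl1 ath4 vlan0
group_skipto 100 2000 xl1 bge0
```

Review the printed rules before loading them, and keep the interface list in one place so both forms stay in sync.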