Date: Thu, 21 May 2009 12:41:22 -0400
From: Steve Bertrand <steve@ibctech.ca>
To: Freddie Cash <fjwcash@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Does ipfw support interface groups?
Message-ID: <4A158432.5050303@ibctech.ca>
In-Reply-To: <b269bc570905210849s202084d2h15e991683d1b112b@mail.gmail.com>
References: <9a542da30905210720y50fafe59ld3459c9e76ef5824@mail.gmail.com> <20090521150113.GA47160@onelab2.iet.unipi.it> <b269bc570905210849s202084d2h15e991683d1b112b@mail.gmail.com>

Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
>> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>>> can ipfw use somehow interface groups as pf(4) can?
>>> From a quick glance at documentation and not so thorough look at code
>>> it does not but I am sending this just if I missed something during my
>>> search!
>> something like
>> ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> is perhaps not so nice but does the job.
>
> Seriously??!!
>
> Luigi, you just made my day. :) Writing duplicate sets of rules for
> multi-homed firewalls where the only thing that's different is the
> incoming interface has been a pain ...

Aside from Luigi's piece of trickery, if you are accustomed to making
frequent changes to live rulesets (and then promptly
forgetting/neglecting to add them into your startup scripts), might I
recommend something that has become very useful to me:

I have /etc/ipfw.rules which contains the variable definitions and all
table configurations as my primary startup script. At the bottom of that
file, I have:

    . /etc/ipfw.include

This instructs the sh script to pick up the data from the ipfw.include
file, and process it as well.

Instead of implementing the rules live, and then adding them into the
startup script manually, I simply (from time-to-time) run this
(copy/paste into CLI):

    ipfw list | \
    perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \
    > /etc/ipfw.include
    chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

That then makes a copy of your current live ruleset into your
/etc/ipfw.include file, which will be loaded upon next reboot.

Steve
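
Added example, not part of Steve's message and not ipfw's own tooling: the same snapshot idea written so that a failed or empty `ipfw list` cannot replace /etc/ipfw.include with an empty file, and so that the table(N,value) form is quoted as well. The function names rules_to_include and snapshot_rules and the temp-file suffixes are assumptions of this sketch, and sed stands in for the perl one-liner.

```sh
#!/bin/sh
# Added example (assumed names): guarded snapshot of the live ipfw ruleset.

# Turn `ipfw list` output (stdin) into "$cmd <rule>" lines (stdout).
# table(...) is double-quoted so sh does not try to parse the parentheses
# when the include file is sourced; [^)]* also covers table(N,value).
rules_to_include() {
    sed -e 's/table(\([^)]*\))/"table(\1)"/g' -e 's/^/$cmd /'
}

# snapshot_rules DEST LISTCMD [ARGS...]
# DEST is replaced only if LISTCMD succeeded and printed at least one rule.
# The old file stays in place on any failure, so the next boot still loads
# the last good ruleset instead of an empty one.
snapshot_rules() {
    dest=$1; shift
    # mktemp creates both files with mode 0600 next to DEST, so the final
    # mv is a rename on the same filesystem and the rules are never
    # readable by other users while they are being written.
    raw=$(mktemp "${dest}.raw.XXXXXX") || return 1
    new=$(mktemp "${dest}.new.XXXXXX") || { rm -f "$raw"; return 1; }
    rc=0
    if ! "$@" > "$raw"; then
        rc=2                    # listing failed (for example, not root)
    elif ! [ -s "$raw" ]; then
        rc=3                    # empty output: refuse to save it
    elif ! rules_to_include < "$raw" > "$new"; then
        rc=4                    # conversion failed
    elif ! chmod 400 "$new" || ! mv -f "$new" "$dest"; then
        rc=5                    # could not install the new file
    fi
    rm -f "$raw" "$new"         # after a successful mv only $raw remains
    return "$rc"
}

# Real use, as root:
#   snapshot_rules /etc/ipfw.include ipfw list
```

The chown from the original command is left out because the function is meant to run as root, which then owns the file it creates.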
