On Thu, May 21, 2009 at 9:42 AM, Luigi Rizzo <ri...@iet.unipi.it> wrote:
> On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
>> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <ri...@iet.unipi.it> wrote:
>> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> >> can ipfw use somehow interface groups as pf(4) can?
>> >> From a quick glance at documentation and not so thorough look at code
>> >> it does not but I am sending this just if I missed something during my
>> >> search!
>> >
>> > something like
>> >         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> > is perhaps not so nice but does the job.
>>
>> Seriously??!!
>>
>> Luigi, you just made my day. :) Writing duplicate sets of rules for
>> multi-homed firewalls where the only thing that's different is the
>> incoming interface has been a pain ...
>
> you can always put multiple rules that check the variant part
> and skipto the common one
>
> ipfw add 100 skipto 2000 in recv xl1
> ipfw add 100 skipto 2000 in recv bge0
> ...
> ipfw add 100 count // interface not recognised
> ipfw add 2000 ... // do the common part
Skipto is very powerful, and we use it in some cases. But I try not to use it very often, as it can lead to spaghetti rules that are hard to follow. :)

We have one firewall where it takes a good 10 minutes to track the path a packet takes through the rulelist, as there are so many skipto rules and multiple interfaces/vlans (it's scheduled for a rewrite this summer).

--
Freddie Cash
fjwc...@gmail.com
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
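The two techniques discussed in the thread, written out as an added example that is not part of the original messages: a small POSIX sh script that generates an ipfw rule set for one interface group either with a `{ recv a or recv b }` or-block in each rule or with per-interface `skipto` rules jumping to a common block. The interface names (`em0`, `em1`, `vlan10`), rule numbers and the sample allow/deny rules are constructed for illustration; the functions only print the `ipfw` commands, so the output can be reviewed before being piped to `sh` on a FreeBSD host. The `deny` rule after the `count` in the skipto variant is an addition: `count` does not stop a packet, so without it traffic from an interface outside the group would fall through into the common block.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipfw rules for a multi-homed
# firewall so the common rule body is written once. Interface names, rule
# numbers and the sample rules are constructed. Nothing here calls ipfw; the
# functions print commands that can be reviewed and then piped to sh.

# Interfaces that should share one rule body (constructed list).
INSIDE_IFS="em0 em1 vlan10"

# Build an ipfw or-block over the recv option:
#   recv_group "em0 em1"  ->  { recv em0 or recv em1 }
recv_group() {
    _out=""
    for _if in $1; do
        if [ -z "$_out" ]; then
            _out="recv $_if"
        else
            _out="$_out or recv $_if"
        fi
    done
    printf '{ %s }' "$_out"
}

# Technique 1: the or-block goes into each rule's match part. Every rule is
# written once and the interface list lives in a single variable, which is
# what keeps the rule set readable as interfaces are added.
rules_orblock() {
    _grp=$(recv_group "$1")
    printf 'ipfw add 1000 allow tcp from any to me 22 in %s\n' "$_grp"
    printf 'ipfw add 1010 allow udp from any to me 53 in %s\n' "$_grp"
    printf 'ipfw add 1020 deny ip from any to any in %s\n' "$_grp"
}

# Technique 2: one short skipto rule per interface jumps to a common block at
# rule 2000. Only the interface checks are repeated. The count rule records
# packets from interfaces not in the group; the deny after it (added here)
# stops them, because count alone lets the packet continue to rule 2000.
rules_skipto() {
    for _if in $1; do
        printf 'ipfw add 100 skipto 2000 ip from any to any in recv %s\n' "$_if"
    done
    printf 'ipfw add 100 count ip from any to any in // interface not recognised\n'
    printf 'ipfw add 110 deny ip from any to any in // not in the group\n'
    printf 'ipfw add 2000 allow tcp from any to me 22 in\n'
    printf 'ipfw add 2010 allow udp from any to me 53 in\n'
    printf 'ipfw add 2020 deny ip from any to any in\n'
}

# Print both variants for the configured interface group.
main() {
    echo "# or-block variant"
    rules_orblock "$INSIDE_IFS"
    echo "# skipto variant"
    rules_skipto "$INSIDE_IFS"
}

main
```

Both variants produce the same policy for the listed interfaces; the or-block form is the easier one to trace later because a packet's path never leaves the numbered sequence, which is the readability concern raised above. Review the generated text before loading it, for example `sh ipfw_groups.sh | grep '^ipfw' | sh`, and keep the interface list in one place so the two forms cannot drift apart.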