Date:      Tue, 14 Dec 2004 09:43:48 -0800
From:      Randy Bush <randy@psg.com>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: per-interface packet filters [summary]
Message-ID:  <16831.9812.789804.36697@ran.psg.com>
References:  <20041213124051.GB32719@cell.sick.ru> <20041214085123.GB42820@cell.sick.ru> <20041214015603.A75019@xorpc.icir.org> <41BEE0E7.BD2316EB@freebsd.org>

>> As i also said before, i agree that when the number of interfaces
>> becomes large, managing ipfw lists can become difficult (though i
>> see no way your technique can help without the assistance of scripts
>> generating the actual lists for each interface making sure that the
>> 'common' checks are in sync, etc.)
> 
> This is one of the difficulties of per-interface ACL's like in Cisco
> and Juniper.

grown-up operators generate their configs programmatically.  life
just does not scale any other way.

randy
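
Added example, not part of the original message or of any tool the thread mentions: a small generator that emits per-interface ipfw `add` lines from one shared list of common checks, plus a check that reports any interface whose common checks have drifted. The interface names, prefixes, ports and rule-number layout are constructed sample values.

```python
import re

# Constructed sample policy: interface names, prefixes and ports are made up.
COMMON = [
    "deny ip from 10.0.0.0/8 to any in",
    "deny ip from 172.16.0.0/12 to any in",
    "deny ip from 192.168.0.0/16 to any in",
]
PER_IF = {
    "em0": ["allow tcp from any to 192.0.2.10 dst-port 25 in"],
    "em1": ["allow tcp from any to 198.51.100.5 dst-port 80,443 in"],
    "vlan10": [],
}

def generate(common, per_if, block=1000, step=10):
    """Return 'add N ...' lines, one numbered block per interface."""
    lines = []
    for idx, ifname in enumerate(sorted(per_if), start=1):
        # Shared checks first, then local rules, then a default deny.
        bodies = common + per_if[ifname] + ["deny ip from any to any in"]
        if len(bodies) * step >= block:
            raise ValueError(f"{ifname}: too many rules for one block")
        for k, body in enumerate(bodies):
            lines.append(f"add {idx * block + k * step} {body} recv {ifname}")
    return lines

RULE = re.compile(r"^add (\d+) (.+) recv (\S+)$")

def drifted(lines, common):
    """Return {ifname: missing common checks} for interfaces out of sync."""
    seen = {}
    for line in lines:
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        seen.setdefault(m.group(3), []).append(m.group(2))
    return {i: [c for c in common if c not in bodies]
            for i, bodies in seen.items()
            if any(c not in bodies for c in common)}

if __name__ == "__main__":
    rules = generate(COMMON, PER_IF)
    print("\n".join(rules))
    # Simulate a hand edit that drops one shared check from em1 only.
    edited = [r for r in rules
              if not ("172.16.0.0/12" in r and r.endswith("em1"))]
    print(drifted(rules, COMMON), drifted(edited, COMMON))
```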


