From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 13 15:57:57 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 13 Jul 2005 17:57:53 +0200 (CEST)
Subject: "or" blocks in IPFW2
Message-Id: <200507131557.j6DFvrSY024295@lurza.secnetix.de>

Hi,

I'm using IPFW2 on FreeBSD 4-stable (only a few days old). This is a small router with multiple interfaces. I would like to write a rule that matches packets that enter the router on fxp0 _or_ leave it on fxp0.
My first idea was to simply use "via fxp0", but that would also match routed packets that leave the system on some other interface (and have entered the system on fxp0 previously). This is not what I want.

My next idea was to use "or" blocks, according to the ipfw manpage, to combine "in recv fxp0" with "out xmit fxp0". However, when I enter the command, the parser of ipfw(8) seems to move the braces to different locations:

    # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
    04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0

Of course, now the rule does something completely different which doesn't even make any sense. Most confusingly, I don't get an error message or even a warning from the parser.

Is this a bug in ipfw, or a bug in the manpage, or do I just misunderstand things? Do I have to write two separate rules?

Thanks in advance!

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"Unix gives you just enough rope to hang yourself -- and then a couple
of more feet, just to be sure."  -- Eric Allman
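The silent reinterpretation described in the post is exactly the kind of thing worth checking for after loading a ruleset: compare the rule you typed with the rule ipfw echoes back (or prints in `ipfw list`) and flag any difference in how the `{ ... or ... }` groups were parsed. The script below is an added example, not part of the original post or of ipfw itself; the two rule strings are constructed from the post's own command and output, and the `or_groups` / `matches_intent` names are assumptions of this example.

```python
import re
from typing import List

# Constructed sample, taken from the post: the rule as typed (shell escapes
# removed) and the rule as ipfw(8) echoed it back after parsing.
INTENDED = "allow tcp from any to any { in recv fxp0 or out xmit fxp0 }"
INSTALLED = "04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0"


def strip_rule_number(rule: str) -> str:
    """Drop the leading rule number that ipfw prints when listing rules."""
    return re.sub(r"^\s*\d+\s+", "", rule.strip())


def or_groups(rule: str) -> List[List[str]]:
    """Return the alternatives of every { a or b ... } block in a rule.

    Braces (escaped or not) become their own tokens; each alternative is
    the space-joined run of tokens between one 'or' and the next inside
    a brace group.  Tokens outside any braces are ignored here.
    """
    text = strip_rule_number(rule).replace("\\", "")
    tokens = text.replace("{", " { ").replace("}", " } ").split()
    groups: List[List[str]] = []
    current: List[List[str]] = []
    inside = False
    for tok in tokens:
        if tok == "{":
            inside, current = True, [[]]
        elif tok == "}":
            groups.append([" ".join(alt) for alt in current])
            inside, current = False, []
        elif inside and tok == "or":
            current.append([])
        elif inside:
            current[-1].append(tok)
    return groups


def matches_intent(intended: str, installed: str) -> bool:
    """True only if ipfw kept the or-groups exactly as the operator wrote them."""
    return or_groups(intended) == or_groups(installed)


if __name__ == "__main__":
    print("typed:    ", or_groups(INTENDED))
    print("installed:", or_groups(INSTALLED))
    print("ok" if matches_intent(INTENDED, INSTALLED) else "MISMATCH: braces moved")
```

Feeding it the two lines from the post reports a mismatch, because the typed rule has one group with the alternatives `in recv fxp0` / `out xmit fxp0` while the installed rule's group contains only `recv fxp0` / `out`.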