Date:      Thu, 4 Apr 2002 17:43:16 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        Christophe Prevotaux <c.prevotaux@hexanet.fr>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: IPFW Max Rule Discrete Number Limit
Message-ID:  <20020404174316.A11314@iguana.icir.org>
In-Reply-To: <20020404222556.5ddeb117.c.prevotaux@hexanet.fr>
References:  <20020403205923.27d35e11.c.prevotaux@hexanet.fr> <20020403111545.A98202@iguana.icir.org> <20020404222556.5ddeb117.c.prevotaux@hexanet.fr>

On Thu, Apr 04, 2002 at 10:25:56PM +0200, Christophe Prevotaux wrote:
> Luigi Rizzo <rizzo@icir.org> wrote:
> > On Wed, Apr 03, 2002 at 08:59:23PM +0200, Christophe Prévotaux wrote:
> > > ...
> > > I have reached the 655 firewalling rules limit (with discrete values)
> > ...
> > you know you can assign explicit numbers to rules ?
> ...
> yes I know, do you seriously think I will do this?

any serious ipfw usage (especially with the hundreds of rules you
mention) involves skipto rules so you can make
your search paths shorter than having to scan all rules sequentially.
In such a context autonumbering is useless because you need to know
where to jump, and so you want to assign numbers yourself.

Additionally, you can have multiple rules with the same number,
which is useful e.g. when you have a block of rules which you
want to scan sequentially.

A typical large configuration could be something like this:

	# bunch of demux rules
	ipfw add 1000 skipto 5000 udp from any to any
	ipfw add 1000 skipto 5500 tcp from any to any
	ipfw add 1000 skipto 6000 icmp from any to any
	# all other traffic
	ipfw add 1000 skipto 6500 ip from any to any

	# udp specific rules 
	ipfw add 5000 allow udp from any to any 53,137,138
	ipfw add 5000 allow udp from any 53,137,138 to any
	ipfw add 5000 deny ip from any to any

	# tcp specific rules
	ipfw add 5500 deny tcp from any to ${my-net} 23
	ipfw add 5500 allow tcp from ${my-proxy} to any
	ipfw add 5500 allow tcp from any to ${my-proxy}
	ipfw add 5500 deny tcp from any to any 80
	...
	ipfw add 5500 deny ip from any to any

	# icmp rules
	ipfw add 6000 pipe 10 icmp from any to any
	ipfw add 1000 skipto 11000 ip from ${net2} to any
	ipfw add 1000 skipto 11500 ip from any to ${net2}
	# ... you get the idea

> What happens when I insert new rules ? 

of course you number them manually if it is just single rules, and
if it is dozens of them you insert them in the script that loads
your configuration, and rerun the script.

	cheers
	luigi
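As an added illustration (not part of the mail above), a small Python model of ipfw's first-match evaluation with skipto, run over a constructed ruleset shaped like the one in the mail; evaluate() returns the verdict and the number of rules examined, which is the "search path" the mail talks about. It assumes, as ipfw does, that rules are kept sorted by number, that rules sharing a number stay in insertion order, that `skipto N` resumes at the first rule numbered >= N, and a default-deny kernel.

```python
# Constructed ruleset: (number, action, proto, dst_ports). action is "allow",
# "deny" or ("skipto", N); proto "ip" matches any protocol; ports None = any.
RULES = [
    (1000, ("skipto", 5000), "udp", None),      # demux block
    (1000, ("skipto", 5500), "tcp", None),
    (1000, ("skipto", 6000), "icmp", None),
    (1000, ("skipto", 6500), "ip", None),       # everything else
    (5000, "allow", "udp", {53, 137, 138}),     # udp block
    (5000, "deny", "ip", None),
    (5500, "deny", "tcp", {23}),                # tcp block
    (5500, "deny", "tcp", {80}),
    (5500, "deny", "ip", None),
    (6000, "allow", "icmp", None),              # icmp block
    (6500, "deny", "ip", None),                 # catch-all
]


def matches(rule, proto, dport):
    """True if the packet (proto, dport) matches the rule's selector."""
    _, _, rproto, rports = rule
    if rproto != "ip" and rproto != proto:
        return False
    return rports is None or dport in rports


def evaluate(rules, proto, dport):
    """Return (verdict, rules_examined) for one packet.

    Rules are walked in number order; a matching skipto resumes at the first
    rule whose number is >= its target (a target past the end falls through to
    the default policy, assumed here to be deny)."""
    rules = sorted(rules, key=lambda r: r[0])   # stable: same-number rules keep order
    i, examined = 0, 0
    while i < len(rules):
        rule = rules[i]
        examined += 1
        if matches(rule, proto, dport):
            action = rule[1]
            if isinstance(action, tuple) and action[0] == "skipto":
                target = action[1]
                i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
                continue
            return action, examined
        i += 1
    return "deny", examined


if __name__ == "__main__":
    for pkt in (("udp", 53), ("tcp", 80), ("tcp", 25), ("icmp", None), ("gre", None)):
        print(pkt, "->", evaluate(RULES, *pkt))
```

A tcp/80 packet is decided after examining four rules, whereas a flat sequential ruleset would have to test every udp rule first; adding a rule to the 5500 block means appending another `5500` line, and the demux block never changes.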
