From: "Patrick Bihan-Faou"
Subject: interface specification extension for ipfw
Date: Fri, 9 Mar 2001 19:25:49 -0500

Hi,

I am currently building a firewall using ipfw, and I am facing a small issue.

In order to group my rules in some meaningful way (to me), the first thing I do is split the packets per interface. Depending on the recv interface, I go to a different region of the ruleset using "skipto".

Now, according to the ipfw man page, packets generated by or destined to the local host will not have recv or xmit interface information respectively. This makes it a bit difficult to separate the traffic for the localhost from the rest.

In order to make this easy, being able to specify the interface in a negative way would be required:

    ipfw count from any to any in recv !any

Alternatively, using a separate interface keyword to identify the locally generated or destined packets would be nice too, although it would be a bit less powerful than the negation (the keyword would only be equivalent to "!any" and it would not allow something like "!ed0").

Now is something like this already implemented (in that case I guess it is undocumented), or is it something that people (besides me) would find useful?

Patrick.
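
The dispatch layout described in the message, as an added example that is not part of the original post and not ipfw code: a toy first-match evaluator showing where a packet with no recv interface lands with and without the proposed negation. The `Packet`, `Rule` and `evaluate` names, the interface `ed1` and all rule numbers are assumptions made for illustration, and `negate` models the proposed "!" syntax only.

```python
# Toy model of first-match evaluation with skipto; not ipfw source code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    recv: Optional[str]    # None: generated by the local host (per the man page)

@dataclass
class Rule:
    num: int
    action: str                   # "skipto", "count", "allow" or "deny"
    target: int = 0               # skipto destination
    recv: Optional[str] = None    # interface name or "any"; None = not checked
    negate: bool = False          # the proposed "!" (hypothetical syntax)

    def matches(self, p: Packet) -> bool:
        if self.recv is None:
            return True
        hit = p.recv is not None and self.recv in ("any", p.recv)
        return hit != self.negate

def evaluate(rules, p):
    """Return (rule number, action) of the rule that ends evaluation."""
    floor = 0                     # skipto resumes at the first rule >= floor
    for r in sorted(rules, key=lambda r: r.num):
        if r.num < floor or not r.matches(p):
            continue
        if r.action == "skipto":
            floor = r.target
        elif r.action != "count": # count only updates counters and continues
            return r.num, r.action
    return 65535, "deny"          # default rule; deny unless the kernel is built to accept

# Constructed ruleset: ed0 is from the message, ed1 and all numbers are made up.
DISPATCH = [
    Rule(110, "skipto", 2000, recv="ed0"),
    Rule(120, "skipto", 3000, recv="ed1"),
    Rule(900, "deny"),            # anything not dispatched ends here
    Rule(1000, "allow"),          # region for local-host traffic
    Rule(2000, "deny"),           # region for packets received on ed0
    Rule(3000, "allow"),          # region for packets received on ed1
]
LOCAL_FIRST = [Rule(100, "skipto", 1000, recv="any", negate=True)] + DISPATCH

if __name__ == "__main__":
    for pkt in (Packet(None), Packet("ed0"), Packet("ed1"), Packet("fxp0")):
        print(pkt, evaluate(DISPATCH, pkt), evaluate(LOCAL_FIRST, pkt))
```

In this model a negated named interface such as "!ed0" also matches packets that have no recv interface at all, which is worth keeping in mind when ordering such rules.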