Date: Fri, 9 Mar 2001 19:25:49 -0500
From: "Patrick Bihan-Faou" <patrick@netzuno.com>
To: <freebsd-ipfw@freebsd.org>
Subject: interface specification extension for ipfw
Message-ID: <HJEEKLMFLKEOKHOKNPBMKEMNCLAA.patrick@netzuno.com>
Hi,

I am currently building a firewall using ipfw, and I am facing a small issue. In order to group my rules in some meaningful way (to me), the first thing I do is split the packets per interface. Depending on the recv interface, I go to a different region of the ruleset using "skipto".

Now, according to the ipfw man page, packets generated by or destined to the local host will not have recv or xmit interface information respectively. This makes it a bit difficult to separate the traffic for the localhost from the rest. In order to make this easy, being able to specify the interface in a negative way would be required:

    ipfw count from any to any in recv !any

Alternatively, using a separate interface keyword to identify the locally generated or destined packets would be nice too, although it would be a bit less powerful than the negation (the keyword would only be equivalent to "!any" and it would not allow something like "!ed0").

Now, is something like this already implemented (in that case I guess it is undocumented), or is it something that people (besides me) would find useful?

Patrick.
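A worked ipfw ruleset in the layout the message describes (one skipto region per receive interface), added here as an example; it is not from the original message or from FreeBSD itself. The interface names ed0/ed1 and the rule numbers are assumptions, and because the `recv !any` form is only a proposal, the example gives packets that carry no receive interface (locally generated traffic) their own region by rule ordering instead.

```shell
#!/bin/sh
# Added example: skipto-per-interface ipfw layout that also isolates
# packets with no receive interface (generated by this host).
# Interface names and rule numbers are assumptions for illustration.
# The function only prints the ipfw commands so the ruleset can be
# reviewed first; pipe its output to sh as root to load it.

gen_ruleset() {
    ext="$1"   # external interface (assumed name, e.g. ed0)
    int="$2"   # internal interface (assumed name, e.g. ed1)
    cat <<EOF
ipfw -f flush
# Classify first: a "recv" rule only matches packets that carry a
# receive interface, i.e. packets received on it (inbound, or
# forwarded and now on their way out).
ipfw add 100 skipto 1000 ip from any to any recv $ext
ipfw add 110 skipto 2000 ip from any to any recv $int
# Anything still here carried no receive interface: per ipfw(8) these
# are packets generated by this host. They get their own region, which
# is what the proposed "recv !any" would select directly.
ipfw add 120 skipto 3000 ip from any to any out
# Region 1000: arrived on $ext, default deny, log drops for review
ipfw add 1000 allow tcp from any to any established
ipfw add 1010 allow tcp from any to any 22 in recv $ext setup
ipfw add 1090 deny log ip from any to any
# Region 2000: arrived on $int
ipfw add 2000 allow ip from any to any
# Region 3000: generated by this host, no receive interface
ipfw add 3000 count ip from any to any
ipfw add 3010 allow ip from any to any
# Safety net for anything unclassified
ipfw add 65000 deny log ip from any to any
EOF
}

gen_ruleset ed0 ed1
```

Rule 120 relies on rules 100 and 110 having already diverted every packet that was received on a known interface, so add a recv rule for each interface the host actually has before trusting region 3000 to hold only local traffic.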