Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 22 Oct 2004 08:50:19 -0700 (PDT)
From:      Jon Simola <jon@abccom.bc.ca>
To:        Martes Wigglesworth <martes.wigglesworth@earthlink.net>
Cc:        ipfw-mailings <freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw address-listing woes
Message-ID:  <20041022083605.J20686-100000@tyberius.abccom.bc.ca>
In-Reply-To: <1098339493.1973.44.camel@Mobile1.276NET>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Fri, 22 Oct 2004, Martes Wigglesworth wrote:

> Do you know if it is possible to list two interfaces in this rule?

Apparently you can stick anything after via and ipfw doesn't care:

# ipfw add 37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
# ipfw add 37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
# ipfw show |grep ^37
37000          0            0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37001          0            0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic

These rules don't match any of my traffic, even on the existing em1
interface.


> I have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw.  I would love to
> see an example of how to list multiple interfaces in these types of
> rules.

Well, I don't think you can list multiple interfaces unless you're
matching "in recv xl0 out xmit fxp0" and via appears to just use a text
string without comparing to interfaces actually existing or not.

Instead of:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state

Use two seperate rules, one for each interface:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0 setup keep-state
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via rl0 setup keep-state

And you'll get past that bug (feature?).

>  Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?

I cannot clarify anything until I get a better description of what I'm
looking at. Most of my ipfw expereince comes from a few years for working
with it daily and some detailed examination of the code.

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20041022083605.J20686-100000>