From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 22 15:51:03 2004
Date: Fri, 22 Oct 2004 08:50:19 -0700 (PDT)
From: Jon Simola
To: Martes Wigglesworth
cc: ipfw-mailings
Subject: Re: ipfw address-listing woes
In-Reply-To: <1098339493.1973.44.camel@Mobile1.276NET>
Message-ID: <20041022083605.J20686-100000@tyberius.abccom.bc.ca>

On Fri, 22 Oct 2004, Martes Wigglesworth wrote:

> Do you know if it is possible to list two interfaces in this rule?

Apparently you can stick anything after via and ipfw doesn't care:

# ipfw add 37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
# ipfw add 37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
# ipfw show |grep ^37
37000 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37001 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic

These rules don't match any of my traffic, even on the existing em1 interface.

> I have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw. I would love to
> see an example of how to list multiple interfaces in these types of
> rules.

Well, I don't think you can list multiple interfaces unless you're matching
"in recv xl0 out xmit fxp0", and via appears to just use a text string without
comparing to interfaces actually existing or not.

Instead of:

allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state

use two separate rules, one for each interface:

allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0 setup keep-state
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via rl0 setup keep-state

And you'll get past that bug (feature?).

> Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?

I cannot clarify anything until I get a better description of what I'm
looking at. Most of my ipfw experience comes from a few years of working
with it daily and some detailed examination of the code.

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe." -- GITS
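The two points Jon makes above, that ipfw accepts any text after "via" without checking it against real interfaces, and that the workaround is one rule per interface, can be turned into a small ruleset check. The following POSIX sh helpers are an added example and are not code from the thread or from FreeBSD: expand_via_rule rewrites a rule whose "via" clause names several interfaces into one rule per interface, and audit_via_ifaces reports "via" names that are not in a caller-supplied list of existing interfaces (on a FreeBSD host that list would come from ifconfig -l; the lists and rules used below are constructed for illustration). Only the "via" keyword is handled; "recv" and "xmit" clauses would need the same treatment.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). ipfw takes whatever text
# follows "via", so "via xl0,rl0" or "via teleporter" is accepted and silently
# matches nothing. These helpers split such rules and flag bogus names.

# expand_via_rule RULE
#   Print RULE once per interface named in its "via" clause, which is the
#   one-rule-per-interface workaround. A rule without "via" is printed as-is.
expand_via_rule() {
    rule=$1
    case $rule in
        *" via "*) ;;
        *) printf '%s\n' "$rule"; return 0 ;;
    esac
    before=${rule%%" via "*}        # text before the keyword
    rest=${rule#*" via "}           # interface list plus any trailing options
    ifaces=${rest%% *}              # first word, e.g. "xl0,rl0"
    after=${rest#"$ifaces"}         # trailing options, possibly empty
    old_ifs=$IFS
    IFS=,
    for ifc in $ifaces; do
        printf '%s via %s%s\n' "$before" "$ifc" "$after"
    done
    IFS=$old_ifs
}

# audit_via_ifaces "KNOWN" RULE
#   KNOWN is a space-separated list of interfaces that really exist; on
#   FreeBSD build it with:  audit_via_ifaces "$(ifconfig -l)" "$rule"
#   Prints each interface in RULE's "via" clause that is not in KNOWN and
#   returns 1 if any were found, 0 otherwise.
audit_via_ifaces() {
    known=$1
    rule=$2
    status=0
    case $rule in
        *" via "*) ;;
        *) return 0 ;;
    esac
    rest=${rule#*" via "}
    ifaces=${rest%% *}
    old_ifs=$IFS
    IFS=,
    for ifc in $ifaces; do
        case " $known " in
            *" $ifc "*) ;;
            *) printf 'unknown interface in via clause: %s\n' "$ifc"
               status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# Constructed sample run: the rule from the thread, plus the "em1,magic"
# rule checked against a made-up interface list (em0 em1 xl0 rl0).
sample='allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state'
expand_via_rule "$sample"
audit_via_ifaces "em0 em1 xl0 rl0" 'count ip from 192.168.3.0/24 to any via em1,magic' || :
```

Run this over the output of ipfw show (or the rules file before loading it) and any rule that names a non-existent or comma-joined interface shows up instead of being installed as a rule that never matches.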