From: Gleb Smirnoff <glebius@freebsd.org>
To: Julian Elischer
Cc: net@freebsd.org
Date: Mon, 13 Dec 2004 21:33:43 +0300
Subject: Re: per-interface packet filters
Message-ID: <20041213183343.GA36707@cell.sick.ru>
References: <20041213124051.GB32719@cell.sick.ru> <41BDDB4D.2050201@elischer.org>
In-Reply-To: <41BDDB4D.2050201@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Dec 13, 2004 at 10:11:25AM -0800, Julian Elischer wrote:
J> I do this now with the current ipfw unchanged..
J> my rules always start with something like:
J>
J> add 100 skipto 1000 ip from any to any in recv fxp0
J> add 101 skipto 2000 ip from any to any out xmit fxp0
J>
J> add 110 skipto 3000 ip from any to any in recv fxp1
J> add 111 skipto 4000 ip from any to any out xmit fxp1
J>
J> add 120 skipto 5000 ip from any to any in recv fxp2
J> add 121 skipto 6000 ip from any to any out xmit fxp2
J>
J> This allows me to have a dedicated set of rules for each logical flow.
J>
J> Sometimes I even go one step further and define subsections for
J> "out recv fxp0 xmit fxp1" and "from any to me in recv fxp1" .. etc

I often do it the same way. We should admit that this is a workaround. And the fact that people are doing the above setup means that it is claimed. This workaround is not error-prone, you can mess up rule numbers, not separated lists may collide, etc. And you can't have some interfaces without filter processing at all.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
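The per-interface "skipto" dispatch block Julian quotes, as an added example that is not part of the thread: a small POSIX sh script that generates the block for a list of interfaces and then checks the mistakes Gleb warns about (a skipto that does not jump forward, two dispatch rules sharing one section, dispatch rule numbers overlapping the section space). The interface names, the 1000-rule section size and the numbering scheme are assumptions lifted from the quoted ruleset.

```shell
#!/bin/sh
# Added example, not from the thread. Section layout follows the quoted
# rules: for interface i (0-based) the "in" section starts at 1000 + 2000*i,
# the "out" section 1000 rules later, and the dispatch rules sit at 100 + 10*i.

# emit_dispatch IFACE...  -> prints the ipfw dispatch rules on stdout
emit_dispatch() {
    i=0
    for ifn in "$@"; do
        rule=$((100 + i * 10))
        in_sec=$((1000 + i * 2000))
        out_sec=$((in_sec + 1000))
        printf 'add %d skipto %d ip from any to any in recv %s\n'  "$rule"        "$in_sec"  "$ifn"
        printf 'add %d skipto %d ip from any to any out xmit %s\n' "$((rule + 1))" "$out_sec" "$ifn"
        i=$((i + 1))
    done
}

# check_dispatch  <ruleset  -> exit 0 if the skipto layout is sane, 1 otherwise
# ipfw's skipto only jumps forward, so a target <= its own rule number never
# runs; a target reused by two dispatch rules merges two flows into one
# section; a dispatch rule numbered at or above the lowest section start
# would be evaluated as part of a section instead of as a dispatcher.
check_dispatch() {
    awk '
        $1 == "add" && $3 == "skipto" {
            rule = $2 + 0; target = $4 + 0
            if (target <= rule) { print "rule " rule ": skipto must jump forward"; bad = 1 }
            if (target in seen) { print "rule " rule ": section " target " already used by rule " seen[target]; bad = 1 }
            seen[target] = rule
            if (rule > maxrule) maxrule = rule
            if (mintarget == 0 || target < mintarget) mintarget = target
        }
        END {
            if (maxrule >= mintarget) { print "dispatch rules overlap the section space"; bad = 1 }
            exit bad
        }'
}

# Usage: build the block for three interfaces and print it only if it checks out.
ruleset=$(emit_dispatch fxp0 fxp1 fxp2)
printf '%s\n' "$ruleset" | check_dispatch && printf '%s\n' "$ruleset"
```

Interfaces not named on the command line get no dispatch rule at all, which is exactly the "some interfaces without filter processing" case Gleb says this scheme cannot express: their packets fall through to whatever follows the dispatch block.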