Date: Mon, 13 Dec 2004 21:33:43 +0300
From: Gleb Smirnoff <glebius@freebsd.org>
To: Julian Elischer <julian@elischer.org>
Cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <20041213183343.GA36707@cell.sick.ru>
In-Reply-To: <41BDDB4D.2050201@elischer.org>
References: <20041213124051.GB32719@cell.sick.ru> <41BDDB4D.2050201@elischer.org>
On Mon, Dec 13, 2004 at 10:11:25AM -0800, Julian Elischer wrote:
J> I do this now with the current ipfw unchanged..
J> my rules always start with something like:
J>
J> add 100 skipto 1000 ip from any to any in recv fxp0
J> add 101 skipto 2000 ip from any to any out xmit fxp0
J>
J> add 110 skipto 3000 ip from any to any in recv fxp1
J> add 111 skipto 4000 ip from any to any out xmit fxp1
J>
J> add 120 skipto 5000 ip from any to any in recv fxp2
J> add 121 skipto 6000 ip from any to any out xmit fxp2
J>
J> This allows me to have a dedicated set of rules for each logical flow.
J>
J> Sometimes I even go one step further and define subsections for
J> "out recv fxp0 xmit fxp1" and "from any to me in recv fxp1" .. etc

I often do it the same way. We should admit that this is a workaround. And the fact that people are doing the above setup means that it is claimed. This workaround is not error-prone, you can mess up rule numbers, non-separated lists may collide, etc. And you can't have some interfaces without filter processing at all.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
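The per-interface skipto layout Julian quotes, generated from a table rather than typed by hand, as an added example that is not from this thread or from FreeBSD's ipfw code. It produces the same numbering (dispatch rules 100/101/110/111..., sections at 1000, 2000, ...) and rejects two of the mistakes Gleb mentions: a section that would overflow into the next interface's section, and duplicate rule numbers; the section size, rule step and dispatch base are constructed assumptions.

```python
# Added example (not from the thread): build Julian's per-interface skipto
# layout and check for section overflow and duplicate rule numbers.
# SECTION_SIZE, STEP, DISPATCH_BASE and FIRST_SECTION are constructed choices.

SECTION_SIZE = 1000   # rule numbers reserved per (interface, direction) section
STEP = 10             # spacing between rules inside a section
DISPATCH_BASE = 100   # dispatch (skipto) rules live below the first section
FIRST_SECTION = 1000  # first section start; fxp0 in -> 1000, fxp0 out -> 2000, ...
MAX_RULE = 65535      # ipfw's default rule number; user rules must stay below it


def build_ruleset(interfaces, sections, section_size=SECTION_SIZE):
    """Return a list of 'add N ...' ipfw rules.

    interfaces: ordered interface names, e.g. ["fxp0", "fxp1"].
    sections:   {(ifname, "in"|"out"): [rule body, ...]} without 'add N'.
    Every section is closed with an explicit deny so that a packet that
    matches nothing in its section cannot fall through into the next one.
    """
    dispatch, bodies = [], []
    for i, ifn in enumerate(interfaces):
        for j, (direction, verb) in enumerate((("in", "recv"), ("out", "xmit"))):
            num = DISPATCH_BASE + 10 * i + j
            start = FIRST_SECTION + (2 * i + j) * section_size
            if num >= FIRST_SECTION:
                raise ValueError(f"dispatch rule {num} collides with section space")
            if start + section_size - 1 >= MAX_RULE:
                raise ValueError(f"section for {ifn} {direction} exceeds rule {MAX_RULE}")
            dispatch.append(
                f"add {num} skipto {start} ip from any to any {direction} {verb} {ifn}")
            body = sections.get((ifn, direction), [])
            # body rules plus the closing deny must fit inside this section
            if (len(body) + 1) * STEP > section_size:
                raise ValueError(f"section for {ifn} {direction} overflows into next section")
            for k, text in enumerate(body):
                bodies.append(f"add {start + k * STEP} {text}")
            bodies.append(f"add {start + len(body) * STEP} deny ip from any to any")
    rules = dispatch + bodies
    numbers = [int(r.split()[1]) for r in rules]
    if len(set(numbers)) != len(numbers):
        raise ValueError("duplicate rule numbers in generated set")
    return rules


if __name__ == "__main__":
    # constructed sample: one inbound rule on fxp0, everything else default-deny
    for rule in build_ruleset(["fxp0", "fxp1"],
                              {("fxp0", "in"): ["allow tcp from any to me 22"]}):
        print(rule)
```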