ipfw address-listing woes
Jon Simola
jon at abccom.bc.ca
Fri Oct 22 08:51:03 PDT 2004
On Fri, 22 Oct 2004, Martes Wigglesworth wrote:
> Do you know if it is possible to list two interfaces in this rule?
Apparently you can stick anything after via and ipfw doesn't care:
# ipfw add 37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37000 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
# ipfw add 37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
37001 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
# ipfw show |grep ^37
37000 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via teleporter
37001 0 0 count ip from 192.168.3.0/24,192.168.1.0/24 to any via em1,magic
These rules don't match any of my traffic, even on the existing em1
interface.
> I have gotten the address listing to work, however, I think that when I
> included the double address listing, it confuses ipfw. I would love to
> see an example of how to list multiple interfaces in these types of
> rules.
Well, I don't think you can list multiple interfaces unless you're
matching "in recv xl0 out xmit fxp0" and via appears to just use a text
string without comparing to interfaces actually existing or not.
Instead of:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state
Use two separate rules, one for each interface:
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0 setup keep-state
allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via rl0 setup keep-state
And you'll get past that bug (feature?).
> Do you have any nifty sites of interest, or maybe some more
> clarification, to offer, for this issue?
I cannot clarify anything until I get a better description of what I'm
looking at. Most of my ipfw experience comes from a few years of working
with it daily and some detailed examination of the code.
---
Jon Simola <jon at abccom.bc.ca> | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications | flow throughout the universe." -- GITS
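As an added example (not part of Jon's post and not code from the ipfw project), the two failure modes in the reply above can be caught before a ruleset is loaded: a comma list after `via`/`recv`/`xmit` that ipfw treats as one literal name, and an interface name ipfw accepts without checking that it exists. The function name `lint_ipfw_rules`, its two-argument calling convention and the constructed sample rules are assumptions for the example; the interface list is passed in as a parameter (on a FreeBSD host you would pass `"$(ifconfig -l)"`) so the check runs anywhere, including offline.

```shell
#!/bin/sh
# Added example: a small lint for an ipfw rule list. Not from the original
# mailing-list post or from the ipfw source; names and conventions are assumed.
#
# lint_ipfw_rules RULES IFACES
#   RULES  : ipfw rules, one per line (e.g. the body of your rules file)
#   IFACES : space-separated names of the interfaces that really exist.
#            On FreeBSD pass "$(ifconfig -l)"; it is a parameter here so the
#            function can run offline on a constructed rule list.
# Prints one WARN line per finding and returns 1 if anything was found,
# 0 if the rule list is clean.
lint_ipfw_rules() {
    rules=$1
    ifaces=" $2 "   # padded so " name " can be tested as a whole word

    findings=$(
        # Emit "lineno:keyword:token" for every token following via/recv/xmit.
        printf '%s\n' "$rules" | awk '
            {
                for (i = 1; i < NF; i++)
                    if ($i == "via" || $i == "recv" || $i == "xmit")
                        print NR ":" $i ":" $(i + 1)
            }' |
        while IFS=: read -r lineno kw token; do
            case "$token" in
                any|*'*'|*.*.*.*)
                    # "via any", a wildcard prefix such as "via xl*" and an
                    # IP address are legal ipfw operands; nothing to check.
                    ;;
                *,*)
                    # ipfw keeps the comma list as one literal interface name,
                    # so the rule never matches (see the count rules above).
                    echo "WARN line $lineno: '$kw $token' is a comma list;" \
                         "ipfw stores it as one literal interface name that" \
                         "matches no packets. Write one rule per interface."
                    ;;
                *)
                    case "$ifaces" in
                        *" $token "*) ;;   # interface exists; rule can match
                        *)
                            echo "WARN line $lineno: '$kw $token' names an" \
                                 "interface that does not exist; ipfw accepts" \
                                 "the name unchecked, so the rule matches nothing."
                            ;;
                    esac
                    ;;
            esac
        done
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample rule list, modelled on the rules quoted in the thread.
sample_rules='allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80 via xl0,rl0 setup keep-state
count ip from 192.168.3.0/24 to any via teleporter
allow ip from any to any in recv xl0 out xmit fxp0
allow ip from any to any via em1'

# Run stand-alone: warns about "xl0,rl0" and "teleporter", passes the rest.
lint_ipfw_rules "$sample_rules" "em1 xl0 fxp0 lo0"
```

One caveat for real use: interfaces that only appear after boot (tun0, ppp0 and the like) will be reported as missing even though the rule is intentional, so treat that warning as something to review rather than an error, and run the lint with the interface list from the host the rules are meant for.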