Multiple match

[Giulio Ferro]

After many years I've been using ipfw I've suddently realized it doesn't 
do what I
would expect...

Let's keep it to this simple example. On my firewall box I have 2 nics, 
with machines
attached to either side of it:

Client 1 ----------rl0-|IPFW BOX|-rl1------------Client2

(let's suppose that both Client1 and Client2 know about their respective 
routes...)

I have a sigle rule: in ipfw

add 10 allow icmp from any to any in via rl1
(the ping won't come back, but it doesn't matter here)

What I expected, until yesterday, is that if I ping from Client2 to 
Client1, my ping _ONLY_ passed
through interface rl1, _NOT_ rl0! So, if I had wanted to make it pass 
throght the whole
firewall I would had set 2 rules:

add 10 allow icmp from any to any in via rl1
add 20 allow icmp from any to any out via rl0


If I set the logs, I notice that the rule 10 will be matched twice:
10 Allow ...in via rl1
10 Allow ...out via rl0

I don't like it. It doesn't give me enough control over the flows of 
traffic.

What do you think about this?