Does ipfw support interface groups?

Steve Bertrand steve at ibctech.ca
Thu May 21 17:08:13 UTC 2009


Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:
>> On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>>> can ipfw use somehow interface groups as pf(4) can?
>>> From a quick glance at documentation and a not so thorough look at code
>>> it does not, but I am sending this just in case I missed something during my
>>> search!
>> something like
>>         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> is perhaps not so nice but does the job.
> 
> Seriously??!!
> 
> Luigi, you just made my day.  :)  Writing duplicate sets of rules for
> multi-homed firewalls where the only thing that's different is the
> incoming interface has been a pain ...

Aside from Luigi's piece of trickery, if you are accustomed to making
frequent changes to live rulesets (and then promptly
forgetting/neglecting to add them into your startup scripts), might I
recommend something that has become very useful to me:

I have /etc/ipfw.rules which contains the variable definitions and all
table configurations as my primary startup script. At the bottom of that
file, I have:

. /etc/ipfw.include

This instructs the sh script to pick up the data from the ipfw.include
file, and process it as well.

Instead of implementing the rules live, and then adding them into the
startup script manually, I simply (from time to time) run this
(copy/paste into CLI):

ipfw list | \
perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \
> /etc/ipfw.include
chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

That then makes a copy of your current live ruleset into your
/etc/ipfw.include file, which will be loaded upon next reboot.

Steve
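Added example (not code from this thread): two small sh helpers built around the two ideas above, the interface-group emulation via a "{ recv a or recv b }" clause and the conversion of "ipfw list" output into an include file, with a syntax check showing why the table(N) quoting matters. The sample ruleset and the cmd="ipfw -q add" convention are assumptions.

```shell
#!/bin/sh
# Assumed skeleton of /etc/ipfw.rules that sources the generated file:
#   cmd="ipfw -q add"
#   ... variable definitions and table setup ...
#   . /etc/ipfw.include

# Emulate a pf-style interface group: build Luigi's OR block from a
# direction keyword (recv/xmit/via) and a space-separated interface list.
#   ifgroup_clause recv "ed0 xl1 ath4"  ->  { recv ed0 or recv xl1 or recv ath4 }
ifgroup_clause() {
    dir=$1
    out=""
    for ifn in $2; do            # word-splitting of the list is intended
        if [ -z "$out" ]; then out="$dir $ifn"; else out="$out or $dir $ifn"; fi
    done
    printf '{ %s }' "$out"
}

# Turn "ipfw list" output (stdin) into include-file lines: prefix each rule
# with $cmd and quote table(N), since bare parentheses are a sh syntax error.
# sed is used here instead of the perl one-liner from the message.
ipfw_to_include() {
    sed -e 's/table(\([0-9][0-9]*\))/"table(\1)"/g' -e 's/^/$cmd /'
}

# Syntax-check a generated include file (stdin) before installing it;
# exit status 0 means sh can parse every line.
include_is_valid_sh() {
    sh -n
}

# Constructed sample of what "ipfw list" prints on a small ruleset.
SAMPLE_LIST='00100 allow ip from any to any via lo0
00200 deny ip from table(1) to any in recv ed0'

demo_include() {
    printf '%s\n' "$SAMPLE_LIST" | ipfw_to_include
}

demo_include
printf '%s\n' "$(ifgroup_clause recv "ed0 xl1 ath4")"
```

In real use, write the converted output to a temporary file, run it through include_is_valid_sh, and only then move it into place with the root:wheel / 0400 permissions from the message.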
