Does ipfw support interface groups?

Freddie Cash fjwcash at gmail.com
Thu May 21 17:22:59 UTC 2009


On Thu, May 21, 2009 at 9:42 AM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:
> On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
>> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:
>> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Luçi wrote:
>> >> can ipfw use somehow interface groups as pf(4) can?
>> >> From a quick glance at documentation and not so thorough look at code
>> >> it does not but I am sending this just in case I missed something during my
>> >> search!
>> >
>> > something like
>> >         ... { recv ed0 or recv xl1 or recv ath4 or recv vlan0 } ...
>> > is perhaps not so nice but does the job.
>>
>> Seriously??!!
>>
>> Luigi, you just made my day.  :)  Writing duplicate sets of rules for
>> multi-homed firewalls where the only thing that's different is the
>> incoming interface has been a pain ...
>
> you can always put multiple rules that check the variant part
> and skipto the common one
>
>        ipfw add 100 skipto 2000 in recv xl1
>        ipfw add 100 skipto 2000 in recv bge0
>        ...
>        ipfw add 100 count // interface not recognised
>        ipfw add 2000 ...  // do the common part

Skipto is very powerful, and we use it in some cases.  But I try not
to use it very often, as it can lead to spaghetti rules that are hard
to follow.  :)  We have one firewall where it takes a good 10 minutes
to track the path a packet takes through the rulelist, as there are so
many skipto rules and multiple interfaces/vlans (it's scheduled for a
rewrite this summer).

-- 
Freddie Cash
fjwcash at gmail.com
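The two idioms from the thread (an or-block listing every member interface, and one skipto rule per member that jumps to a shared block) both get tedious once the "group" has more than a couple of members, and hand-copying them is how the rule duplication the thread complains about creeps in. The script below is an added example, not code from the list post or from FreeBSD; it keeps the interface group in one variable and generates the ipfw commands from it, printing them rather than running them so it can be reviewed (or diffed against the live ruleset) before being piped to sh on the firewall. The interface names, rule numbers and the `ip from any to any` bodies are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emulate a pf-style interface group in ipfw by generating
# the rules from a single list instead of copying them per interface.
# Interface names and rule numbers below are assumptions for illustration.

# The "group": space-separated inbound interfaces that share one policy.
WAN_IFACES="xl1 bge0 em0"

# Rule numbers (assumed): per-interface dispatch at 100, shared block at 2000.
DISPATCH_RULE=100
COMMON_RULE=2000

# Idiom 1 from the thread: one skipto rule per member interface, all with
# the same rule number, followed by a catch-all so traffic arriving on an
# interface outside the group never reaches the shared block by accident.
# Arguments: group, dispatch rule number, target rule number.
gen_dispatch() {
    group="$1"; dispatch="$2"; target="$3"
    for ifn in $group; do
        printf 'ipfw add %s skipto %s ip from any to any in recv %s\n' \
            "$dispatch" "$target" "$ifn"
    done
    # Falls through to whatever follows rule $dispatch; "count" makes the
    # unexpected interface visible in "ipfw show" without blocking anything.
    printf 'ipfw add %s count ip from any to any in // interface not in group\n' \
        "$dispatch"
}

# Idiom 2 from the thread: a single rule whose or-block lists every member,
# so the shared block is entered from one rule instead of N.
# Arguments: group, rule number, target rule number.
gen_orblock() {
    group="$1"; rule="$2"; target="$3"
    expr=""
    for ifn in $group; do
        # Join members with " or " inside the { } or-block.
        expr="${expr:+$expr or }recv $ifn"
    done
    printf 'ipfw add %s skipto %s ip from any to any in { %s }\n' \
        "$rule" "$target" "$expr"
}

# Shared policy block, written once. The bodies are placeholders (assumed);
# the point is that only this block changes when the policy changes, and only
# WAN_IFACES changes when an interface is added.
gen_common() {
    target="$1"
    printf 'ipfw add %s check-state\n' "$target"
    printf 'ipfw add %s allow tcp from any to me 22 in keep-state\n' "$((target + 10))"
    printf 'ipfw add %s deny ip from any to any in\n' "$((target + 20))"
}

# Emit the complete generated ruleset (dispatch variant) to stdout.
gen_ruleset() {
    gen_dispatch "$WAN_IFACES" "$DISPATCH_RULE" "$COMMON_RULE"
    gen_common "$COMMON_RULE"
}

gen_ruleset
```

Pipe the output through `sh` on the firewall, or keep it as the input to a `firewall_script` so the generated rules are the only copy that exists; either way, a new interface is one word added to `WAN_IFACES`, not a second copy of the policy block, and the catch-all `count` rule is the check to watch in `ipfw show` for traffic arriving on an interface nobody added to the group.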


More information about the freebsd-ipfw mailing list