ipfw2 question
Ian Smith
smithi at nimnet.asn.au
Fri Jul 1 03:38:05 GMT 2005
On Thu, 30 Jun 2005, dnr wrote:
> sad, but
> ipfw add pipe 1 ip from any to any out recv vlan10 xmit vlan1000
> ipfw add pipe 2 ip from any to any out recv vlan11 xmit vlan1000
> doesn't seems to work :(
>
> i've noticed if in one ipfw rule i describe directions on two interfaces - rule doesn't work...
> example:
> simplified test machine:
> remote icmp 8--------fxp0[vlan10]---rl0----------remote icmp2
>
> "log ip from any to any" shows:
> accept icmp:8.0 10.10.10.2 192.168.144.254 in via vlan10
> accept icmp:8.0 10.10.10.2 192.168.144.254 out via rl0
> accept icmp:2.0 192.168.144.254 10.10.10.2 in via rl0
> accept icmp:2.0 192.168.144.254 10.10.10.2 out via vlan10
>
>
> so, 2 rules should be enough
> ipfw add pass all from any to any in via vlan10 out via rl0
> ipfw add pass all from any to any in via rl0 out via vlan10
> packets do not pass through these rules...
> of course "via" can be changed to "recv" or "xmit" accordingly, but i don't think i makes any sense
ipfw(8):
The via keyword causes the interface to always be checked. If
recv or xmit is used instead of via, then only the receive or
transmit interface (respectively) is checked. By specifying
both, it is possible to match packets based on both receive and
transmit interface, e.g.:
ipfw add 100 deny ip from any to any out recv ed0 xmit ed1
The recv interface can be tested on either incoming or outgoing
packets, while the xmit interface can only be tested on outgoing
packets. So out is required (and in is invalid) whenever xmit is
used. Specifying via together with xmit or recv is invalid.
Cheers, Ian
More information about the freebsd-net
mailing list