On Thu, Apr 04, 2002 at 10:25:56PM +0200, Christophe Prevotaux wrote:
> Luigi Rizzo <[EMAIL PROTECTED]> wrote:
> > On Wed, Apr 03, 2002 at 08:59:23PM +0200, Christophe Prévotaux wrote:
> > > ...
> > > I have reached the 655 firewalling rules limit (with discrete values)
> > ...
> > you know you can assign explicit numbers to rules ?
> ...
> yes I know, do you seriously think I will do this?

Any serious ipfw usage (especially with the hundreds of rules you
mention) involves skipto rules so you can make
your search paths shorter than having to scan all rules sequentially.
In such a context autonumbering is useless because you need to know
where to jump, and so you want to assign the numbers yourself.

Additionally, you can have multiple rules with the same number,
which is useful e.g. when you have a block of rules which you
want to scan sequentially.

A typical large configuration could be something like this:

        # bunch of demux rules
        ipfw add 1000 skipto 5000 udp from any to any
        ipfw add 1000 skipto 5500 tcp from any to any
        ipfw add 1000 skipto 6000 icmp from any to any
        # all other traffic
        ipfw add 1000 skipto 6500 ip from any to any

        # udp specific rules 
        ipfw add 5000 allow udp from any to any 53,137,138
        ipfw add 5000 allow udp from any 53,137,138 to any
        ipfw add 5000 deny ip from any to any

        # tcp specific rules
        ipfw add 5500 deny tcp from any to ${my-net} 23
        ipfw add 5500 allow tcp from ${my-proxy} to any
        ipfw add 5500 allow tcp from any to ${my-proxy}
        ipfw add 5500 deny tcp from any to any 80
        ...
        ipfw add 5500 deny ip from any to any

        # icmp rules
        ipfw add 6000 pipe 10 icmp from any to any
        ipfw add 1000 skipto 11000 ip from ${net2} to any
        ipfw add 1000 skipto 11500 ip from any to ${net2}
        # ... you get the idea

> What happens when I insert new rules?

Of course you number them manually if it is just single rules, and
if it is dozens of them you insert them in the script that loads
your configuration, and rerun the script.

        cheers
        luigi
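The loader script Luigi refers to, written out as an added example (it is not part of the thread and not a config of either poster). It keeps the skipto demux structure from the message, gives every block an explicit number with gaps between blocks so a new rule can be added to a block simply by re-running the script, and defaults to a dry run that only prints the ipfw commands so the ruleset can be reviewed on a host without ipfw. The address values, the IPFW variable and the two check functions are assumptions of the example; the pipe rule is kept as in the message but the checks only look at rule numbers and skipto targets.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: a loader for an
# explicitly numbered ipfw ruleset built around skipto demux blocks.
# Inserting rules means editing this file and re-running it.
#
# IPFW defaults to a dry run that prints the commands; run with
# IPFW=/sbin/ipfw to actually load the ruleset.
IPFW="${IPFW:-echo ipfw}"

# Address values are assumptions for the example.
MY_NET="10.1.0.0/16"
MY_PROXY="10.1.0.10"

# Block numbers. The gaps are what make later insertion cheap: a new
# rule for a block gets the block's number and lands at the end of it.
DEMUX=1000
UDP=5000
TCP=5500
ICMP=6000
OTHER=6500

# rule NUMBER ACTION BODY... : add one rule with an explicit number
rule() { $IPFW add "$@"; }

load_rules() {
    $IPFW -f flush

    # demux: all skipto rules share number $DEMUX and are evaluated in
    # the order they were added; the last one catches non-udp/tcp/icmp
    rule $DEMUX skipto $UDP   udp  from any to any
    rule $DEMUX skipto $TCP   tcp  from any to any
    rule $DEMUX skipto $ICMP  icmp from any to any
    rule $DEMUX skipto $OTHER ip   from any to any

    # udp block: DNS and NetBIOS only, then deny the rest of the block
    rule $UDP allow udp from any to any 53,137,138
    rule $UDP allow udp from any 53,137,138 to any
    rule $UDP deny  ip  from any to any

    # tcp block
    rule $TCP deny  tcp from any to $MY_NET 23
    rule $TCP allow tcp from $MY_PROXY to any
    rule $TCP allow tcp from any to $MY_PROXY
    rule $TCP deny  tcp from any to any 80
    rule $TCP deny  ip  from any to any

    # icmp block: rate limited through dummynet pipe 10
    rule $ICMP pipe 10 icmp from any to any

    # everything else
    rule $OTHER deny ip from any to any
}

# count_rules: how many "add" commands a dry run issues
count_rules() { load_rules | grep -c ' add '; }

# check_skipto_targets: every skipto target must exist as a rule number,
# otherwise the jump lands on a later block or the default rule.
# Exits 0 when consistent, 1 and prints the missing block otherwise.
check_skipto_targets() {
    load_rules | awk '
        / add /    { num[$3] = 1 }
        / skipto / { for (i = 1; i <= NF; i++)
                         if ($i == "skipto") want[$(i + 1)] = 1 }
        END { for (t in want)
                  if (!(t in num)) { print "missing block " t; bad = 1 }
              exit bad }'
}

# "sh thisfile.sh load" prints (or, with IPFW set, loads) the ruleset
if [ "${1:-}" = "load" ]; then
    check_skipto_targets && load_rules
fi
```

Run it once as a dry run and read the output before pointing IPFW at the real binary; check_skipto_targets is there because a typo in a block number silently turns a jump into a fall-through to the default rule, which a plain `ipfw list` does not flag.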
