can ipfw check all permit rules without search termination?

Gary Aitken freebsd at dreamchaser.org
Tue Dec 16 00:10:21 UTC 2014


On 12/15/14 00:49, s m wrote:

> I want to define multiple rules for ipfw. I want to know if there is any way
> to have ipfw check all permit rules without terminating the search until it
> sees a deny rule. I want the search to terminate only when a deny rule is met.
> Is there any option or sysctl variable to do this for me? I read the ipfw
> man page but found nothing.

If you don't want the search to terminate except on a deny rule, simply put
all the deny rules first.  Then put all your allow rules after that, with a
final deny rule to catch whatever didn't match the allow rules.

Perhaps I don't understand what you are trying to accomplish...

If what you want to do on an allow rule is skip the rest of the allow rules 
through the following deny rule, and continue matching with the first 
rule after the deny rule, you can use the "skipto" action for the allow rules:
 
  add 100 skipto 1000 ip from <goodguy> to any via <if>   // jump past the deny and the allows below
  add 200 deny ip from <badguy> to any via <if>           // first match ends the search
  ...
  add 1000 skipto 2000 ...

I've never used skipto so I may have the syntax a bit wrong.

Gary
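To make the first-match point concrete, here is an added example (mine, not code from the post or from FreeBSD): a small Python model of ipfw's search order that parses a handful of rules written in ipfw's own `add N action proto from src to dst via if` syntax and reports which rule decides a packet. The rule sets, the RFC 5737 addresses and the interface name em0 are constructed for illustration, and the model assumes the kernel's implicit last rule 65535 is a deny (FreeBSD's default); it handles only the allow/deny/skipto subset the thread uses.

```python
"""Model of ipfw first-match evaluation, including skipto (added example).

Only the rule subset used in the thread is supported:
    add <num> <action> [<target>] <proto> from <src> to <dst> [via <iface>]
Assumption: the implicit final rule 65535 denies everything (FreeBSD's
default; a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT differs).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_RULE = 65535  # implicit "deny ip from any to any" (assumed default)
ALLOW_WORDS = {"allow", "accept", "pass", "permit"}
DENY_WORDS = {"deny", "drop"}
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>\w+)(?:\s+(?P<target>\d+))?\s+"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<iface>\S+))?$"
)


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                           # "allow", "deny" or "skipto"
    target: Optional[int]                 # skipto destination rule number
    proto: str                            # "ip"/"all" match every protocol
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    iface: Optional[str]                  # None means no "via" clause


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    iface: str


def _net(word: str) -> Optional[ipaddress.IPv4Network]:
    return None if word == "any" else ipaddress.ip_network(word, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one rule; a missing 'to' clause is rejected, as ipfw rejects it."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    num, action, target = int(m["num"]), m["action"], None
    if action in ALLOW_WORDS:
        action = "allow"
    elif action in DENY_WORDS:
        action = "deny"
    elif action == "skipto" and m["target"]:
        target = int(m["target"])
        if target <= num:
            raise ValueError("ipfw skipto may only jump forward")
    else:
        raise ValueError(f"unsupported action in {line!r}")
    return Rule(num, action, target, m["proto"],
                _net(m["src"]), _net(m["dst"]), m["iface"])


def parse_ruleset(text: str) -> list:
    """Parse a rules file; blank lines and '#' comment lines are skipped."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return sorted(rules, key=lambda r: r.num)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.iface is None or rule.iface == pkt.iface


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk rules in number order; return (verdict, deciding rule number).

    The first matching allow or deny ends the search.  A matching skipto
    does not: evaluation resumes at the first rule numbered >= its target.
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, pkt):
            i += 1
        elif rule.action == "skipto":
            i = next((j for j, r in enumerate(rules) if r.num >= rule.target),
                     len(rules))
        else:
            return rule.action, rule.num
    return "deny", DEFAULT_RULE


# Constructed rule sets (RFC 5737 addresses, interface em0), not real configs.
DENY_FIRST = """
# the ordering from the reply: every deny before every allow, then a catch-all
add 100 deny ip from 198.51.100.0/24 to any via em0
add 200 allow tcp from any to 192.0.2.10 via em0
add 300 allow udp from any to 192.0.2.53 via em0
add 65000 deny ip from any to any
"""
ALLOW_FIRST = """
# the pitfall: an allow above the deny ends the search before the deny is seen
add 100 allow tcp from any to 192.0.2.10 via em0
add 200 deny ip from 198.51.100.0/24 to any via em0
add 65000 deny ip from any to any
"""
SKIPTO = """
# trusted 192.0.2.0/24 jumps past the deny and the general allows
add 100 skipto 1000 ip from 192.0.2.0/24 to any via em0
add 200 deny ip from 198.51.100.0/24 to any via em0
add 300 allow tcp from any to 192.0.2.10 via em0
add 400 deny ip from any to any
add 1000 allow ip from any to any
"""

if __name__ == "__main__":
    bad = Packet("198.51.100.7", "192.0.2.10", "tcp", "em0")
    print("deny-first :", evaluate(parse_ruleset(DENY_FIRST), bad))
    print("allow-first:", evaluate(parse_ruleset(ALLOW_FIRST), bad))
    trusted = Packet("192.0.2.5", "192.0.2.53", "udp", "em0")
    print("skipto     :", evaluate(parse_ruleset(SKIPTO), trusted))
```

Running it shows the pitfall the reply's ordering avoids: with the allow above the deny, a packet from the blocked network that also matches the allow is accepted at rule 100 and the deny at 200 is never consulted; with the denies first it is dropped at 100. In the skipto set the trusted network jumps to rule 1000 and is allowed there, while everyone else still passes the deny and falls through to the catch-all at 400. On a real host the same check is `ipfw show`, whose per-rule packet counters tell you which rule actually decided the traffic.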


More information about the freebsd-questions mailing list