I am getting down to configuring a wifi card for a local network, with access to Samba.
I would like to ask where to define the second interface as "int_if" so as not to have to duplicate rules.
Below I paste a set of rules. The rules I'm interested in can be found under the comment #INTERNAL INTERFACE.
Code:
ipfw -q -f flush
ext_if="re0"
int_if="igb0"
my_ip="192.168.1.46"
#ipfw -q add 100 allow log all from any to any
#ipfw -q add 200 deny icmp from any to any
#IPv6
ipfw -q add 300 deny ipv6 from any to any
ipfw -q add 400 deny all from any to any frag
#LOOPBACK lo0
ipfw -q add 500 allow all from any to any via lo0
#NTPDATE
#ipfw -q add 600 allow udp from $my_ip to any dst-port 123 out keep-state
#EXTERNAL INTERFACE
ipfw -q add 0900 allow tcp from any 9001 to $my_ip in recv $ext_if
ipfw -q add 1000 allow tcp from any 9030 to $my_ip in recv $ext_if
ipfw -q add 1100 allow tcp from $my_ip to any 9001 out xmit $ext_if
ipfw -q add 1200 allow tcp from $my_ip to any 9030 out xmit $ext_if
ipfw -q add 1210 allow tcp from $my_ip to any 53 out setup keep-state via $ext_if
ipfw -q add 1220 allow udp from $my_ip to any 53 out keep-state via $ext_if
ipfw -q add 1300 deny all from any to any in via $ext_if
ipfw -q add 1400 allow udp from $my_ip to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from $my_ip to any 67 out keep-state via $ext_if
ipfw -q add 2000 allow tcp from $my_ip to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from $my_ip to any 443 out setup keep-state via $ext_if
ipfw -q add 2200 deny all from any to any via $ext_if
#INTERNAL INTERFACE
ipfw -q add 2300 allow tcp from 10.1.1.0/24 to 10.1.1.1 1234 in via $int_if
ipfw -q add 2400 allow tcp from 10.1.1.1 1234 to 10.1.1.0/24 out via $int_if
ipfw -q add 2500 allow tcp from 10.1.1.1 445 to 10.1.1.0/24 out via $int_if
ipfw -q add 2600 allow tcp from 10.1.1.1 139 to 10.1.1.0/24 out via $int_if
ipfw -q add 2700 allow udp from 10.1.1.1 138 to 10.1.1.0/24 out via $int_if
ipfw -q add 2800 allow udp from 10.1.1.1 137 to 10.1.1.0/24 out via $int_if
ipfw -q add 2900 allow tcp from 127.0.0.1 9050 to 10.1.1.0/24 out via $int_if
ipfw -q add 3000 allow udp from 127.0.0.1 9053 to 10.1.1.0/24 out via $int_if
ipfw -q add 3100 deny all from any to any out via $int_if
ipfw -q add 3200 allow udp from 10.1.1.0/24 to any 68 in keep-state via $int_if
ipfw -q add 3300 allow udp from 10.1.1.0/24 to any 67 in keep-state via $int_if
ipfw -q add 3400 allow tcp from 10.1.1.0/24 to any 53 in setup keep-state via $int_if
ipfw -q add 3500 allow udp from 10.1.1.0/24 to any 53 in keep-state via $int_if
ipfw -q add 3600 allow tcp from 10.1.1.0/24 to any 80 in setup keep-state via $int_if
ipfw -q add 3700 allow tcp from 10.1.1.0/24 to any 443 in setup keep-state via $int_if
ipfw -q add 3800 allow tcp from 10.1.1.0/24 to 10.1.1.1 445 in via $int_if
ipfw -q add 3900 allow tcp from 10.1.1.0/24 to 10.1.1.1 139 in via $int_if
ipfw -q add 4000 allow udp from 10.1.1.0/24 to 10.1.1.1 137 in via $int_if
ipfw -q add 4100 allow udp from 10.1.1.0/24 to 10.1.1.255 137 in via $int_if
ipfw -q add 4200 allow tcp from 10.1.1.0/24 to 10.1.1.1 dst-port 8080 in setup keep-state via $int_if
ipfw -q add 4300 deny all from any to any via $int_if
#BLOCKING
ipfw -q add 4400 deny all from 10.0.0.0/8 to any
ipfw -q add 4500 deny all from any to 10.0.0.0/8
ipfw -q add 4600 deny all from 192.168.0.0/16 to any
ipfw -q add 4700 deny all from any to 192.168.0.0/16
ipfw -q add 4800 deny all from 172.16.0.0/16 to any
ipfw -q add 4900 deny all from any to 172.16.0.0/16
ipfw -q add 5000 deny all from 172.17.0.0/16 to any
ipfw -q add 5100 deny all from any to 172.17.0.0/16
ipfw -q add 5200 deny all from 172.18.0.0/16 to any
ipfw -q add 5300 deny all from any to 172.18.0.0/16
ipfw -q add 5400 deny all from 172.19.0.0/16 to any
ipfw -q add 5500 deny all from any to 172.19.0.0/16
ipfw -q add 5600 deny all from 172.20.0.0/16 to any
ipfw -q add 5700 deny all from any to 172.20.0.0/16
ipfw -q add 5800 deny all from 172.21.0.0/16 to any
ipfw -q add 5900 deny all from any to 172.21.0.0/16
ipfw -q add 6000 deny all from 172.22.0.0/16 to any
ipfw -q add 6100 deny all from any to 172.22.0.0/16
ipfw -q add 6200 deny all from 172.23.0.0/16 to any
ipfw -q add 6300 deny all from any to 172.23.0.0/16
ipfw -q add 6400 deny all from 172.24.0.0/16 to any
ipfw -q add 6500 deny all from any to 172.24.0.0/16
ipfw -q add 6600 deny all from 172.25.0.0/16 to any
ipfw -q add 6700 deny all from any to 172.25.0.0/16
ipfw -q add 6800 deny all from 172.26.0.0/16 to any
ipfw -q add 6900 deny all from any to 172.26.0.0/16
ipfw -q add 7000 deny all from 172.27.0.0/16 to any
ipfw -q add 7100 deny all from any to 172.27.0.0/16
ipfw -q add 7200 deny all from 172.28.0.0/16 to any
ipfw -q add 7300 deny all from any to 172.28.0.0/16
ipfw -q add 7400 deny all from 172.29.0.0/16 to any
ipfw -q add 7500 deny all from any to 172.29.0.0/16
ipfw -q add 7600 deny all from 172.30.0.0/16 to any
ipfw -q add 7700 deny all from any to 172.30.0.0/16
ipfw -q add 7800 deny all from 172.31.0.0/16 to any
ipfw -q add 7900 deny all from any to 172.31.0.0/16
ipfw -q add 8000 deny all from any to any
Eventually, I may put the per-interface rules in other files and just paste the paths in the main file.
E.g.:
Code:
ipfw -q -f flush
# per-interface rule files, read into this script with "." (sh source)
. /etc/ipfw.re0.conf
. /etc/ipfw.igb0.conf
. /etc/ipfw.iwn0.conf
ipfw -q add deny all from any to any
Also, I would have to change all the files.
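One way to avoid the duplicated block without splitting the ruleset into files: wrap the internal-interface rules in a shell function that takes the interface, its subnet, the firewall's address on it and a starting rule number, then call it once per LAN. This is an added example, not the poster's script; it covers a condensed subset of the #INTERNAL INTERFACE rules (Samba, DHCP, DNS, web, and the closing deny), and the wifi interface name iwn0 and its 10.1.2.0/24 addressing are assumed values.

```shell
#!/bin/sh
# Added example, not the poster's script: one function emits the
# "#INTERNAL INTERFACE" rules for whichever interface it is handed, so the
# wired (igb0) and wifi LANs share one rule body instead of a pasted copy.
# Assumed: the wifi card is iwn0 on its own subnet 10.1.2.0/24 with the
# firewall at 10.1.2.1 (constructed values, adjust to your addressing).
IPFW="${IPFW:-ipfw}"      # set IPFW=echo to print rules without loading them

# internal_rules IFACE LAN GATEWAY BASE
# Condensed version of the poster's internal rules for IFACE, numbered from
# BASE in steps of 10. Every rule carries "via IFACE", so the closing deny
# of one interface cannot swallow traffic belonging to the other.
internal_rules() {
    iface="$1"; lan="$2"; gw="$3"; n="$4"
    # Samba: SMB (445), NetBIOS session (139) and name/datagram (137/138)
    "$IPFW" -q add "$n" allow tcp from "$lan" to "$gw" 445,139 in via "$iface"; n=$((n + 10))
    "$IPFW" -q add "$n" allow tcp from "$gw" 445,139 to "$lan" out via "$iface"; n=$((n + 10))
    "$IPFW" -q add "$n" allow udp from "$lan" to "$gw" 137,138 in via "$iface"; n=$((n + 10))
    "$IPFW" -q add "$n" allow udp from "$gw" 137,138 to "$lan" out via "$iface"; n=$((n + 10))
    # Anything the firewall sends out that was not allowed above is dropped
    "$IPFW" -q add "$n" deny all from any to any out via "$iface"; n=$((n + 10))
    # LAN clients: DHCP, DNS and web, stateful so the replies get back out
    "$IPFW" -q add "$n" allow udp from "$lan" to any 67,68 in keep-state via "$iface"; n=$((n + 10))
    "$IPFW" -q add "$n" allow udp from "$lan" to any 53 in keep-state via "$iface"; n=$((n + 10))
    "$IPFW" -q add "$n" allow tcp from "$lan" to any 53,80,443 in setup keep-state via "$iface"; n=$((n + 10))
    # Default deny for this interface only
    "$IPFW" -q add "$n" deny all from any to any via "$iface"
    NEXT_BASE=$(( (n / 100 + 1) * 100 ))   # next free hundred, for the next LAN
}

# Both LANs from one rule body; 2300 matches the poster's numbering.
load_internal_rules() {
    internal_rules igb0 10.1.1.0/24 10.1.1.1 2300
    internal_rules iwn0 10.1.2.0/24 10.1.2.1 "$NEXT_BASE"
}

# Only talk to the real ipfw when it exists and we are root.
if [ "$IPFW" = ipfw ] && command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    load_internal_rules
fi
```

Run it with IPFW=echo first to review the generated rule list before loading it into the live firewall.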