<div dir="ltr"><div class="gmail_default" style="font-size:small"><span style="font-family:verdana,sans-serif;color:rgb(0,0,0)"></span><font color="#9900ff" face="monospace, monospace">Hi Chuck,</font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace"></font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace">By default, the filters are joined with 'and', and currently 'or' can join a filter which is the same as the previous one. </font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace"><br></font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace">Technically we can enhance it by supporting different types of filter to make it more flexible.</font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace"><br></font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace">Regards,</font></div><div class="gmail_default" style="font-size:small"><font color="#9900ff" face="monospace, monospace">Bill Yuan</font></div><div class="gmail_default" style="font-size:small"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 November 2016 at 07:34, Chuck Musser <span dir="ltr"><<a href="mailto:cmusser@sonic.net" target="_blank">cmusser@sonic.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On Nov 25, 2016, at 5:38 AM, Bill Yuan <<a href="mailto:bycn82@gmail.com">bycn82@gmail.com</a>> wrote:<br>
><br>
> Hi Chuck,<br>
><br>
> Sorry for replying late. I was super busy recently.<br>
><br>
> Yes, the ipfw3 supports an 'or' block, and we can use 'or' to join all the filters, so your firewall rules can be shortened as:<br>
><br>
> ipfw3 add [rule number] allow tcp to 1.2.3.4 dst-port 22 or 80<br>
><br>
<br>
</span>Not late at all. Thanks for the response. I tried something similar to what you are describing, but then those<br>
services (HTTP and SSH) were not accessible. To isolate the problem, I've put together 2 minimal sets of rules<br>
that I think should be functionally identical, but aren't:<br>
<br>
Attempt #1 (non shortened), which works:<br>
<br>
# External address: SSH sessions originating from elsewhere<br>
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22<br>
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22<br>
<br>
# External address: HTTP sessions originating from elsewhere<br>
ipfw3 add 15 set 1 allow tcp to 1.2.3.4 dst-port 80<br>
ipfw3 add 22 set 1 allow tcp from 1.2.3.4 src-port 80<br>
<br>
# External address: DNS requests<br>
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53<br>
<br>
# External address: DNS responses<br>
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53<br>
<br>
<br>
Attempt #2 (shortened with "or"), which didn't:<br>
<br>
# External address: SSH or HTTP sessions originating from elsewhere<br>
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22 or 80<br>
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22 or 80<br>
<br>
# External address: DNS requests<br>
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53<br>
<br>
# External address: DNS responses<br>
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53<br>
<br>
Notes:<br>
<br>
1. I expected the combination of rules 10, 20, 15 and 22 from #1 to be equivalent to rules 10 and 20 from #2.<br>
2. Rules 30 and 35 in both examples are to allow DNS queries to flow. These work fine.<br>
<br>
</blockquote></div><br></div>
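<p>Since the unrolled form from Attempt #1 is the one that worked, here is a small sh script that generates that form from a list of ports instead of relying on <code>dst-port 22 or 80</code>. This is an added example, not code from the thread or from the ipfw3 project; the rule syntax is copied from Chuck's Attempt #1, while the address 1.2.3.4, set 1 and the step of 5 between rule numbers are assumptions for illustration. It only prints the commands; nothing here changes how ipfw3 parses 'or'.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from ipfw3): emit one ipfw3 rule per
# port and direction, the unrolled form from Attempt #1 that worked.
# Assumptions: address 1.2.3.4, set 1, and rule numbers stepping by 5.

# gen_tcp_rules BASE SET ADDR PORT...
# For each port, print one rule for inbound TCP to ADDR on that port and one
# for the return traffic from ADDR with that source port, numbering up from BASE.
gen_tcp_rules() {
    num=$1
    rset=$2
    addr=$3
    shift 3
    for port in "$@"; do
        printf 'ipfw3 add %s set %s allow tcp to %s dst-port %s\n' "$num" "$rset" "$addr" "$port"
        num=$((num + 5))
        printf 'ipfw3 add %s set %s allow tcp from %s src-port %s\n' "$num" "$rset" "$addr" "$port"
        num=$((num + 5))
    done
}

# gen_dns_rules BASE SET ADDR
# The two DNS rules from the thread (queries out, responses back), unchanged.
gen_dns_rules() {
    printf 'ipfw3 add %s set %s allow ip from %s dst-port 53\n' "$1" "$2" "$3"
    printf 'ipfw3 add %s set %s allow ip to %s src-port 53\n' "$(($1 + 5))" "$2" "$3"
}

# build_ruleset SET ADDR
# The whole ruleset for SSH, HTTP and DNS, lowest rule numbers first.
# Review the output, then apply it on the firewall host as root with
#   build_ruleset 1 1.2.3.4 | sh
build_ruleset() {
    gen_tcp_rules 10 "$1" "$2" 22 80
    gen_dns_rules 30 "$1" "$2"
}

# count_rules SET ADDR: number of rules the ruleset would add.
count_rules() {
    build_ruleset "$@" | wc -l | tr -d ' '
}

# Stand-alone run: print the ruleset for the assumed address and set.
build_ruleset 1 1.2.3.4
```

<p>Adding a service then means adding its port to the <code>gen_tcp_rules</code> call rather than hand-numbering four rules, and the generated text can be diffed against <code>ipfw3 list</code> output before it is applied.</p>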