Date:      Wed, 24 Dec 2003 06:26:50 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: natd + ipfw question
Message-ID:  <20031224062650.A35575@xorpc.icir.org>
In-Reply-To: <20031224133945.GA74426@ussenterprise.ufp.org>; from bicknell@ufp.org on Wed, Dec 24, 2003 at 08:39:45AM -0500
References:  <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org> <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org> <20031224133945.GA74426@ussenterprise.ufp.org>

On Wed, Dec 24, 2003 at 08:39:45AM -0500, Leo Bicknell wrote:
...
> Now that I've used IPFW2 for something more complicated than simple
> host filtering I see that the syntax and structure makes something
> like a firewall/nat box for any moderately interesting config way
> too complicated with way too many pitfalls. This whole "the packet
> may hit your rule between 0 and 4 times, depending on a pile of
> stuff" just doesn't fly, and add in the need for "one_pass=0" to
> make dummynet traffic shaping work right, which adds some complication

honestly, i think you are misrepresenting things.
How many times you hit a rule depends on your ruleset, with
any firewall -- in fact, a ruleset is no different from a
program and if you want to do something useful with a program
you probably need to write slightly more than printf("hello world");
with a correspondingly increased chance for putting in bugs.
And you normally use "one_pass=1" only when you want to build
complex firewall structures involving multiple pipes, or doing
dummynet filtering before natd (for which there is a better
way given that you can operate on both the input and output path).

I believe that what you want is not a better config language,
but some default rulesets that you can customize by
simply putting in your addresses (more or less).

	cheers
	luigi

> to the firewall rules and things are just all kinds of strange.
> 
> That's no knock on the authors, backwards compatibility is important,
> and a lot has been grafted onto IPFW since it started (like divert/nat
> and the dummynet stuff).  I'll strongly recommend though that IPFW3
> have a whole new, from the ground up, redesigned config language.
> :)  And yes, I'm willing to help.
> 
> -- 
>        Leo Bicknell - bicknell@ufp.org - CCIE 3440
>         PGP keys at http://www.ufp.org/~bicknell/
> Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031224062650.A35575>