Date: Wed, 24 Dec 2003 06:26:50 -0800 From: Luigi Rizzo <rizzo@icir.org> To: freebsd-hackers@freebsd.org Subject: Re: natd + ipfw question Message-ID: <20031224062650.A35575@xorpc.icir.org> In-Reply-To: <20031224133945.GA74426@ussenterprise.ufp.org>; from bicknell@ufp.org on Wed, Dec 24, 2003 at 08:39:45AM -0500 References: <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org> <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org> <20031224133945.GA74426@ussenterprise.ufp.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 24, 2003 at 08:39:45AM -0500, Leo Bicknell wrote: ... > Now that I've used IPFW2 for something more complicated than simple > host filtering I see that the syntax and structure makes something > like a firewall/nat box for any moderately interesting config way > too complicated with way too many pitfalls. This whole "the packet > may hit your rule between 0 and 4 times, depending on a pile of > stuff" just doesn't fly, and add in the need for "one_pass=0" to > make dummynet traffic shaping work right, which adds some complication honestly, i think you are mispresenting things. How many times you hit a rule depends on your ruleset, with any firewall -- in fact, a ruleset is no different from a program and if you want to do something useful with a program you probably need to write slightly more than printf("hello world"); with a correspondingly increased chance for putting in bugs. And you normally use "one_pass=1" only when you want to build complex firewall structures involving multiple pipes, or doing dummynet filtering before natd (for which there is a better way given that you can operate on both the input and output path). I believe that what you want is not a better config language, but some default rulesets that you can customize by simply putting in your addresses (more or less). cheers luigi > to the firewall rules and things are just all kinds of strange. > > That's no knock on the authors, backwards compatability is important, > and a lot has been grafted onto IPFW since it started (like divert/nat > and the dummynet stuff). I'll strongly recomend though that IPFW3 > have a whole new, from the ground up, redesigned config language. > :) And yes, I'm willing to help. > > -- > Leo Bicknell - bicknell@ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ > Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031224062650.A35575>