Date: Sat, 26 Aug 2000 03:07:27 -0500 (CDT)
From: Doug Lee
To: freebsd-questions@freebsd.org
Subject: Firewall rule tags

Apologies in advance if there's a better place to ask this. Perhaps it belongs in FreeBSD-Current, but I haven't started following that list (yet).

Would it not be very useful and not that expensive to add a "tag" capability to ipfw/ip6fw? Example usage:

    ipfw add deny log ip from any to any 23 tag "telnet"

Then the log output might include "tag telnet." This would permit better log parsing without depending on rule numbers, which can all shift instantly on the addition of a new rule. As I imagine it, tags need not be unique.

The tag syntax could also be made to work on other subcommands of ipfw:

    ipfw delete|zero|resetlog tag telnet
    ipfw list|show tag telnet

would act on all rules with the given tag. I'm not sure if it would be useful to include the tag syntax on ipfw queue or pipe lines, having never used those. I also haven't fully thought through the idea of how tags should work with dynamic rules; it would seem a dynamic rule would either get no tag or get the tag of the rule that created it.

I have started experimenting with adding this capability to my installation of FreeBSD 4.1-STABLE, but I want to know if I'm the only one who finds the idea intriguing...
I'd finish experimenting before asking, but I'm going out of town for the weekend and figure it would be nice to know when I get back whether my experiments are likely to net something more widely useful. My first version will only support tag creation and logging, not delete/zero/resetlog/list/show with tag numbers.

If this tag idea is interesting to many, it might constitute my first code contribution to FreeBSD, which would be cool. :-)

-- 
Doug Lee dgl@visi.com http://www.visi.com/~dgl
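The log-parsing problem the mail describes, as an added example that is not part of the original post and is not FreeBSD code: a small Python parser for ipfw syslog lines that labels each hit by the proposed tag when one is present and falls back to a rule-number map otherwise. It assumes the line format ipfw used on FreeBSD 4.x ("ipfw: <rule> <Action> <proto> <src> <dst> in|out via <iface>", optionally followed by "Fragment = N"); the "tag <name>" suffix is a hypothetical placement, since the mail does not say where in the log line the tag would appear. The sample log lines, the host name and the rule-number map are all constructed for the example.

```python
"""Label ipfw log hits by rule tag instead of by rule number.

Added example; not code from the mail or from FreeBSD. Assumes the syslog
line format ipfw used on FreeBSD 4.x ("ipfw: <rule> <Action> <proto> <src>
<dst> in|out via <iface>", optionally followed by "Fragment = N") plus a
hypothetical "tag <name>" suffix where the proposal might put it.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample, not real syslog output. Lines 1-2 were logged while the
# telnet deny was rule 300; a later insertion put an ICMP deny at 300 and moved
# the telnet deny to 400 (lines 3-5). Only lines 4-5 carry the proposed tag.
SAMPLE_LOG = """\
Aug 26 03:00:01 kirk /kernel: ipfw: 300 Deny TCP 10.1.2.3:4321 192.168.1.5:23 in via fxp0
Aug 26 03:00:02 kirk /kernel: ipfw: 300 Deny TCP 10.1.2.3:4322 192.168.1.5:23 in via fxp0
Aug 26 03:05:00 kirk /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.1.5 in via fxp0
Aug 26 03:10:00 kirk /kernel: ipfw: 400 Deny TCP 10.1.2.3:4323 192.168.1.5:23 in via fxp0 tag telnet
Aug 26 03:10:01 kirk /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.1.5 in via fxp0 tag ping
"""

# Stale rule-number map (constructed): written when 300 was the telnet deny.
RULE_NAMES: Dict[int, str] = {300: "telnet"}


def parse_ipfw_line(line: str) -> Optional[dict]:
    """Parse one syslog line carrying an ipfw report; None if it is not one."""
    tokens = line.split()
    if "ipfw:" not in tokens:
        return None
    i = tokens.index("ipfw:")
    try:
        rule = int(tokens[i + 1])
        action, proto, src, dst, direction, via, iface = tokens[i + 2:i + 9]
    except (IndexError, ValueError):
        return None
    if via != "via" or direction not in ("in", "out"):
        return None
    # TCP/UDP reports carry "addr:port"; ICMP reports carry "ICMP:type.code"
    # in the proto field and bare addresses.
    sport = dport = None
    if proto in ("TCP", "UDP"):
        src, sport = src.rsplit(":", 1)
        dst, dport = dst.rsplit(":", 1)
    # Hypothetical "tag <name>" suffix from the proposal. Scan the trailer so
    # an intervening "Fragment = N" (which ipfw does emit) does not matter.
    tag = None
    trailer = tokens[i + 9:]
    if "tag" in trailer:
        j = trailer.index("tag")
        if j + 1 < len(trailer):
            tag = trailer[j + 1]
    return {"rule": rule, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "dir": direction,
            "iface": iface, "tag": tag}


def label(entry: dict, rule_names: Dict[int, str], prefer_tag: bool) -> str:
    """Human label: the tag if present and wanted, else the number map, else rule-N."""
    if prefer_tag and entry["tag"]:
        return entry["tag"]
    return rule_names.get(entry["rule"], "rule-%d" % entry["rule"])


def summarize(lines: Iterable[str], rule_names: Dict[int, str],
              prefer_tag: bool = True) -> Dict[str, int]:
    """Count ipfw hits per label over a stream of syslog lines."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_ipfw_line(line)
        if entry is not None:
            counts[label(entry, rule_names, prefer_tag)] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Number-based labelling trusts the stale map: the ping hit at 300 is
    # reported as telnet and the real telnet hit at 400 is unnamed.
    print("by rule number:", summarize(lines, RULE_NAMES, prefer_tag=False))
    # Tag-based labelling reads the intent the rule author attached.
    print("by tag:        ", summarize(lines, RULE_NAMES, prefer_tag=True))
```

The two summaries show the failure mode the mail is about: the number-based map is only correct for as long as the ruleset it was written against survives, whereas a tag travels with each report and needs no out-of-band mapping. Untagged lines still fall back to the map, so a parser like this can be deployed before every rule carries a tag.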