From owner-freebsd-current Sat Feb 3 12:49:40 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA28511 for current-outgoing; Sat, 3 Feb 1996 12:49:40 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA28503 for ; Sat, 3 Feb 1996 12:49:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.6.11/8.6.6) with SMTP id NAA13034; Sat, 3 Feb 1996 13:49:25 -0700
Message-Id: <199602032049.NAA13034@rover.village.org>
To: "Rodney W. Grimes"
Subject: Re: ip_fw ordering of rules..
Cc: current@freebsd.org
In-reply-to: Your message of Fri, 02 Feb 1996 16:49:09 PST
Date: Sat, 03 Feb 1996 13:49:25 -0700
From: Warner Losh
Sender: owner-current@freebsd.org
Precedence: bulk

: Enough said??? Can we remove the sorting PLEASE??

We aren't using IPFW right now because it reorders rules. This is completely *EVIL*, as Rod said, and our firewall marshal punted when he saw this feature of IPFW and went to IPFILT, which seems to have tied us to 1.1.5.1R, which isn't necessarily bad, but isn't necessarily good either...

Our rules right now look like:

    allow port 21 to ir
    allow port 25 to ir
    ...
    disallow all

which most sane people would consider means "Allow FTP and TELNET to ir, but nothing else is allowed at all." As far as we've been able to determine, IPFW doesn't allow this to work properly, and is therefore nearly useless as a firewall.

I agree with Rod. Let's take the sorting out!

Warner
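The complaint above is about evaluation order: a rule set like "allow 21 to ir / allow 25 to ir / deny all" only means what the author intends if rules are tried in the order written and the first match wins. The following is an added example, not part of the original message and not FreeBSD's ipfw code: a toy first-match filter that evaluates the message's rule set against a few constructed packets, then re-evaluates the same rules after a hypothetical reordering that moves the catch-all deny to the front, and reports which packets change verdict. The `Rule`/`Packet` types, the host name `ir` and the reordering function are illustrative assumptions; the reordering is not a claim about how ipfw actually sorted rules in 1996.

```python
# Added example (not from the original message or from FreeBSD's ipfw):
# a toy first-match packet filter showing why rule order is part of policy.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dst_port: Optional[int]      # None matches any port (catch-all)
    dst_host: Optional[str]      # None matches any host (catch-all)


@dataclass(frozen=True)
class Packet:
    dst_host: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains equals the packet's."""
    return ((rule.dst_port is None or rule.dst_port == pkt.dst_port) and
            (rule.dst_host is None or rule.dst_host == pkt.dst_host))


def first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Walk rules in list order; the first matching rule decides the verdict."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def catchall_first(rules: List[Rule]) -> List[Rule]:
    """Hypothetical reordering: stable-sort catch-all rules ahead of specific
    ones. Illustrative only; not how ipfw ordered rules."""
    return sorted(rules, key=lambda r: 0 if r.dst_port is None and r.dst_host is None else 1)


def order_sensitive(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Practitioner's check: which packets get a different verdict if the
    rule set is reordered? Any non-empty result means the policy depends on
    the order being preserved exactly as written."""
    reordered = catchall_first(rules)
    return [p for p in packets if first_match(rules, p) != first_match(reordered, p)]


# The rule set quoted in the message ("ir" is the host name used there).
RULES = [
    Rule("allow", 21, "ir"),
    Rule("allow", 25, "ir"),
    Rule("deny", None, None),
]

# Constructed sample traffic, not captured data.
PACKETS = [
    Packet("ir", 21),       # FTP to ir: intended to be allowed
    Packet("ir", 25),       # SMTP to ir: intended to be allowed
    Packet("ir", 23),       # telnet to ir: no allow rule, hits deny all
    Packet("other", 21),    # FTP to a different host: hits deny all
]


def verdicts(rules: List[Rule]) -> dict:
    return {(p.dst_host, p.dst_port): first_match(rules, p) for p in PACKETS}


if __name__ == "__main__":
    print("as written:     ", verdicts(RULES))
    print("catch-all first:", verdicts(catchall_first(RULES)))
    print("order-sensitive:", order_sensitive(RULES, PACKETS))
```

Run as written, the two allow rules are reachable and everything else falls through to the deny; with the catch-all moved first, every packet is denied, so the two intended allows are exactly the packets `order_sensitive` reports. The same walk applies to any first-match filter: a rule is only meaningful relative to the rules that precede it.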