Date: Thu, 15 Aug 1996 09:50:12 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Cc: hackers@freebsd.org
Subject: Re: ipfw vs ipfilter?
Message-ID: <199608142350.QAA03500@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.3.91.960815085157.6553D-100000@panda.hilink.com.au> from "Daniel O'Callaghan" at Aug 15, 96 09:02:33 am
In some mail from Daniel O'Callaghan, sie said:
[...]
> There are a couple of things which I prefer in ipfw-current over ipfilter:
> * The ability to number each rule and insert rules into the middle of the
>   rule table without the need for flush/re-install.

This is possible (and has been for some time), but perhaps not clearly
documented. For example, assuming you had (say) 30 or 40 rules for each
of input & output and wanted to add one for NTP at a particular point,
you can use a rule of the form:

@23 pass in on ed0 proto tcp/udp from any to any port = 123

to insert a new rule at position 23 for the input list of filters. Or you
might add it to your IP Filter configuration file and load it like this:

ipf -If new.conf -s

where it loads the new configuration into the "inactive" list and then
switches the active list to the new set. If you're making permanent
changes, then I'd recommend the latter (you do want to be sure you get
the same ruleset when you reboot, right?) and use the former for the
dynamic type thing.

[...]
> but I *do* like Poul-Henning's rule numbers in ipfw. Any chance of
> having numbered rules, Darren?

This reminds me of programming in BASIC, way back, when you needed to use
line numbers for GOTOs, etc, and eventually, you will run into the same
"problem" and need to renumber. I really don't see a win from this feature.

Darren
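The following is an added example and is not part of Darren's message or of the IP Filter project. It puts the two approaches from the message side by side in a POSIX sh script: `insert_rule_at` edits the persistent rules file so that a rule lands at the same per-direction position that an in-kernel `@N` prefix would give it (the kernel numbers only real rules, per list, so blank and comment lines are skipped and `in` rules are counted separately from `out` rules), and `activate_ruleset` performs the "load into the inactive list, then swap" sequence of `ipf -If new.conf -s`. The helper names, the sample ruleset and the assumption that the direction keyword (`in`/`out`) appears as a separate word on each rule line are mine; the ipf(8) flags used (`-n` dry run, `-I` inactive list, `-Fa` flush all, `-f` file, `-s` swap) are the documented ones.

```shell
#!/bin/sh
# Added example, not from the original message or the IP Filter sources.
# Assumptions: one rule per line in ipf.conf syntax, comments start with '#',
# and the direction keyword "in" or "out" is a separate word on the line.

# Print the Nth rule of direction DIR in FILE, numbered the way the kernel
# numbers that list after loading (comments and blank lines do not count).
nth_rule() {
    file=$1; n=$2; dir=$3
    awk -v n="$n" -v dir="$dir" '
        $0 !~ /^[ \t]*(#|$)/ && $0 ~ ("(^|[ \t])" dir "([ \t]|$)") {
            if (++k == n) { print; exit }
        }
    ' "$file"
}

# Write NEWFILE = FILE with RULE inserted so that it becomes rule number POS
# of the DIR list, i.e. the slot "@POS" would give it if loaded live.
# Rules that were at POS and later move down by one, exactly as they would
# in the kernel, which is the renumbering cost the message points at.
insert_rule_at() {
    file=$1; pos=$2; dir=$3; rule=$4; newfile=$5
    awk -v pos="$pos" -v dir="$dir" -v rule="$rule" '
        $0 !~ /^[ \t]*(#|$)/ && $0 ~ ("(^|[ \t])" dir "([ \t]|$)") {
            if (++n == pos) print rule      # new rule takes this slot
        }
        { print }                           # keep every original line
        END { if (n < pos) print rule }     # POS past the end: append
    ' "$file" > "$newfile"
}

# Make FILE the live ruleset the way "ipf -If new.conf -s" does, with two
# safety steps added: a dry run (-n) so a syntax error never reaches the
# kernel, and a flush of the inactive list (-I -Fa) so rules left there by
# an earlier load are not silently kept in front of the new ones.
# Returns 2 when ipf(8) is not installed, 1 on a parse error.
activate_ruleset() {
    file=$1
    command -v ipf >/dev/null 2>&1 || { echo "ipf(8) not found" >&2; return 2; }
    ipf -n -I -f "$file" || { echo "syntax error in $file" >&2; return 1; }
    ipf -I -Fa && ipf -I -f "$file" && ipf -s
}
```

Typical use: `insert_rule_at /etc/ipf.conf 23 in 'pass in on ed0 proto tcp/udp from any to any port = 123' /tmp/new.conf`, inspect `/tmp/new.conf`, then `activate_ruleset /tmp/new.conf` and copy it over the file your rc scripts load at boot, so the running and on-disk rulesets stay identical. Note that `ipf -I -f` appends to whatever is already in the inactive list; without the `-Fa` flush a stale copy of the old rules would precede the new ones after the swap.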