Date: Sun, 28 Mar 1999 15:48:36 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: jmb@hub.freebsd.org (Jonathan M. Bresler)
Cc: housley@frenchknot.ne.mediaone.net, noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Message-ID: <199903281348.PAA03730@labinfo.iet.unipi.it>
In-Reply-To: <19990328152846.B065314C14@hub.freebsd.org> from "Jonathan M. Bresler" at Mar 28, 99 07:28:27 am
> > should we add another instruction to ipfw
> >
> >     <action> <proto> between A and B ...
> >
> > to ease life in configuring firewalls ? Performance of a ruleset
> > will be only marginally improved, but having simpler rules will
> > indirectly make configurations more secure by reducing mistakes.
>
> i understand between to be a short cut that replaces "from A to B"
> and "from B to A".

functionally, yes. but it would map (and you would see) only a single
ipfw rule.

> i prefer the present syntax, it allows me to control who originates
> the connection.

"add" does not mean "replace"! the old syntax would still be valid.

> seems to me that the new syntax would not be used very frequently.
> most of my rules (27 of 30) have "any" as one endpoint. don't think
> that i want to use a "between" in combination with "any".

i guess this is just a matter of preference (or use!). eg you (?) said
to use "accept tcp from any to any estab" as a catchall for the reverse
path, (possibly because you want to allow connection opens only from
within your net ?) whereas i more frequently use bridge-based firewalls
to control some internal labs and paths are much more symmetric.

> seems to me that it's better to have people understand what they are
> configuring rather than make the configuration syntax hide the
> asymmetric nature of tcp.

it just makes life easier to the average user.

	cheers
	luigi
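To make the trade-off in the exchange above concrete, here is an added toy model (not ipfw's code, and not from either poster) of first-match rule evaluation. It compares the directional pair "allow tcp from A to B setup" plus "allow tcp from any to any established" against the proposed "between A and B" shorthand, expanded to two symmetric rules as Jonathan reads it. The hosts, the `Packet` class and the rule tuple layout are assumptions of the model.

```python
# Toy model of ipfw-style first-match evaluation (added illustration, not ipfw's code).
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    syn_only: bool  # True for a TCP connection open, i.e. what ipfw "setup" matches

def _match_addr(pattern, addr):
    return pattern == "any" or pattern == addr

def _match(rule, pkt):
    # rule layout (assumed): (action, proto, src, dst, flag) with flag in
    # {None, "setup", "established"}
    action, proto, src, dst, flag = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
        return False
    if flag == "setup":
        return pkt.syn_only
    if flag == "established":
        return not pkt.syn_only
    return True

def expand_between(action, proto, a, b):
    """Hypothetical 'between' keyword: the symmetric pair, with no direction flag."""
    return [(action, proto, a, b, None), (action, proto, b, a, None)]

def first_match(rules, pkt):
    """Action of the first matching rule; 'deny' if nothing matches (default deny)."""
    for rule in rules:
        if _match(rule, pkt):
            return rule[0]
    return "deny"

# Constructed sample: internal host A behind the firewall, external host B.
A, B = "10.0.0.5", "192.0.2.9"
asymmetric = [
    ("allow", "tcp", A, B, "setup"),                # only A may open connections
    ("allow", "tcp", "any", "any", "established"),  # catch-all for the reverse path
]
symmetric = expand_between("allow", "tcp", A, B)    # the proposed shorthand

open_from_a = Packet("tcp", A, B, True)   # A opens a connection to B
open_from_b = Packet("tcp", B, A, True)   # B tries to open one to A
reply_to_a = Packet("tcp", B, A, False)   # B's reply within A's connection
```

With the directional pair, only A can originate; the expanded "between" form lets either side open a connection, which is exactly the asymmetry the shorthand hides.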