From owner-freebsd-stable Tue Feb 27 10:39:15 1996 Return-Path: owner-stable Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA11161 for stable-outgoing; Tue, 27 Feb 1996 10:39:15 -0800 (PST) Received: (from jmb@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA11155 for freebsd-stable; Tue, 27 Feb 1996 10:39:14 -0800 (PST) From: "Jonathan M. Bresler" Message-Id: <199602271839.KAA11155@freefall.freebsd.org> Subject: ipfw comments To: freebsd-stable Date: Tue, 27 Feb 1996 10:39:14 -0800 (PST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-stable@FreeBSD.ORG Precedence: bulk i want to able to filter on both incoming and outgoing interfaces. if0 is accounting if1 is engineering if2 is marketing no traffic from marketing to engineering allow traffic from engineering to marketing allow traffic from marketing to accounting allow traffic from accounting to marketing allow traffic from accounting to engineering allow traffic from engineering to marketing this can be done using ip addresses (or ranges) but specifying interfaces is easier, and i wont let me forget any (sub)nets it does not seems to be possible to filter on both interfaces from the strawman. this may be a real bear to implement in the kernel only after the route is chosen can the rule be applied. the packet has to carry around information regarding which interface it arrived on. (ugh.) warning the following may be just "persnickitiness" on my part. actions: it is implied that all actions are mutually exclusive. "count" could be combined with any of the other actions. should state mall actions are mutually exclusive. count action: strawman says "counters are updated, but the rule doesnt match the packet, and the next rule is tried." man page says "update counters for all packets that match rule. The search continues with the next rule." this confuses me. i guess that "but the rule doesnt match" means that "count" is never the last rule applied. "rules are applied in numerical order until one of them matches the packet" implying that once a match occurs ipfw applies the actions specified in that rule and stops processing that packet. we dont want "count" to be a terminal rule, so it must not match, ever. this exception is needed because "count" cant be combined with any other action. should ipfw be changed to allow "count" to combine with any other action? we would then need a "continue" action to let us count all packets of a general type, some of which we will later drop, others we will accept. on the external interface: i want to count all inbound nnrp (but continue processing rules) i want to accept and count inbound nnrp from allowed news readers i want to drop, cound and log all other nnrp packets should should "count" be a modifier like "syslog"? not an action like "accept". -- Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/