From: Sebastien Petit
To: Sam Tannous, rizzo@aciri.org
Cc: net@freebsd.org
Subject: Re: Ethernet Firewall for FreeBSD-4.4
Date: Thu, 13 Dec 2001 01:13:00 +0100
Message-Id: <20011212231410.A996DBA85@sbserv0.intra.selectbourse.net>
In-Reply-To: <20011212173538.N28904@cisco.com>
References: <20011203211222.DA4386ACF@vega.bsdshell.net> <20011212173538.N28904@cisco.com>

On Wednesday 12 December 2001 23:35, Sam Tannous wrote:
> I've downloaded the ethfw patches (v1.2) and they work fine
> on my 4.4 system. One other good reason to add ethfw
> to the existing ipfw code (and this is purely subjective)
> is that it would look more like ipfw:
>
> 00100 27 1144 allow ip from any to any
>
> looks nicer than
>
> [ 50] REJ VLAN ANY -> ANY < in/out all
>
>
> (I really miss having the little counters too.)
>

Accounting and other features are for the next release of ethfw.

> On a more practical level, the configs, code,
> man pages, logs, etc....would all be in one place.
> They really belong together...perhaps change the name to
> simply "fw" ;-)

My point of view is the same as Luigi's and yours.
So Luigi is very busy for the moment due to the polling code vs interrupts but he says that we can do this job current January probably. A unified interface is the best solution and I hope this can be done; this comment is perhaps applicable to ip6fw too.

>
> (I do a lot of work in protocol emulation/testing
> that uses divert and dummynet. I would be spending
> way too much money on test gear if I didn't have these)

Yes, you're right.

> On Mon, Dec 03, 2001 at 10:06:35PM +0100, Sebastien Petit wrote:
> On Monday 03 December 2001 21:28, Luigi Rizzo wrote:
> > Sebastien,
> > this is a personal point of view, and I know that people think
> > differently, but I believe it would be a lot more interesting if
> > you would design ethfw as an add-on for ipfw as opposed to a separate
> > thing. Not only it would remove some replication from the code (all
> > [sg]etsockopt, basically), but would also make its adoption easier
> > to people who already use ipfw. In fact, a very preliminary
> > incarnation of ethernet matching was already in ipfw some time ago.
> >
> > I am a strong supporter of a unified interface for
> > firewall functions.
>
> Luigi,

Regards,
Sebastien.
--
The HUT Project http://www.bsdshell.net/
spe@bsdfr.org