From owner-freebsd-arch Wed Nov 24 13:51:47 1999
Delivered-To: freebsd-arch@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 6C165152EE for ; Wed, 24 Nov 1999 13:51:44 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id WAA10173 for ; Wed, 24 Nov 1999 22:51:27 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id WAA36054 for freebsd-arch@freebsd.org; Wed, 24 Nov 1999 22:51:21 +0100 (MET)
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 1194515487; Wed, 24 Nov 1999 13:51:06 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA69731; Thu, 25 Nov 1999 08:46:19 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA25984; Thu, 25 Nov 1999 08:48:11 +1100 (EST)
Message-Id: <199911242148.IAA25984@tungsten.austclear.com.au>
X-Mailer: exmh version 2.0.1 12/23/97
To: ipfw@freebsd.org, arch@freebsd.org
Subject: Re: new IPFW
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 25 Nov 1999 08:48:10 +1100
From: Tony Landells
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

One of the things that would be a minor prettiness improvement (hmm, I wonder if I should TM that?)...

At the moment I have rule numbers on every rule in rc.firewall because I want to start all my "groups" of rules at a boundary (like multiples of 10000 for "major" groups, and multiples of 1000 for "minor" groups). I didn't want to do it with numbers on every rule, but there didn't seem to be many alternatives:

- if I just put "$ipfw add 10000 ..." for each rule in the group, then they all get the exact same number
- if I use "skipto" to set line numbers every so often, then I get crap I don't want in the rulesets
- if I put the line number on the first line in each group, then I have to actually pay attention when I'm debugging a new ruleset as to where I've commented out lines, or inserted/deleted the first line in a group--that's way too hard ;-)

I'd be much happier with something in ipfw that just marked the next line number to be used, preferably in a way that I could get it to move to the next "grouping"--like "set the next rule number to the next multiple of 1000".

Such a thing may fall out of going to a more procedural layout, because you could have:

    rules rfc1918 {
        # filter out and log any RFC 1918 addresses
        add deny log ...
        add deny log ...
    };

and then say something like "add rfc1918 ..." or whatever.

Of course, I guess I could achieve the same effect by using a shell variable and a few functions in rc.firewall...

Tony

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
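The "shell variable and a few functions" approach the post ends on, written out as an added example. This is not code from the original message or from FreeBSD's rc.firewall; it assumes a POSIX sh with $(( )) arithmetic, and $fwcmd, which would be /sbin/ipfw on a real firewall, is bound here to a stub that only records the command line so the script runs anywhere. The interface name fxp0 and the sample rules are constructed for illustration. A counter gives each rule its own number, and group rounds the counter up to the next multiple of 1000 or 10000 so commenting out or inserting a rule never changes where a group starts.

```shell
#!/bin/sh
# Added example: rule numbering for rc.firewall via a shell counter.
# Assumption: $fwcmd is /sbin/ipfw on a real host; here it is a stub.

fwcmd=record_cmd          # replace with /sbin/ipfw on a real firewall
recorded=""               # constructed log of what ipfw would have been run with

record_cmd() {
    recorded="${recorded}$*
"
}

next_rule=100             # number the next add_rule will use
rule_step=10              # gap between consecutive rules inside a group

# round_up N B: print the smallest multiple of B that is >= N
round_up() {
    echo $(( ( $1 + $2 - 1 ) / $2 * $2 ))
}

# group B: start a new group at the next multiple of B
# (1000 for "minor" groups, 10000 for "major" groups, as in the post)
group() {
    next_rule=$(round_up "$next_rule" "$1")
}

# add_rule ARGS...: run "ipfw add <n> ARGS" with the current number, then
# advance the counter.  ipfw reserves 65535 for the default rule, so refuse
# to go past it rather than silently wrapping or failing inside ipfw.
add_rule() {
    if [ "$next_rule" -ge 65535 ]; then
        echo "add_rule: rule number $next_rule collides with the ipfw default rule" >&2
        return 1
    fi
    $fwcmd add "$next_rule" "$@"
    next_rule=$(( next_rule + rule_step ))
}

# Sample ruleset (constructed): an RFC 1918 anti-spoofing group on the
# outside interface, then a "major" group for the rest of the policy.
group 1000
add_rule deny log ip from 10.0.0.0/8 to any in via fxp0
add_rule deny log ip from 172.16.0.0/12 to any in via fxp0
add_rule deny log ip from 192.168.0.0/16 to any in via fxp0

group 10000
add_rule allow tcp from any to any established
add_rule allow ip from any to any via lo0

printf '%s' "$recorded"
```

With the counter starting at 100, the first group lands on 1000, 1010 and 1020, and the second on 10000 and 10010; leaving a gap of rule_step between rules keeps room for an ad hoc "ipfw add 1015 ..." while debugging without renumbering anything. If a group grows past the next boundary the following group simply rounds up to the boundary after that, which is the behaviour the post asks for; if that matters for a given layout, check the final value of next_rule after loading.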