From owner-freebsd-hackers Fri Dec 15 11:54:07 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA13943 for hackers-outgoing; Fri, 15 Dec 1995 11:54:07 -0800 (PST)
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA13932 for ; Fri, 15 Dec 1995 11:54:02 -0800 (PST)
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id UAA00783; Fri, 15 Dec 1995 20:50:23 +0100
From: Luigi Rizzo
Message-Id: <199512151950.UAA00783@labinfo.iet.unipi.it>
Subject: Re: Order of rules in ip_fw chain
To: nate@rocky.sri.MT.net (Nate Williams)
Date: Fri, 15 Dec 1995 20:50:22 +0100 (MET)
Cc: franky@pinewood.nl, nate@rocky.sri.MT.net, hackers@freebsd.org
In-Reply-To: <199512151639.JAA16535@rocky.sri.MT.net> from "Nate Williams" at Dec 15, 95 09:39:09 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@freebsd.org
Precedence: bulk

> > > Ugen was supposed to be working on this a while back. I agree that
> > > something should be done. His work was going to allow 'priority' based
> > > rules, which I agree would be a good thing. Either that or allow the
> > > rules to be listed in the same order in the kernel as they are added.
> >
> > Tell me more about 'priority' based rules, I don't grasp the basic idea
> > behind it (could be because it's Friday late-afternoon :-).
>
> Basically, with priority based rules, you attach a 'priority' on the
> rule which causes this rule to be placed above all other rules with
> a higher priority number. (I'm assuming that priority 0 is the highest

Priorities are nice, but kind of hard to implement. Moreover, an ordering
between rules with the same priority is still required to achieve a
deterministic *and* easily predictable behaviour.

What I do to set the firewall is to have a script like this

    ipfw -n flush
    ipfw -n policy deny
    ... filtering rules

Whenever I need, I modify the script and re-run it. Sure, there is a hole in
between the two commands where unwanted connections might get in, but the
probability is quite low *and* a simple change to the 'flush' command can
allow the firewall to set the default policy as well.

All in all, I would just try to make additions to the firewall chain be
stored in the same order as they are made.

> Finally, while I agree that not allowing the filtering rules is a good
> thing, I'm of the opinion that it's much better to allow changing it
> without having to reboot the system. I have a pretty good set of rules,
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
it is non-trivial to determine if the rules work, and especially to fix
unwanted behaviours, given the unknown addition order. Hopefully it is
deterministic.

	Luigi

====================================================================
Luigi Rizzo                         Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it           Universita' di Pisa
tel: +39-50-568533                  via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522                  http://www.iet.unipi.it/~luigi/
====================================================================
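The point argued in the message above (a first-match chain is only predictable when the walk order is defined, and a priority number alone does not settle the order of rules that share a priority) can be shown with a small model. The following Python is an added example for this archive page, not code from the thread or from FreeBSD's ip_fw; the names Rule, Chain, order_sensitive_pairs, site_chain and site_chain_with_priorities and the 10.0.0.0/8 rule set are all constructed for the illustration, and "priority 0 is the highest" is taken from the quoted assumption above.

```python
"""Toy first-match filter chain: why rule order must be deterministic.

Constructed example; it is not FreeBSD's ip_fw code. Rule, Chain and the
helper functions are hypothetical names chosen for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

_seq = count()  # global counter recording the order in which rules were added


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network, CIDR notation
    priority: int = 0  # thread's assumed convention: 0 is the highest priority
    seq: int = -1      # insertion sequence number, set by Chain.add


class Chain:
    """A list of rules plus the default policy used when nothing matches."""

    def __init__(self, policy="deny"):
        self.policy = policy
        self.rules = []

    def add(self, action, src, priority=0):
        self.rules.append(Rule(action, src, priority, next(_seq)))

    def flush(self):
        self.rules = []

    def ordered(self, mode):
        """Return the rules in the order a given kernel design would walk them."""
        if mode == "insertion":          # same order as the rules were added
            return sorted(self.rules, key=lambda r: r.seq)
        if mode == "reverse":            # one possible "unknown addition order"
            return sorted(self.rules, key=lambda r: -r.seq)
        if mode == "priority":           # priority first, insertion order as tie-break
            return sorted(self.rules, key=lambda r: (r.priority, r.seq))
        raise ValueError(mode)

    def evaluate(self, src_ip, mode="insertion"):
        """The first matching rule decides; otherwise the default policy applies."""
        addr = ip_address(src_ip)
        for rule in self.ordered(mode):
            if addr in ip_network(rule.src):
                return rule.action
        return self.policy


def order_sensitive_pairs(chain):
    """Rule pairs whose relative order changes the verdict: same priority,
    different actions, overlapping sources. Without a defined ordering
    between such rules the chain's behaviour is not predictable."""
    pairs = []
    rules = chain.rules
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if (a.priority == b.priority and a.action != b.action
                    and ip_network(a.src).overlaps(ip_network(b.src))):
                pairs.append((a.src, b.src))
    return pairs


def site_chain():
    """Constructed rule set: block one subnet, then admit the rest of 10/8."""
    chain = Chain(policy="deny")
    chain.add("deny", "10.1.2.0/24")
    chain.add("allow", "10.0.0.0/8")
    return chain


def site_chain_with_priorities():
    """Same intent expressed with priorities, added in the 'wrong' order."""
    chain = Chain(policy="deny")
    chain.add("allow", "10.0.0.0/8", priority=1)   # added first, lower priority
    chain.add("deny", "10.1.2.0/24", priority=0)   # added second, higher priority
    return chain


if __name__ == "__main__":
    chain = site_chain()
    for mode in ("insertion", "reverse"):
        print(mode, chain.evaluate("10.1.2.7", mode))   # deny vs. allow
    print("order-sensitive pairs:", order_sensitive_pairs(chain))
```

Walking the same two rules in insertion order denies 10.1.2.7 while walking them in reverse allows it, which is exactly why a reviewer cannot tell whether a rule set "works" when the kernel's addition order is unknown. The priority variant shows the fix Nate describes and the caveat Luigi adds: priority puts the deny first regardless of addition order, but the tie-break by insertion sequence is what keeps equal-priority overlapping rules deterministic; order_sensitive_pairs lists the pairs for which that tie-break matters.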