Date: Sun, 20 Jun 1999 00:56:44 +0930
From: Ian West <ian@niw.com.au>
To: "Brian F. Feldman" <green@unixhelp.org>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Doug Rabson <dfr@nlsystems.com>, Ruslan Ermilov <ru@ucb.crimea.ua>, ugen@xonix.com, hackers@FreeBSD.org, luigi@FreeBSD.org
Subject: Re: Firewalls (was Re: Introduction)
Message-ID: <19990620005644.C29104@rose.niw.com.au>
In-Reply-To: <Pine.BSF.4.10.9906191105280.99153-100000@janus.syracuse.net>; from Brian F. Feldman on Sat, Jun 19, 1999 at 11:12:07AM -0400
References: <xzpvhck8cq8.fsf@flood.ping.uio.no> <Pine.BSF.4.10.9906191105280.99153-100000@janus.syracuse.net>
On Sat, Jun 19, 1999 at 11:12:07AM -0400, Brian F. Feldman wrote:
> On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> > "Brian F. Feldman" <green@unixhelp.org> writes:
> > > It might be worth (discussion of) making ipfilter the firewall of
> > > choice for 4.0. There would of course be rule conversion
> > > scripts/programs (ipfw->ipf(5)), and ipfilter would be converted to
> > > a KLD, cruft removed (I'm going to work on these), and ipfilter KLD
> > > support (currently options IPFILTER_LKM) made a non-option. It seems
> > > that our pretty proprietary ipfw is no longer a good idea.
> >
> > If ipfilter can do everything ipfw can (judging from ipf(5), it can)
> > and you even manage to keep an ipfw(8) command around so those who
> > want can keep using the old syntax still can, then I for one have no
> > objections.
> >
> > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > simple Perl script should be sufficient.
>
> Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> takes effect. Plus, ipf doesn't have rule numbers (but there's similar functionality.)
> If you think you can get used to them both enough to tackle this, I'll handle other
> things, and we can have a working replacement for crufty old ipfw. Note that Luigi's
> extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> before everyone is necessarily willing to switch. I have a feeling there will be some
> holdouts that, even if ipfw is removed, they'll MFS (merge from stable) ipfw back just
> because they want to keep the old way. Ipfw could be dead for 4.0-RELEASE, as I see it
> now. More discussion is, however, necessary.
>
> > DES
> > --
> > Dag-Erling Smorgrav - des@flood.ping.uio.no
>
> Brian Fundakowski Feldman
> green@FreeBSD.org
> FreeBSD: The Power to Serve!
> http://www.FreeBSD.org/

Does IP Filter now support per-interface filtering based on an IP address, not an interface name? This was the limitation I encountered last time I looked at it. Ran up against a few problems getting it to run nicely with user-ppp. (Can't remember how long ago that was exactly though, it may be fixed now, if so please ignore this :-)
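Brian's point that ipfw acts on the first matching rule while ipf acts on the last is the part an ipfw-to-ipf conversion script has to get right. The model below is added here and is not code from the thread, from ipfw or from ipf: it evaluates a toy rule list under both semantics and shows that copying rules across in the same order changes verdicts, whereas reversing the list (so that ipf's last match is ipfw's first match) or marking every rule `quick` (ipf's keyword for stop-at-this-rule behaviour, which the thread does not mention) preserves them. The `Rule` fields, the sample rules and packets, and the default policies passed in as parameters are all constructed for the example; the real ipfw(8) and ipf(5) grammars are not modelled.

```python
"""First-match (ipfw) versus last-match (ipf) rule evaluation.

Added example, not code from the mailing-list thread. The rule and
packet representation is a toy, not ipfw(8) or ipf(5) syntax.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR prefix; "0.0.0.0/0" means any
    dst: str                    # CIDR prefix; "0.0.0.0/0" means any
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False         # ipf 'quick': a match here ends evaluation

    def matches(self, pkt: Dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


def ipfw_verdict(rules: List[Rule], pkt: Dict, default: str) -> str:
    """ipfw semantics: the first matching rule decides; 'default' stands in
    for ipfw's terminal default rule (assumed to be passed in by the caller)."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def ipf_verdict(rules: List[Rule], pkt: Dict, default: str) -> str:
    """ipf semantics: the last matching rule decides, unless a matching rule
    carries 'quick', in which case evaluation stops there."""
    verdict = default
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


def naive_translation(ipfw_rules: List[Rule]) -> List[Rule]:
    """What a line-by-line script produces: same rules, same order, no 'quick'."""
    return list(ipfw_rules)


def convert_by_reversal(ipfw_rules: List[Rule]) -> List[Rule]:
    """Reversed order: ipf's last match over the reversed list is exactly
    ipfw's first match over the original list."""
    return list(reversed(ipfw_rules))


def convert_with_quick(ipfw_rules: List[Rule]) -> List[Rule]:
    """Same order, every rule 'quick': ipf then stops at the first match too."""
    return [replace(r, quick=True) for r in ipfw_rules]


def mistranslated(ipfw_rules: List[Rule], ipfw_default: str,
                  packets: List[Dict], ipf_default: str = "pass") -> List[Dict]:
    """Packets whose verdict changes under the naive translation. The ipf
    default of 'pass' for unmatched packets is an assumption of this model."""
    naive = naive_translation(ipfw_rules)
    return [p for p in packets
            if ipf_verdict(naive, p, ipf_default) != ipfw_verdict(ipfw_rules, p, ipfw_default)]


# Constructed ipfw-style rule set (evaluated first-match, default block).
IPFW_RULES = [
    Rule("pass", "tcp", "0.0.0.0/0", "10.0.0.5/32", 22),      # ssh to one host
    Rule("block", "tcp", "192.168.1.0/24", "0.0.0.0/0"),        # no other tcp from the LAN
    Rule("pass", "any", "192.168.1.0/24", "0.0.0.0/0"),         # everything else from the LAN
]
IPFW_DEFAULT = "block"

# Constructed packets.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.7", "dst": "10.0.0.5", "dport": 22},  # rule 1: pass
    {"proto": "tcp", "src": "192.168.1.7", "dst": "10.0.0.9", "dport": 80},  # rule 2: block
    {"proto": "udp", "src": "192.168.1.7", "dst": "10.0.0.5", "dport": 53},  # rule 3: pass
    {"proto": "tcp", "src": "172.16.0.1", "dst": "10.0.0.5", "dport": 80},   # no match: default
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "ipfw:", ipfw_verdict(IPFW_RULES, p, IPFW_DEFAULT),
              "naive ipf:", ipf_verdict(naive_translation(IPFW_RULES), p, "pass"),
              "reversed ipf:", ipf_verdict(convert_by_reversal(IPFW_RULES), p, IPFW_DEFAULT),
              "quick ipf:", ipf_verdict(convert_with_quick(IPFW_RULES), p, IPFW_DEFAULT))
```

Both conversions preserve verdicts only if the ipf default for unmatched packets is set to match the ipfw default rule, which is why the default is passed in explicitly rather than hard-coded; with the naive copy, the second packet flips from block to pass because the broader pass rule is evaluated last, and the fourth flips because no rule matches and the defaults differ.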