Date: Sat, 19 Jun 1999 23:14:10 -0400 (EDT)
From: "Brian F. Feldman"
To: Julian Elischer
Cc: Dag-Erling Smorgrav, Doug Rabson, Ruslan Ermilov, ugen@xonix.com, hackers@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: Firewalls (was Re: Introduction)

On Sat, 19 Jun 1999, Julian Elischer wrote:

> As a contributor to ipfw, notice that I will be sticking my oar into the
> water when it comes to deleting it unless I'm very sure that the ipf stuff
> is better. Unless you're Danish you don't just get to delete bits of the
> tree without a lot of agreement, especially from those who are working on
> it.. (in this case luigi and I would both be extremely interested).

Deleting IPFW would be a _long_ time from now, if at all. What it looks like
now is:
	1. making ipf and ipfw equivalent in functionality
	2. cleaning up both
	3. MAYBE starting a brand new firewall project
I wasn't planning on trying to rip something out from under anyone :)

> On Sat, 19 Jun 1999, Brian F. Feldman wrote:
>
> > On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> >
> > > "Brian F. Feldman" writes:
> > > > It might be worth (discussion of) making ipfilter the firewall of
> > > > choice for 4.0. There would of course be rule conversion
> > > > scripts/programs (ipfw->ipf(5)), and ipfilter would be converted to
> > > > a KLD, cruft removed (I'm going to work on these), and ipfilter KLD
> > > > support (currently options IPFILTER_LKM) made a non-option. It seems
> > > > that our pretty proprietary ipfw is no longer a good idea.
> > >
> > > If ipfilter can do everything ipfw can (judging from ipf(5), it can)
> > > and you even manage to keep an ipfw(8) command around so those who
> > > want to keep using the old syntax still can, then I for one have no
> > > objections.
> > >
> > > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > > simple Perl script should be sufficient.
> >
> > Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> > to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> > takes effect. Plus, ipf doesn't have rule numbers (but there's similar functionality.)
> > If you think you can get used to them both enough to tackle this, I'll handle other
> > things, and we can have a working replacement for crufty old ipfw. Note that Luigi's
> > extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> > before everyone is necessarily willing to switch. I have a feeling there will be some
> > holdouts that, even if ipfw is removed, they'll MFS (merge from stable) ipfw back just
> > because they want to keep the old way. Ipfw could be dead for 4.0-RELEASE, as I see it
> > now. More discussion is, however, necessary.
> >
> > > DES
> > > --
> > > Dag-Erling Smorgrav - des@flood.ping.uio.no

 Brian Fundakowski Feldman
 green@FreeBSD.org
 FreeBSD: The Power to Serve!
 http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
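
The rule-order difference raised in the quoted discussion (first match wins in ipfw, last match wins in ipf) can be shown with a small model. This is an added example, not code from anyone in the thread or from either firewall; the `Rule` type, the sample ruleset, the packets and the default verdict are all constructed assumptions. It shows that copying a first-match list unchanged into a last-match evaluator lets a blocked host through, and that reversing the list restores the intended verdicts when every rule is a plain allow/deny.

```python
# Toy rule model for illustration; this is not ipfw(8) or ipf(5) syntax.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dport: Optional[int]   # destination port, None means any port

def matches(rule, src, dport):
    return ip_address(src) in ip_network(rule.src) and rule.dport in (None, dport)

def first_match(rules, src, dport, default="deny"):
    """First matching rule decides (the ipfw behaviour described in the thread)."""
    for rule in rules:
        if matches(rule, src, dport):
            return rule.action
    return default  # default verdict is an assumption of this model

def last_match(rules, src, dport, default="deny"):
    """Last matching rule decides (the ipf behaviour described in the thread)."""
    verdict = default
    for rule in rules:
        if matches(rule, src, dport):
            verdict = rule.action
    return verdict

def to_last_match(rules):
    """Reverse the list: the first match in the original is the last match in
    the result. Valid only when each rule is a plain final allow/deny."""
    return list(reversed(rules))

# Constructed sample ruleset, written for first-match evaluation.
RULES = [
    Rule("deny", "10.0.0.66/32", None),   # block one host entirely
    Rule("allow", "10.0.0.0/24", 22),     # ssh from the local net
    Rule("allow", "0.0.0.0/0", 80),       # web from anywhere
]
PACKETS = [("10.0.0.66", 80), ("10.0.0.66", 22), ("10.0.0.5", 22), ("192.0.2.1", 22)]

def compare(rules=RULES, packets=PACKETS):
    """Per packet: (packet, intended verdict, unchanged copy, reversed copy)."""
    conv = to_last_match(rules)
    return [(p, first_match(rules, *p), last_match(rules, *p), last_match(conv, *p))
            for p in packets]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Rules with side effects or non-terminal actions do not survive a plain reversal, so a real converter would have to handle those separately.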