Date:      Fri, 15 Dec 1995 20:50:22 +0100 (MET)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        nate@rocky.sri.MT.net (Nate Williams)
Cc:        franky@pinewood.nl, nate@rocky.sri.MT.net, hackers@freebsd.org
Subject:   Re: Order of rules in ip_fw chain
Message-ID:  <199512151950.UAA00783@labinfo.iet.unipi.it>
In-Reply-To: <199512151639.JAA16535@rocky.sri.MT.net> from "Nate Williams" at Dec 15, 95 09:39:09 am

> > > Ugen was supposed to be working on this a while back.  I agree that
> > > something should be done.  His work was going to allow 'priority' based
> > > rules, which I agree would be a good thing.  Either that or allow the
> > > rules to be listed in the same order in the kernel as they are added.
> >
> > Tell me more about 'priority' based rules, I don't grasp the basic idea
> > behind it (could be because it's Friday late-afternoon :-).
> 
> Basically, with priority based rules, you attach a 'priority' on the
> rule which causes this rule to be placed above all other rules with
> a higher priority number.  (I'm assuming that priority 0 is the highest

Priorities are nice, but kind of hard to implement. Moreover, an
ordering between rules with the same priority is still required to
achieve a deterministic *and* easily predictable behaviour.

What I do to set the firewall is to have a script like this

	ipfw -n flush
	ipfw -n policy deny
	... filtering rules

Whenever I need, I modify the script and re-run it.  Sure, there
is a hole in between the two commands where unwanted connections
might get in, but the probability is quite low *and* a simple change
to the 'flush' command can allow the firewall to set the default
policy as well.

All in all, I would just try to make additions to the firewall chain be
stored in the same order as they are made.

> Finally, while I agree that not allowing the filtering rules is a good
> thing, I'm of the opinion that it's much better to allow changing it
> without having to reboot the system.  I have a pretty good set of rules,
					^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

it is non-trivial to determine if the rules work, and especially
to fix unwanted behaviours, given the unknown addition order.
Hopefully it is deterministic.

	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================
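As an added illustration (not part of Luigi's message, and not ipfw's code or rule syntax), the following toy first-match chain in Python shows the two points the message makes: the same two rules stored in a different order give a different verdict for the same packet, and while the chain is empty between the `flush` and the `policy` command only the default policy stands between the host and incoming traffic. The rule fields, the `Rule` class, the helper functions and the sample packet are all constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Added illustration of first-match filtering semantics. The rule format,
# the Rule class and the packet below are hypothetical; nothing here is
# ipfw's own code or syntax.


class Rule:
    """One filter rule: an action plus match fields. None means 'any'."""

    def __init__(self, action, proto=None, src="0.0.0.0/0",
                 dst="0.0.0.0/0", dport=None):
        self.action = action
        self.proto = proto
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.dport = dport

    def matches(self, pkt):
        return (
            (self.proto is None or pkt["proto"] == self.proto)
            and ip_address(pkt["src"]) in self.src
            and ip_address(pkt["dst"]) in self.dst
            and (self.dport is None or pkt.get("dport") == self.dport)
        )


def first_match(rules, pkt, policy="deny"):
    """Walk the chain in stored order; the first matching rule decides.
    If no rule matches, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


# Constructed rules: block telnet into the server net, allow the LAN out.
DENY_TELNET = Rule("deny", proto="tcp", dst="10.0.0.0/24", dport=23)
ALLOW_LAN = Rule("allow", proto="tcp", src="192.168.1.0/24")

# Constructed packet: a LAN host opening telnet to a server.
TELNET_FROM_LAN = {"proto": "tcp", "src": "192.168.1.5",
                   "dst": "10.0.0.7", "dport": 23}


def verdict_in_written_order():
    # The administrator added the deny rule first, then the allow rule.
    return first_match([DENY_TELNET, ALLOW_LAN], TELNET_FROM_LAN)


def verdict_in_reversed_order():
    # Same two rules, but the kernel stored them the other way round:
    # the broader allow rule now shadows the deny rule.
    return first_match([ALLOW_LAN, DENY_TELNET], TELNET_FROM_LAN)


def verdict_during_flush_window(policy):
    # Between 'flush' and the 'policy' command the chain is empty, so
    # only the default policy in force at that moment decides.
    return first_match([], TELNET_FROM_LAN, policy=policy)


if __name__ == "__main__":
    print("written order :", verdict_in_written_order())   # deny
    print("reversed order:", verdict_in_reversed_order())  # allow
    print("flush window, policy still accept:",
          verdict_during_flush_window("accept"))           # accept
    print("flush window, policy already deny:",
          verdict_during_flush_window("deny"))             # deny
```

The reversed-order case is exactly the failure the thread worries about: nothing in the rules changed, only their stored order, and a packet the administrator meant to block is accepted. The flush-window case shows why setting the default policy before loading the rules (or in the same step as the flush) matters: with an accept policy left in place, every packet arriving in that window is let through.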



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199512151950.UAA00783>