From owner-freebsd-hackers@FreeBSD.ORG Sun Nov 30 00:52:14 2003
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5CBF716A4CE for ; Sun, 30 Nov 2003 00:52:14 -0800 (PST)
Received: from atlas.informatik.rwth-aachen.de (atlas.Informatik.RWTH-Aachen.DE [137.226.194.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7272843FE1 for ; Sun, 30 Nov 2003 00:52:12 -0800 (PST) (envelope-from stolz@i2.informatik.rwth-aachen.de)
Received: from menelaos.informatik.rwth-aachen.de (menelaos.Informatik.RWTH-Aachen.DE [137.226.194.73]) 8.11.1-0.5-michaelw-20030918) with ESMTP id hAU8qBe08666; Sun, 30 Nov 2003 09:52:11 +0100
Received: (from stolz@localhost) hAU8qBQV014932; Sun, 30 Nov 2003 09:52:11 +0100 (CET) (envelope-from stolz)
Date: Sun, 30 Nov 2003 09:52:11 +0100
From: Volker Stolz
To: Antti Louko
Message-ID: <20031130085211.GA14925@i2.informatik.rwth-aachen.de>
References: <20031130065310.29349.qmail@alo.louko.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031130065310.29349.qmail@alo.louko.com>
X-PGP-Key: finger vs@foldr.org
X-PGP-Id: 0x3FD1B6B5
User-Agent: Mutt/1.5.4i
cc: hackers@freebsd.org
Subject: Re: ipfw/ipf IP filtering thoughts
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 30 Nov 2003 08:52:14 -0000

In local.freebsd-hackers, you wrote:
> In ipchains and iptables you have a sequential list of rules, very
> much like in ipfw and ipf, but you can have several different lists
> which have symbolic names and you can make calls from lists to other
> lists based on normal packet criteria. If the list is exhausted, the
> scan returns to the previous list.
You should be able to accomplish the same -- although in a more convoluted
way -- with ipf[w]. You might want to use a higher-level tool though instead
of writing all the rules by hand. Try using fwbuilder or code your own
abstraction which translates to ipfw rules.

Volker
-- 
http://www-i2.informatik.rwth-aachen.de/stolz/ *** PGP *** S/MIME
rage against the finite state machine
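As an illustration of the "code your own abstraction" suggestion in the reply above, here is a small translator that takes iptables-style named chains (the "lists with symbolic names" from the quoted message) and flattens them into a linear ipfw ruleset. This is an added example written for this archive page; it is not code from either poster, from fwbuilder, or from the ipfw project. It assumes the chain format defined in the script (a constructed sample), that ipfw `skipto` only jumps forward to a higher rule number, and that a chain "returns" to its caller by simply running off the end of its inlined rules. Because `skipto` cannot jump back, each jump expands the target chain in place: one `skipto` enters the body when the jump's match applies, a second `skipto` hops over the body otherwise. A chain referenced from two places is therefore emitted twice, which is the "more convoluted" part of doing this in ipfw.

```python
"""Flatten named firewall chains (iptables style) into a linear ipfw ruleset.

Added example, not code from the original thread. ipfw has no named chains,
so each 'jump' is expanded in place with two forward 'skipto' rules: one
taken when the jump's match applies, one skipping the inlined body when it
does not. Falling off the end of the body returns to the caller's next rule,
which is the iptables semantics described in the quoted message.
"""

STEP = 10          # rule-number spacing, leaves room for manual insertions
LAST_RULE = 65534  # ipfw reserves 65535 for the default rule

# Constructed sample input for this example.
# Each rule is (action, jump_target_or_None, ipfw match body).
CHAINS = {
    "input": [
        ("jump", "ssh", "tcp from any to me 22"),
        ("allow", None, "tcp from any to any established"),
        ("deny", None, "ip from any to any"),
    ],
    "ssh": [
        ("allow", None, "ip from 10.0.0.0/8 to any"),
        ("deny", None, "ip from 192.0.2.0/24 to any"),
        # anything else falls through and "returns" to the input chain
    ],
}


class FirewallError(ValueError):
    """Raised for undefined or recursive chains, or a ruleset that overflows."""


def flatten(chains, entry="input"):
    """Return a list of 'ipfw add ...' commands equivalent to the chain graph."""
    rules = []        # [number, rule text]; text patched later for skip-over rules
    counter = [STEP]  # next free rule number (list so the closure can mutate it)

    def alloc():
        n = counter[0]
        if n > LAST_RULE:
            raise FirewallError("ruleset too large for ipfw rule numbering")
        counter[0] += STEP
        return n

    def expand(name, stack):
        if name not in chains:
            raise FirewallError(f"jump to undefined chain {name!r}")
        if name in stack:
            raise FirewallError("recursive chain: " + " -> ".join(stack + (name,)))
        for action, target, body in chains[name]:
            if action in ("allow", "deny"):
                rules.append([alloc(), f"{action} {body}"])
            elif action == "jump":
                n_jump = alloc()
                n_skip = alloc()
                body_start = n_skip + STEP        # first rule of the inlined body
                rules.append([n_jump, f"skipto {body_start} {body}"])
                skip_idx = len(rules)
                rules.append([n_skip, None])      # patched once the body length is known
                expand(target, stack + (name,))
                # non-matching packets hop over the body to whatever comes next
                rules[skip_idx][1] = f"skipto {counter[0]} ip from any to any"
            else:
                raise FirewallError(f"unknown action {action!r} in chain {name!r}")

    expand(entry, ())
    return [f"ipfw add {n} {text}" for n, text in rules]


if __name__ == "__main__":
    # Output can be reviewed and then fed to sh on the firewall host.
    print("\n".join(flatten(CHAINS)))
```

The generated numbering keeps every `skipto` target ahead of the rule that issues it, so the ruleset loads on ipfw versions that only support forward skips. Recursive chains are rejected rather than expanded without bound, and the translator refuses to emit a ruleset that would run past ipfw's last usable rule number.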