From: Luigi Rizzo
To: freebsd-hackers@freebsd.org
Date: Wed, 24 Dec 2003 06:26:50 -0800
Subject: Re: natd + ipfw question
Message-ID: <20031224062650.A35575@xorpc.icir.org>
References: <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org> <20031224133945.GA74426@ussenterprise.ufp.org>
In-Reply-To: <20031224133945.GA74426@ussenterprise.ufp.org>; from bicknell@ufp.org on Wed, Dec 24, 2003 at 08:39:45AM -0500
List-Id: Technical Discussions relating to FreeBSD

On Wed, Dec 24, 2003 at 08:39:45AM -0500, Leo Bicknell wrote:
...
> Now that I've used IPFW2 for something more complicated than simple
> host filtering I see that the syntax and structure makes something
> like a firewall/nat box for any moderately interesting config way
> too complicated with way too many pitfalls. This whole "the packet
> may hit your rule between 0 and 4 times, depending on a pile of
> stuff" just doesn't fly, and add in the need for "one_pass=0" to
> make dummynet traffic shaping work right, which adds some complication

honestly, i think you are misrepresenting things.
How many times you hit a rule depends on your ruleset, with any
firewall -- in fact, a ruleset is no different from a program, and
if you want to do something useful with a program you probably need
to write slightly more than printf("hello world"); with a
correspondingly increased chance of putting in bugs.

And you normally use "one_pass=1" only when you want to build complex
firewall structures involving multiple pipes, or doing dummynet
filtering before natd (for which there is a better way, given that
you can operate on both the input and output path).

I believe that what you want is not a better config language, but
some default rulesets that you can customize by simply putting in
your addresses (more or less).

	cheers
	luigi

> to the firewall rules and things are just all kinds of strange.
>
> That's no knock on the authors, backwards compatibility is important,
> and a lot has been grafted onto IPFW since it started (like divert/nat
> and the dummynet stuff). I'll strongly recommend though that IPFW3
> have a whole new, from the ground up, redesigned config language.
> :) And yes, I'm willing to help.
>
> --
> Leo Bicknell - bicknell@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
> Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
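The kind of "default ruleset you fill your addresses into" that the reply above argues for, written out as an added example; this is not code from the thread, nor FreeBSD's own rc.firewall. It is a shell function that prints an ipfw2 ruleset for a natd router given the external interface and address, the LAN interface and the LAN prefix. The interface names, addresses and pipe bandwidths are placeholders. It assumes natd on its default divert port 8668, that a packet natd reinjects continues at the rule after the divert rule, and the default net.inet.ip.fw.one_pass=1. It also shows the point about having both the input and the output path available: traffic is shaped on the LAN interface, where the addresses are still private, so no packet ever has to continue past a pipe rule and one_pass=0 is not needed; the stateful rules are placed so that they see private addresses in both directions and the divert rule is hit exactly once per crossing of the external interface.

```shell
#!/bin/sh
# Added example: template ipfw2 ruleset for a natd router, printed as the
# "add ..." lines that ipfw(8) reads from a file.  Interface names, addresses
# and bandwidths are placeholders supplied by the caller.
#
# Assumed kernel behaviour: a packet natd reinjects through the divert socket
# continues at the rule after the divert rule, and net.inet.ip.fw.one_pass=1
# (the default) ends processing after a pipe.  A LAN -> Internet flow then
# traverses the ruleset four times:
#   1. in  recv INT_IF   private src, shaped by pipe 1, accepted
#   2. out xmit EXT_IF   private src, keep-state, skipto 800, divert, allow
#   3. in  recv EXT_IF   reply: divert first, then check-state, allow
#   4. out xmit INT_IF   private dst, shaped by pipe 2, accepted
#
# gen_ruleset EXT_IF EXT_IP INT_IF INT_NET [NATD_PORT]
gen_ruleset() {
    ext_if=$1 ext_ip=$2 int_if=$3 int_net=$4 natd_port=${5:-8668}

    # Illustrative pipe sizes; adjust to the uplink.
    echo "pipe 1 config bw 256Kbit/s"
    echo "pipe 2 config bw 1024Kbit/s"

    # Passes 1 and 4: shape on the LAN interface, where addresses are still
    # private.  Nothing else needs to run on these passes, so one_pass=1 is
    # fine (with one_pass=0 the packet would just fall through to rule 10).
    echo "add 5 pipe 1 ip from $int_net to any in recv $int_if"
    echo "add 6 pipe 2 ip from any to $int_net out xmit $int_if"
    echo "add 10 allow ip from any to any via $int_if"
    echo "add 11 allow ip from any to any via lo0"
    echo "add 12 deny ip from any to 127.0.0.0/8"
    echo "add 13 deny ip from 127.0.0.0/8 to any"

    # Pass 3: inbound on the external interface.  Refuse spoofed private
    # sources, translate, and only then consult the dynamic rules, which were
    # recorded with private addresses on pass 2.
    echo "add 14 deny ip from $int_net to any in recv $ext_if"
    echo "add 15 divert $natd_port ip from any to any in recv $ext_if"
    echo "add 16 check-state"

    # Pass 2: outbound on the external interface, still untranslated.
    # keep-state records the flow; skipto 800 carries this packet, and via
    # check-state every later packet of the flow in either direction, to the
    # outbound divert.  "allow ... keep-state" here would bypass NAT entirely.
    echo "add 20 skipto 800 tcp from $int_net to any out xmit $ext_if setup keep-state"
    echo "add 21 skipto 800 udp from $int_net to any out xmit $ext_if keep-state"
    echo "add 22 skipto 800 icmp from $int_net to any out xmit $ext_if keep-state"
    echo "add 23 skipto 800 ip from $ext_ip to any out xmit $ext_if keep-state"

    # Anything not handled above stops here, so rules 800/801 are reachable
    # only through skipto: unsolicited inbound traffic never reaches 801.
    echo "add 30 deny log ip from any to any"

    # Outbound NAT, hit exactly once per outbound pass, then accept.  The
    # inbound reply arrives here via check-state, does not match 800, and is
    # accepted by 801 (it was already translated at rule 15).
    echo "add 800 divert $natd_port ip from any to any out xmit $ext_if"
    echo "add 801 allow ip from any to any"
}

# Usage: gen_ruleset fxp0 203.0.113.10 fxp1 192.168.1.0/24 > /etc/ipfw.rules
#        ipfw -q -f flush && ipfw -q /etc/ipfw.rules
# with natd started as: natd -n fxp0 -dynamic
if [ $# -ge 4 ]; then
    gen_ruleset "$@"
fi
```

The shape of the ruleset is what matters more than the numbers: one divert per direction on the external interface, check-state after the inbound divert and before the keep-state rules, a catch-all deny in front of the NAT block so that 800/801 are only reached by skipto, and the pipes kept on the interface where the packet does not need to continue to another rule. Changing the addresses is then all a new site has to do.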