Date: Thu, 20 Oct 2005 11:08:24 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: Foo Ji-Haw <jhfoo@nexlabs.com>
Cc: Daniel Pittman <daniel@rimspace.net>, freebsd-questions@freebsd.org
Subject: Re: Basic FreeBSD firewall and patching questions.
Message-ID: <Pine.LNX.4.64.0510201058040.17272@shannon.math.ku.dk>
In-Reply-To: <035f01c5d554$e3514350$c801a8c0@nexpc>
References: <87br1kk72v.fsf@rimspace.net> <Pine.LNX.4.64.0510200951350.16151@shannon.math.ku.dk> <035f01c5d554$e3514350$c801a8c0@nexpc>
On Thu, 20 Oct 2005, Foo Ji-Haw wrote:

> Thanks for the brief breakdown on ipf and ipfilter. But what about ipfw? I
> like the 'auto-swap ruleset' feature, as well as account. Does ipfw do them
> as well? Thanks.

No idea, never used it and I don't plan to. I'm using pf now; it does what I need, although I miss the two mentioned features, and I see no reason to change.

I asked on the openbsd list for the ability to have an inactive ruleset and swap for the very same reasons you want it, and got flamed: "why would you ever want that?", "you can keep a backup in a file", "why wouldn't you want to have 10 or 100 rulesets?", "you can check your ruleset with pfctl -n", "it won't load if there are errors".

They didn't get that the checks catch only syntactically incorrect errors, not those typos that can lock you out while strictly correct - like 10.0.0.0/2 instead of 10.0.0.0/24.

So don't request it. Same thing for groups.

Cheers, Erik
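The point above is that `pfctl -n` accepts `10.0.0.0/2` because it is syntactically valid, even though it covers a quarter of the IPv4 space instead of one /24. The following Python lint is an added example (not from this thread, pf, or pfctl) that catches that class of typo semantically: it flags any CIDR whose address has host bits set relative to its prefix, and any prefix shorter than a threshold. The sample ruleset and the /8 default are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample pf.conf fragment (not from the thread). The /2 entry is
# the kind of typo discussed: pfctl -n accepts it, but it matches
# 0.0.0.0-63.255.255.255 instead of a single /24.
SAMPLE_RULESET = """\
ext_if = "em0"
table <admins> { 10.0.0.0/2, 192.168.1.0/24 }
block in all
pass in on $ext_if proto tcp from <admins> to any port 22
pass in on $ext_if inet from 10.0.0.0/24 to any
"""

# IPv4 address followed by a prefix length; pf tokens like $ext_if are ignored.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def lint_prefixes(ruleset, min_prefix=8):
    """Return (line number, cidr, reason) for each suspicious network.

    Two semantic checks that a syntax-only parse does not make:
    - the address has host bits set relative to its prefix, which is what a
      dropped digit in the prefix length (/2 for /24) produces;
    - the prefix is shorter than min_prefix (the /8 default is an assumption).
    """
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        for addr, plen in CIDR_RE.findall(line):
            cidr = f"{addr}/{plen}"
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError as exc:  # bad octet or prefix longer than 32
                findings.append((lineno, cidr, f"invalid network: {exc}"))
                continue
            if net.network_address != ipaddress.ip_address(addr):
                findings.append((lineno, cidr,
                                 f"host bits set; this actually matches {net}"))
            if net.prefixlen < min_prefix:
                findings.append((lineno, cidr, f"prefix shorter than /{min_prefix}"))
    return findings


if __name__ == "__main__":
    for lineno, cidr, reason in lint_prefixes(SAMPLE_RULESET):
        print(f"line {lineno}: {cidr}: {reason}")
```

Run it against a candidate ruleset before `pfctl -f`; it complements, rather than replaces, the syntax check.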