From owner-freebsd-questions@FreeBSD.ORG  Thu Oct 20 09:08:28 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 51A0716A41F
	for <freebsd-questions@freebsd.org>;
	Thu, 20 Oct 2005 09:08:28 +0000 (GMT)
	(envelope-from norgaard@math.ku.dk)
Received: from imf.math.ku.dk (fw.math.ku.dk [130.225.103.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D616D43D5A
	for <freebsd-questions@freebsd.org>;
	Thu, 20 Oct 2005 09:08:27 +0000 (GMT)
	(envelope-from norgaard@math.ku.dk)
Received: from imf.math.ku.dk (localhost [127.0.0.1])
	by imf.math.ku.dk (Postfix) with ESMTP id C10FE1B2AF;
	Thu, 20 Oct 2005 11:08:24 +0200 (CEST)
Received: from shannon.math.ku.dk (shannon.math.ku.dk [130.225.103.12])
	by imf.math.ku.dk (Postfix) with ESMTP;
	Thu, 20 Oct 2005 11:08:24 +0200 (CEST)
Date: Thu, 20 Oct 2005 11:08:24 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: Foo Ji-Haw <jhfoo@nexlabs.com>
In-Reply-To: <035f01c5d554$e3514350$c801a8c0@nexpc>
Message-ID: <Pine.LNX.4.64.0510201058040.17272@shannon.math.ku.dk>
References: <87br1kk72v.fsf@rimspace.net>
	<Pine.LNX.4.64.0510200951350.16151@shannon.math.ku.dk>
	<035f01c5d554$e3514350$c801a8c0@nexpc>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED;
	BOUNDARY="-511570841-1496422453-1129799304=:17272"
Cc: Daniel Pittman <daniel@rimspace.net>, freebsd-questions@freebsd.org
Subject: Re: Basic FreeBSD firewall and patching questions.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2005 09:08:28 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---511570841-1496422453-1129799304=:17272
Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT

On Thu, 20 Oct 2005, Foo Ji-Haw wrote:

> Thanks for the brief breakdown on ipf and ipfilter. But what about ipfw? I
> like the 'auto-swap ruleset' feature, as well as account. Does ipfw do them
> as well? Thanks.

No idea, never used it and I donīt plan to. I'm using pf now, it 
does what I need although I miss the two mentioned features, and I 
see no reason to change.

I asked on the openbsd list for the ability to have an inactive 
ruleset and swap for the very same reasons you want it, and got 
flamed:

"why would you ever want that?", "you can keep a backup in a 
file", "why wouldn't you want to have 10 or 100 rulesets?", "you 
can check your ruleset with pfctl -n", "it won't load if there are 
errors".

They didn't get that the checks catches only syntactically 
incorrect errors, not those typos that can lock you out while 
strictly correct - like 10.0.0.0/2 instead of 10.0.0.0/24.

So don't request it. Same thing for groups.

Cheers, Erik
---511570841-1496422453-1129799304=:17272--