Date: Tue, 19 Oct 1999 19:11:25 +0900
From: "Daniel C. Sobral" <dcs@newsguy.com>
To: Julian Elischer <julian@whistle.com>
Cc: Jerry Bell <jerry@bellnetworks.net>, freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW Improvements. (comments?)
Message-ID: <380C43CD.9767F133@newsguy.com>
References: <Pine.BSF.4.10.9910190114150.25065-100000@current1.whistle.com>
Julian Elischer wrote:
> 
> On Mon, 18 Oct 1999, Jerry Bell wrote:
> 
> > I have a few proposed additions to IPFW that I'd like to get feedback
> > on. The changes are mostly from my experience with other (commercial)
> > firewalls.
> >
> > Change source and destination identifier in the rule processing from one
> > IP address (or range of addresses) to an array of IP addresses (or range
> > of IP addresses). This allows for a more manageable rulebase.
> > ex. ipfw add pass all from 10.0.0.1/24,10.0.1.0/24 to
> > 10.0.0.1/24,10.0.1.0/24
> > The real advantage is being able to do something like this:
> >
> > #!/bin/sh
> > dnservers=10.0.0.1,10.0.0.2,10.0.0.3
> > smtpservers=10.0.0.4,10.0.0.5,10.0.0.6
> > ipfw add pass udp from any to $dnservers 53
> > ipfw add pass tcp from any to $smtpservers 25
> >
> > ... and so on.
> 
> but you need to store this somewhere..
> the present system of fixed structures doesn't support this without an
> enormous waste of space...I'm not sure how useful it would be in
> practice..
> 
> It would require rewriting of large parts of the code, not to mention a
> complete rewrite of the interface and user program.
> This is the kind of thing that is easy to say to a human and a bitch to
> implement.

Yes. Besides:

#!/bin/sh
# whitespace-separated lists; quoted so the assignment holds more than one word
dnservers="10.0.0.1 10.0.0.2 10.0.0.3"
smtpservers="10.0.0.4 10.0.0.5 10.0.0.6"
for addr in $dnservers
do
	ipfw add pass udp from any to $addr 53
done
for addr in $smtpservers
do
	ipfw add pass tcp from any to $addr 25
done

After all, it's *sh* you are running. It has power.

> This can already be done with a daemon without
> any ipfw changes..
> 
> The daemon adds a rule to allow itself to be connected to.
> When it gets a successful authentication, it
> adds more rules to allow the successful user in.

Yup. See divert.

-- 
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

	"People call him Neutron Star, 'cuz his so dense lights bends around him."
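The two scripts above differ only in where the list lives: Jerry's proposal puts a comma-separated list into the rule itself, Daniel's loop keeps one address per rule and lets sh do the expansion. The following POSIX sh helper (an added example, not code from either poster or from ipfw itself) bridges the two: it accepts the comma-separated form, checks every entry is a well-formed IPv4 address or address/prefix before touching the firewall, and emits one `ipfw add pass` rule per entry. The `IPFW` variable and the `expand_rules`/`valid_addr` function names are this example's own; by default it only prints the commands, so a ruleset can be reviewed before `IPFW=ipfw` makes it live.

```shell
#!/bin/sh
# Expand a comma-separated address list into one ipfw rule per address.
# Usage: expand_rules <proto> <addr1,addr2,...> <port>
# Dry run by default: commands are printed. Set IPFW=ipfw to execute them.
: "${IPFW:=echo ipfw}"
set -f   # no pathname expansion while we word-split on '.' and ','

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_addr() {
    addr=$1
    case $addr in
        */*) ip=${addr%/*}; prefix=${addr#*/} ;;
        *)   ip=$addr;      prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;     # empty or non-numeric prefix
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                       # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;; # empty (e.g. "10..0.1") or non-numeric
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate the whole list first, then emit/run one rule per address.
# Failing closed on a bad entry avoids loading a half-applied ruleset.
expand_rules() {
    proto=$1 list=$2 port=$3
    old_ifs=$IFS; IFS=,
    set -- $list                     # split on commas
    IFS=$old_ifs
    for addr in "$@"; do
        if ! valid_addr "$addr"; then
            printf 'invalid address in list, no rules added: %s\n' "$addr" >&2
            return 1
        fi
    done
    for addr in "$@"; do
        $IPFW add pass "$proto" from any to "$addr" "$port"
    done
}

# Constructed sample lists, matching the ones in the thread.
expand_rules udp 10.0.0.1,10.0.0.2,10.0.0.3 53
expand_rules tcp 10.0.0.4,10.0.0.5,10.0.0.6 25
```

Run as-is to see the rules that would be added; run with `IPFW=ipfw` as root to apply them. Validating the complete list before emitting anything is the point of the two-pass loop: a typo in the third entry should not leave the first two rules already installed.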
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?380C43CD.9767F133>