From: "Simon L. Nielsen"
To: freebsd-net@freebsd.org
Cc: Andre Oppermann
Date: Tue, 14 Dec 2004 15:17:52 +0100
Subject: Re: per-interface packet filters, design approach
Message-ID: <20041214141752.GC782@zaphod.nitro.dk>
In-Reply-To: <20041214141307.GA684@empiric.icir.org>
List-Id: Networking and TCP/IP with FreeBSD

On 2004.12.14 06:13:07 -0800, Bruce M Simpson wrote:
> What I'm really missing in IPFW is the ability to maintain one or more
> 'shadow rulesets'. These rulesets may not be the active rulesets, but
> I can manipulate them as tables, independently of the active ruleset(s),
> push rules into them, flush them, and then atomically switch them to be
> the active ruleset, using a single syscall.

Isn't that more or less sets you are talking about?
Quoting ipfw(8):

     Each rule belongs to one of 32 different sets, numbered 0 to 31.  Set
     31 is reserved for the default rule.

     By default, rules are put in set 0, unless you use the set N attribute
     when entering a new rule.  Sets can be individually and atomically
     enabled or disabled, so this mechanism permits an easy way to store
     multiple configurations of the firewall and quickly (and atomically)
     switch between them.  The command to enable/disable sets is

           ipfw set [disable number ...] [enable number ...]

     where multiple enable or disable sections can be specified.  Command
     execution is atomic on all the sets specified in the command.  By
     default, all sets are enabled.

-- 
Simon L. Nielsen
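The "shadow ruleset" workflow Bruce asks for, done with the ipfw sets the quoted man page text describes: load the replacement rules into a disabled set while the live set keeps filtering, then flip both sets in one ipfw set command so the kernel never evaluates a packet against a half-loaded table. This is an added example, not code from the mail or from FreeBSD; the set numbers, rule numbers, interface name and addresses are made up for illustration. IPFW defaults to "echo ipfw" so the script only prints the commands it would run; set IPFW=ipfw as root on a FreeBSD host to apply them.

```shell
#!/bin/sh
# Added example: stage a replacement ipfw ruleset in a disabled set and
# swap it in atomically.  Not from the original mail.  Set/rule numbers,
# interface and addresses are constructed for illustration only.
# Dry run by default: IPFW="echo ipfw".  Use IPFW=ipfw to really apply.

IPFW="${IPFW:-echo ipfw}"

# Constructed sample ruleset, one rule per line: "<rule-number> <body>".
# A minimal stateful policy for a host with one uplink, em0.
NEW_RULES='00100 allow ip from any to any via lo0
00200 check-state
00300 allow tcp from any to me 22 in via em0 setup keep-state
00400 allow ip from me to any out via em0 keep-state
00500 deny log ip from any to any'

# stage_set NUM: disable set NUM, empty it, and load NEW_RULES into it.
# Because the set is disabled, none of this touches what is filtering
# traffic right now (set 0 in this example).
stage_set() {
    set_num=$1
    $IPFW set disable "$set_num"
    $IPFW delete set "$set_num"
    printf '%s\n' "$NEW_RULES" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # Split "NUM body..." into the rule number and the rule body.
        # shellcheck disable=SC2086
        set -- $rule
        num=$1
        shift
        $IPFW add "$num" set "$set_num" "$@"
    done
}

# swap_sets OLD NEW: enable NEW and disable OLD in a single ipfw command.
# ipfw(8) guarantees this is atomic over all sets named in the command,
# so there is no window where neither (or both) rulesets are active.
swap_sets() {
    $IPFW set enable "$2" disable "$1"
}

# Stage the shadow ruleset in set 1 while set 0 stays live, then swap.
stage_set 1
swap_sets 0 1
```

Rolling back is the same single command with the arguments reversed (swap_sets 1 0), which is the practical advantage over flushing and reloading the active set rule by rule. Set 31 is never used for staging because ipfw reserves it for the default rule.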