Date: Thu, 16 Jan 1997 14:06:36 +0200 (SAT)
From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To: archie@whistle.com (Archie Cobbs)
Cc: ejs@bfd.com, nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject: Re: ipfw cannot do this...
Message-ID: <199701161206.OAA14163@oskar.nanoteq.co.za>
In-Reply-To: <199701152258.OAA23006@bubba.whistle.com> from Archie Cobbs at "Jan 15, 97 02:58:58 pm"
Hi ...

> > Actually, what I really want is an ipfw add skip XXX ... where if
> > something matches the rule, skip all other rules below XXX (yes, I always
> > number my rules:-)
>
> Just use the rule "ipfw accept". The packet is permitted and remaining
> rules are ignored.

Maybe he means just jumping a few rules and then continue enforcing the
rules from XXX onward.

What if the rules are made hierarchical, example:

First test to see if the source is the subnet - then enforce more
detailed entries

    ipfw add 10 TRUE from 0.0.0.0/24 to any
                        /\
                  YES        NO
             rules TRUE+   rules FALSE
                  |             |
               Deny all      Deny all

Or something to this effect ....

I'll be willing to give some ideas or even to try and implement this :)
because this would make the number of rules tested for one packet much
less, especially for a large subset of rules

Reinier

###################################################################
#                                                                 #
#  R.N. Bezuidenhout                       NetSeq Firewall        #
#  rbezuide@oskar.nanoteq.co.za         http://www.nanoteq.co.za  #
#                                                                 #
###################################################################
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701161206.OAA14163>
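The "skip to rule XXX" action discussed in this thread is what today's ipfw(8) calls skipto: when a rule with action "skipto N" matches, the search continues at the first rule numbered N or higher, and N must be larger than the current rule number so the walk can only move forward. The following is an added example, not code from the thread or from FreeBSD; it is a small Python model of that evaluation order, used to count how many rules a packet touches in a flat ruleset versus the hierarchical layout Reinier sketches (classify by source subnet, jump into a per-subnet block that ends in its own "deny all"). The subnets, server addresses and rule numbers are constructed for the example, and the end-of-list default is assumed to be deny (in FreeBSD it depends on the kernel configuration).

```python
"""Toy model of ipfw-style rule evaluation with a forward-only "skipto" action.
Constructed example: the rulesets and addresses below are made up."""
import ipaddress
from bisect import bisect_left
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "allow", "deny" or "skipto"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: Optional[int] = None   # rule number to continue at, for skipto


def rule(number: int, action: str, src: str = ANY, dst: str = ANY,
         target: Optional[int] = None) -> Rule:
    return Rule(number, action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), target)


def is_well_formed(rules: List[Rule]) -> bool:
    """Rule numbers strictly increasing; every skipto jumps forward (no loops)."""
    numbers = [r.number for r in rules]
    if numbers != sorted(set(numbers)):
        return False
    return all(r.action != "skipto" or (r.target is not None and r.target > r.number)
               for r in rules)


def evaluate(rules: List[Rule], src: str, dst: str,
             default: str = "deny") -> Tuple[str, int]:
    """Walk the ruleset for one packet. Returns (verdict, rules_examined).
    `default` stands in for the kernel's end-of-list rule (deny is assumed)."""
    assert is_well_formed(rules)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    numbers = [r.number for r in rules]
    i, examined = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if s in r.src and d in r.dst:
            if r.action != "skipto":
                return r.action, examined
            # skipto N: resume at the first rule numbered N or higher
            i = bisect_left(numbers, r.target)
        else:
            i += 1
    return default, examined


# Three internal /16s, each allowed to reach a few servers (constructed data).
SUBNETS = {"10.1.0.0/16": ["192.0.2.10", "192.0.2.25", "192.0.2.53"],
           "10.2.0.0/16": ["192.0.2.10", "192.0.2.20", "192.0.2.80"],
           "10.3.0.0/16": ["192.0.2.10", "192.0.2.30", "192.0.2.40"]}


def flat_ruleset() -> List[Rule]:
    """One long list: every packet walks past every other subnet's rules."""
    rules, n = [], 100
    for net, hosts in SUBNETS.items():
        for h in hosts:
            rules.append(rule(n, "allow", net, h + "/32"))
            n += 10
    rules.append(rule(65535, "deny"))
    return rules


def hierarchical_ruleset() -> List[Rule]:
    """Rules 10/20/30 classify by source subnet and skipto a per-subnet block
    that ends in its own deny, so a packet only sees its own subnet's rules."""
    rules, n = [], 10
    for k, net in enumerate(SUBNETS, start=1):
        rules.append(rule(n, "skipto", net, ANY, target=1000 * k))
        n += 10
    rules.append(rule(n, "deny"))                  # source in no known subnet
    for k, (net, hosts) in enumerate(SUBNETS.items(), start=1):
        m = 1000 * k
        for h in hosts:
            rules.append(rule(m, "allow", net, h + "/32"))
            m += 10
        rules.append(rule(m, "deny"))              # the per-block "Deny all"
    return rules


def compare(src: str, dst: str) -> Tuple[str, int, str, int]:
    """(flat verdict, flat rules examined, hier verdict, hier rules examined)."""
    vf, nf = evaluate(flat_ruleset(), src, dst)
    vh, nh = evaluate(hierarchical_ruleset(), src, dst)
    return vf, nf, vh, nh


if __name__ == "__main__":
    for src, dst in [("10.3.1.5", "192.0.2.40"), ("10.3.1.5", "192.0.2.99"),
                     ("10.1.2.3", "192.0.2.25"), ("172.16.0.9", "192.0.2.10")]:
        print(src, "->", dst, compare(src, dst))
```

Note that the saving is not uniform: a packet from the first subnet can touch one rule more in the hierarchical layout (the classifying skipto), while packets from later subnets, and packets from no known subnet, skip every block that is not theirs. The gain grows with the number of subnets and the number of rules per block, which is the "large subset of rules" case the message has in mind.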