Date: Thu, 16 Jan 1997 14:06:36 +0200 (SAT)
From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To: archie@whistle.com (Archie Cobbs)
Cc: ejs@bfd.com, nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject: Re: ipfw cannot do this...
Message-ID: <199701161206.OAA14163@oskar.nanoteq.co.za>
In-Reply-To: <199701152258.OAA23006@bubba.whistle.com> from Archie Cobbs at "Jan 15, 97 02:58:58 pm"
Hi ...
>
> > Actually, what I really want is an ipfw add skip XXX ... where if
> > something matches the rule, skip all other rules below XXX (yes, I always
> > number my rules:-)
>
> Just use the rule "ipfw accept". The packet is permitted and remaining
> rules are ignored.
Maybe he means just jumping a few rules and then continue enforcing the
rules from XXX onward.
What if the rules are made hierarchical, example:
First test to see if the source is the subnet - then enforce more
detailed entries
ipfw add 10 TRUE from 0.0.0.0/24 to any
                /\
             YES  NO
    rules TRUE+    rules FALSE
         |              |
     Deny all        Deny all

Or something to this effect ....
I'll be willing to give some ideas or even to try and implement this :)
because this would make the number of rules tested for one packet
much less, especially for a large subset of rules
Reinier
###################################################################
# #
# R.N. Bezuidenhout NetSeq Firewall #
# rbezuide@oskar.nanoteq.co.za http://www.nanoteq.co.za #
# #
###################################################################
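As an added illustration, not part of Reinier's post or of ipfw itself: a small Python model of first-match rule evaluation with a hypothetical forward "skipto" action, counting how many rules each packet touches in a flat list versus the hierarchical layout sketched in the message (a per-subnet branch that ends in its own "deny all"). The rule numbers, the 10.1.0.0/24 and 10.2.0.0/24 subnets and the 192.0.2.x hosts are constructed sample values.

```python
# Added example: toy first-match rule evaluation with a hypothetical
# "skipto" action. Not ipfw code; the rulesets are constructed samples.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "allow", "deny" or "skipto"
    src: str           # CIDR such as "10.1.0.0/24"; "any" matches everything
    dst: str
    target: int = 0    # rule number to continue at, for "skipto" only

    def matches(self, src_ip, dst_ip):
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


def _in(cidr, ip):
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src_ip, dst_ip):
    """Return (verdict, rules_tested).

    Rules are evaluated in ascending number order, first match wins.
    A matching "skipto" continues at the first rule whose number is >=
    its target; it must jump forward so evaluation always terminates.
    Falling off the end of the list means deny.
    """
    rules = sorted(rules, key=lambda r: r.number)
    i, tested = 0, 0
    while i < len(rules):
        r = rules[i]
        tested += 1
        if r.matches(src_ip, dst_ip):
            if r.action != "skipto":
                return r.action, tested
            if r.target <= r.number:
                raise ValueError(f"rule {r.number}: skipto must jump forward")
            # no rule at or past the target: treat as end of list (deny)
            i = next((j for j, x in enumerate(rules) if x.number >= r.target),
                     len(rules))
            continue
        i += 1
    return "deny", tested


def flat_ruleset():
    """One long list: 8 host rules per subnet, then a final deny."""
    rules = [Rule(i, "allow", "10.1.0.0/24", f"192.0.2.{i}/32") for i in range(1, 9)]
    rules += [Rule(i, "allow", "10.2.0.0/24", f"192.0.2.{i + 2}/32") for i in range(9, 17)]
    rules.append(Rule(17, "deny", "any", "any"))
    return rules


def hierarchical_ruleset():
    """Branch on source subnet first; each branch ends in its own deny."""
    rules = [
        Rule(10, "skipto", "10.1.0.0/24", "any", target=100),
        Rule(20, "skipto", "10.2.0.0/24", "any", target=200),
        Rule(30, "deny", "any", "any"),
    ]
    rules += [Rule(100 + k, "allow", "10.1.0.0/24", f"192.0.2.{k + 1}/32") for k in range(8)]
    rules.append(Rule(108, "deny", "any", "any"))
    rules += [Rule(200 + k, "allow", "10.2.0.0/24", f"192.0.2.{k + 11}/32") for k in range(8)]
    rules.append(Rule(208, "deny", "any", "any"))
    return rules


def compare(src_ip, dst_ip):
    """Verdict and rules-tested count under both layouts for one packet."""
    return {"flat": evaluate(flat_ruleset(), src_ip, dst_ip),
            "hierarchical": evaluate(hierarchical_ruleset(), src_ip, dst_ip)}


if __name__ == "__main__":
    for pkt in [("10.2.0.5", "192.0.2.18"), ("10.3.0.9", "192.0.2.1"), ("10.1.0.5", "192.0.2.3")]:
        print(pkt, compare(*pkt))
```

A packet from an unlisted subnet is rejected after three tests instead of seventeen, and a packet for the last host of the second subnet touches ten rules instead of sixteen. The third sample shows the trade-off: a packet that would have matched one of the first rules of the flat list costs one extra test in the hierarchical layout, so the saving is largest for rulesets that are wide and for packets that fall late or nowhere. The forward-only check on the skip target is what keeps the evaluation loop finite.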
