Date: Thu, 25 Nov 1999 08:48:10 +1100
From: Tony Landells <ahl@austclear.com.au>
To: ipfw@freebsd.org, arch@freebsd.org
Subject: Re: new IPFW
Message-ID: <199911242148.IAA25984@tungsten.austclear.com.au>
One of the things that would be a minor prettiness improvement (hmm, I wonder if I should TM that?)...

At the moment I have rule numbers on every rule in rc.firewall because I want to start all my "groups" of rules at a boundary (like multiples of 10000 for "major" groups, and multiples of 1000 for "minor" groups). I didn't want to do it with numbers on every rule, but there didn't seem to be many alternatives:

- if I just put "$ipfw add 10000 ..." for each rule in the group, then they all get the exact same number
- if I use "skipto" to set line numbers every so often, then I get crap I don't want in the rulesets
- if I put the line number on the first line in each group, then I have to actually pay attention when I'm debugging a new ruleset as to where I've commented out lines, or inserted/deleted the first line in a group--that's way too hard ;-)

I'd be much happier with something in ipfw that just marked the next line number to be used, preferably in a way that I could get it to move to the next "grouping"--like "set the next rule number to the next multiple of 1000".

Such a thing may fall out of going to a more procedural layout, because you could have:

    rules rfc1918 {
        # filter out and log any RFC 1918 addresses
        add deny log ...
        add deny log ...
    };

and then say something like "add rfc1918 ..." or whatever.

Of course, I guess I could achieve the same effect by using a shell variable and a few functions in rc.firewall...

Tony
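The "shell variable and a few functions" approach the message ends on, written out as an added example (not part of the original post and not FreeBSD's rc.firewall): a counter holds the next rule number, group() rounds it up to the next multiple of 10000 or 1000 before a new block of rules, and fwadd() numbers each rule from the counter. The function names, the IPFW variable (set to echo here so the script runs without root or a kernel firewall) and the sample RFC 1918 rules are constructed for the example; in a real rc.firewall IPFW would be /sbin/ipfw.

```shell
#!/bin/sh
# Added example: number ipfw rules from a shell counter so each group of
# rules in rc.firewall starts at a round boundary without a number on
# every line. IPFW is "echo ipfw" here so the script runs anywhere;
# replace it with /sbin/ipfw to load the rules for real.
IPFW="echo ipfw"

next_rule=100   # next rule number to hand out

# round_up N MULT: print the smallest multiple of MULT that is >= N
round_up() {
    echo $(( (($1 + $2 - 1) / $2) * $2 ))
}

# group MULT: move the counter to the next multiple of MULT
# (10000 for a "major" group, 1000 for a "minor" group)
group() {
    next_rule=$(round_up "$next_rule" "$1")
}

# fwadd RULE...: add RULE with the current number, then advance the counter,
# so commenting out or reordering rules inside a group needs no renumbering
fwadd() {
    $IPFW add "$next_rule" "$@"
    next_rule=$((next_rule + 1))
}

# Constructed sample ruleset: the rfc1918 group from the message (rules
# land at 10000-10002), then a minor group starting at 11000.
group 10000
# filter out and log any RFC 1918 addresses
fwadd deny log ip from 10.0.0.0/8 to any in
fwadd deny log ip from 172.16.0.0/12 to any in
fwadd deny log ip from 192.168.0.0/16 to any in

group 1000
fwadd allow tcp from any to any established
```

Because group() only rounds up, a group that already sits on a boundary is not pushed to the next one, and a group that overflows its 1000-rule slot is still followed by a fresh boundary rather than colliding with the next group's numbers.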