Date: Mon, 9 Oct 2000 19:34:45 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: ipf vs. ipfw ?
Message-ID: <20001009193445.T31338@speedy.gsinet>
In-Reply-To: <Pine.BSF.4.21.0010082235080.3908-100000@turtle.looksharp.net>; from bandix@looksharp.net on Sun, Oct 08, 2000 at 10:39:22PM -0400
References: <20001008224359.R31338@speedy.gsinet> <Pine.BSF.4.21.0010082235080.3908-100000@turtle.looksharp.net>
On Sun, Oct 08, 2000 at 22:39 -0400, Brandon D. Valentine wrote:
> On Sun, 8 Oct 2000, Gerhard Sittig wrote:
>
> > - are you already familiar with one of the languages, do you
> > already use one or the other? i.e. how much work is it for you
> > to use "the other" or is either one the first effort you spend?
>
> Just to interject a brief comment, one of the main strong points
> of ipf as I see it is that it is multiplatform. This is nice
> because if your firewall dies, you can pull a box from just
> about anywhere, maybe reconfigure the hardware a bit, and drop
> in your existing ipf rules, regardless of what OS that box is
> running.

That's something other tools promise, too. One wouldn't even have to
learn ipfw/ipf/ipchains/fw-1/whatever syntax, and could use e.g. hlfl
(high level firewall language, IIRC) instead. This will even provide
you with more abstract (read: maybe more readable for more complex
scenarios) methods of specifying what you mean by having the computer
break it down for you into the concrete program's syntax and maybe a
multitude of rules replacing some "closer to human thinking" words.

But OTOH this is just one more language to learn in case you already
know the destination language. And it certainly is a good idea to
understand the lower level language, too -- to make sure the
"translator" told the machine what you wanted to tell it to the
machine. :) It's always better to be safe than sorry ...

BTW: Did anyone miss the possibility to use (shell like) variables in
ipf rules, too? Is there someone who did something to achieve this?
I thought of an extension like

  MXHOST=12.34.56.78
  cat | ipf -f - << E_O_RULES
  pass out ... from $MXHOST ...
  E_O_RULES

This would fit into my PR conf/20202 hooks, too. :) Just change the
ipfilter_program and ipfilter_rules settings. But it still lacks
something like

  DNSHOSTS="1.2.3.4 5.6.7.8"
  REPEAT $DNSHOSTS : pass out ... from SUBST_HOST ...

which could need a little five line Perl wrapper.

And ipfw users could like this PR, too, since they could use it for the
very same mechanism -- just with ipfw behind the pipe!

And these substitutions maybe could get nested if needed like this:

  REPEAT S1 $SRC : REPEAT S2 $DEST : pass ... from S1 to S2 ...

if implemented in some intelligent way.

Has someone gotten behind the stage of thinking about this and
actually started planning or implementing it? I would be interested in
different thoughts. Or would it be better to separate the "abstract
description" from the "low level /etc/ipf.rules" with a "rules
generator" not run at ipf load time but at ruleset modification time
instead? Like some kind of vifw wrapper. :>

Feel free to reply via PM in case this thread is too far OT.


virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig        true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
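The variable and REPEAT expansion sketched in the mail above, worked out as an added example. This is not part of the original message and not code from the ipfilter project or the conf/20202 PR; it is a small POSIX sh "rules generator" of the kind the last paragraph asks about, meant to run at ruleset modification time or to be piped into "ipf -f -". The template syntax (a $NAME token, and "REPEAT X $LIST : rule" with nesting), the placeholder names, the interface fxp0 and every address in the demo are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail or from ipfilter: a tiny
# ipf rule generator.  Template on stdin, concrete rules on stdout, so it
# can run once when the ruleset changes or be piped into "ipf -f -".
#
# Assumed template syntax (modelled on the proposal in the mail):
#   $NAME                      replaced by the value of shell variable NAME
#   REPEAT X $LIST : <rule>    <rule> once per word of $LIST, with the
#                              token X replaced; <rule> may be a REPEAT too
#   blank lines, # comments    copied through unchanged
#
# Tokens are substituted one at a time; the rule text is never eval'ed, so
# "$(...)" or backquotes in a template are rejected, not executed.  An
# unset or empty variable is an error: a rule with a hole where a host
# should be must never reach the packet filter.

# lookup NAME: print shell variable NAME; fail unless NAME is a plain
# identifier with a non-empty value.
lookup() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "expand_rules: bad variable reference \$$1" >&2; return 1 ;;
    esac
    eval "[ -n \"\${$1:+set}\" ]" || {
        echo "expand_rules: \$$1 is unset or empty, refusing" >&2; return 1; }
    eval "printf '%s\n' \"\$$1\""
}

# subst_word X VALUE TEXT: replace every token equal to X in TEXT by VALUE.
subst_word() {
    out=
    for w in $3; do
        [ "$w" = "$1" ] && w=$2
        out="$out $w"
    done
    printf '%s\n' "${out# }"
}

# expand_vars LINE: replace every $NAME token by the variable's value.
expand_vars() {
    out=
    for w in $1; do
        case $w in
            \$*) w=$(lookup "${w#\$}") || return 1 ;;
        esac
        out="$out $w"
    done
    printf '%s\n' "${out# }"
}

# expand_line LINE: expand a REPEAT prefix (recursively) or plain variables.
expand_line() {
    set -- $1
    if [ "$1" = REPEAT ]; then
        [ $# -ge 5 ] && [ "$4" = : ] || {
            echo "expand_rules: malformed REPEAT: $*" >&2; return 1; }
        case $3 in
            \$*) ;;
            *) echo "expand_rules: REPEAT list must be a \$VAR: $*" >&2; return 1 ;;
        esac
        name=$2
        list=$(lookup "${3#\$}") || return 1
        shift 4
        rest=$*
        for item in $list; do
            # recurse in a subshell so the inner call cannot clobber name/rest
            ( expand_line "$(subst_word "$name" "$item" "$rest")" ) || return 1
        done
    else
        expand_vars "$*"
    fi
}

# expand_rules: the driver.  Body is a subshell so "set -f" (no filename
# globbing of rule tokens) does not leak into the caller.
expand_rules() (
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;
            *)       expand_line "$line" || exit 1 ;;
        esac
    done
)

# demo: constructed values and template, not a real ruleset.
demo() {
    MXHOST=12.34.56.78
    DNSHOSTS="1.2.3.4 5.6.7.8"
    SRC="10.0.0.1 10.0.0.2"
    DEST="192.0.2.1 192.0.2.2"
    expand_rules <<'E_O_RULES'
# one host via $VAR
pass out quick on fxp0 proto tcp from $MXHOST to any port = 25 keep state
# one rule per resolver via REPEAT
REPEAT H $DNSHOSTS : pass out quick on fxp0 proto udp from any to H port = 53 keep state
# nested REPEAT: every SRC host to every DEST host
REPEAT S1 $SRC : REPEAT S2 $DEST : pass in quick on fxp0 proto tcp from S1 to S2 port = 22 flags S keep state
block in all
E_O_RULES
}

demo
```

Two things a practitioner should check before trusting such a generator: the placeholder is replaced wherever it occurs as a whole token, so a name like "S" would also hit the "S" in "flags S" (the demo uses S1/S2 for that reason), and the generator must fail rather than emit a rule when a variable is unset or empty, because "pass out ... from  to any" is either a syntax error or a much wider rule than intended. Doing the substitution by token rather than by eval'ing the line is what keeps a template containing "$(...)" from running a command on the firewall.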