Date:      Mon, 9 Oct 2000 19:34:45 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: ipf vs. ipfw ?
Message-ID:  <20001009193445.T31338@speedy.gsinet>
In-Reply-To: <Pine.BSF.4.21.0010082235080.3908-100000@turtle.looksharp.net>; from bandix@looksharp.net on Sun, Oct 08, 2000 at 10:39:22PM -0400
References:  <20001008224359.R31338@speedy.gsinet> <Pine.BSF.4.21.0010082235080.3908-100000@turtle.looksharp.net>

On Sun, Oct 08, 2000 at 22:39 -0400, Brandon D. Valentine wrote:
> On Sun, 8 Oct 2000, Gerhard Sittig wrote:
> 
> >- are you already familiar with one of the languages, do you
> >  already use one or the other?  i.e. how much work is it for you
> >  to use "the other" or is either one the first effort you spend?
> 
> Just to interject a brief comment, one of the main strongpoints
> of ipf as I see it is that it is multiplatform.  This is nice
> because if your firewall dies, you can pull a box from just
> about anywhere, maybe reconfigure the hardware a bit, and drop
> in your existing ipf rules, regardless of what OS that box is
> running.

That's something other tools promise, too.  One even wouldn't
have to learn ipfw/ipf/ipchains/fw-1/whatever syntax, and could
use e.g. hlfl (high level firewall language, IIRC) instead.  This
will even provide you with more abstract (read: maybe more
readable for more complex scenarios) methods of specifying what
you mean by having the computer break it down for you into the
concrete program's syntax and maybe a multitude of rules
replacing some "closer to human thinking" words.

But OTOH this is just one more language to learn in case you
already know the destination language.  And it certainly is a
good idea to understand the lower level language, too -- to make
sure the "translator" told the machine what you wanted to tell
the machine. :)  It's always better to be safe than sorry ...


BTW:  Did anyone miss the possibility to use (shell like)
variables in ipf rules, too?  Is there someone who did something
to achieve this?  I thought of an extension like

  MXHOST=12.34.56.78
  cat | ipf -f - << E_O_RULES
  pass out ... from $MXHOST ...
  E_O_RULES

This would fit into my PR conf/20202 hooks, too. :)  Just change
the ipfilter_program and ipfilter_rules settings.  But it still
lacks something like

  DNSHOSTS="1.2.3.4  5.6.7.8"
  REPEAT $DNSHOSTS : pass out ... from SUBST_HOST ...

which could need a little five line Perl wrapper.  And ipfw users
could like this PR, too, since they could use it for the very
same mechanism -- just with ipfw behind the pipe!  And these
substitutions maybe could get nested if needed like this:

  REPEAT S1 $SRC : REPEAT S2 $DEST : pass ... from S1 to S2 ...

if implemented in some intelligent way.  Has someone gotten
behind the stage of thinking about this and actually started
planning or implementing it?  I would be interested in different
thoughts.

Or would it be better to separate the "abstract description" from
the "low level /etc/ipf.rules" with a "rules generator" not run
at ipf load time but at ruleset modification time instead?  Like
some kind of vifw wrapper. :>

Feel free to reply via PM in case this thread is too far OT.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
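Added example (not part of the post above, and not anything ipf or ipfw ship): a small "rules generator" of the kind the post sketches, written as a POSIX sh filter. It reads rule templates on stdin, expands every line of the form `REPEAT NAME item1 item2 ... : template` once per item by replacing the whole-word token NAME in the template, recurses so REPEAT lines can nest (the `REPEAT S1 ... : REPEAT S2 ...` case), and passes every other line through unchanged. Shell variables such as $MXHOST and $DNSHOSTS are expanded by the heredoc that feeds it, exactly as in the first snippet of the post, so the generator itself only has to handle REPEAT. Interface names (fxp0, fxp1), addresses and networks are constructed for the example; the post's `ipf -f -` is the only ipf invocation assumed.

```shell
#!/bin/sh
# Rule-template expander (constructed example). Input lines:
#   REPEAT NAME item1 item2 ... : template      -> one line per item
#   anything else                               -> copied verbatim
# Templates are split on whitespace, so tokens are matched as whole
# words: "S1" never matches inside "S10".

# subst_word NAME VALUE TEMPLATE: print TEMPLATE with each word equal to
# NAME replaced by VALUE (whitespace is normalised to single spaces).
subst_word() {
    out=""
    for w in $3; do
        [ "$w" = "$1" ] && w=$2
        out="$out${out:+ }$w"
    done
    printf '%s\n' "$out"
}

# expand_line LINE: emit the fully expanded rule(s) for one template line.
expand_line() {
    case $1 in
        REPEAT\ *)
            rest=${1#REPEAT }
            name=${rest%% *}          # placeholder token, e.g. S1
            rest=${rest#* }
            list=${rest%% :*}         # space separated items before " :"
            template=${rest#*: }      # everything after the first ": "
            for item in $list; do
                # Recurse in a subshell so a nested REPEAT cannot clobber
                # name/template/item of this loop.
                ( expand_line "$(subst_word "$name" "$item" "$template")" )
            done
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# gen_rules: filter stdin (templates) to stdout (concrete ipf rules).
gen_rules() {
    while IFS= read -r line; do
        expand_line "$line"
    done
}

# demo_rules: the post's three ideas in one ruleset. The heredoc expands
# the shell variables first; gen_rules then expands the REPEATs.
# Addresses, networks and interface names are constructed.
demo_rules() {
    MXHOST=12.34.56.78
    DNSHOSTS="1.2.3.4 5.6.7.8"
    NETS="10.0.0.0/24 10.0.1.0/24"
    gen_rules << E_O_RULES
pass out quick on fxp0 proto tcp from $MXHOST to any port = 25 keep state
REPEAT SUBST_HOST $DNSHOSTS : pass out quick on fxp0 proto udp from any to SUBST_HOST port = 53 keep state
REPEAT S1 $NETS : REPEAT S2 $DNSHOSTS : pass in quick on fxp1 proto udp from S1 to S2 port = 53 keep state
E_O_RULES
}

# Inspect the generated ruleset, then load it the way the post does:
#   demo_rules | ipf -f -
demo_rules
```

Running the generator at ruleset modification time (as the post's last paragraph suggests) rather than at load time has the advantage that the expanded, low-level /etc/ipf.rules can be read and diffed before it is loaded, which is the "understand the lower level language" check from earlier in the message.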


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001009193445.T31338>