Date: Mon, 6 Mar 2017 20:43:56 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Polytropon <freebsd@edvax.de>
Cc: Michael Wilcox <michael.wilcox2016@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: UFW-Like frontend for IPFW
Message-ID: <20170306134355.GA31641@admin.sibptus.transneft.ru>
In-Reply-To: <20170305154702.cf5ceb9d.freebsd@edvax.de>
References: <CAERNySqz7Jgws0erYqFqL9rFKr_4DWLho9sA2w2NusRs_aaprA@mail.gmail.com> <CAERNySpKTkgSAm=_CU-TRKdwdN%2BitTFwVhMTreb7XSfXcAcLyQ@mail.gmail.com> <20170305154702.cf5ceb9d.freebsd@edvax.de>

Polytropon wrote:
> On Sun, 5 Mar 2017 17:57:02 +0530, Michael Wilcox wrote:
> > I was wondering if there is any frontend for IPFW.
> >
> > Does anyone have one or must I use it directly?
>
> If I see the analogy correctly, a "UFW-like frontend" already
> is "included" with ipfw, i. e., ipfw works at a comparable
> level. If you compare the ufw commands with the ipfw commands,
> they are quite similar, so you'd use ipfw directly in the same
> manner as you use ufw to interact with iptables.
>
> As an equation:
>
>        ufw        ipfw
>     ---------- = ------
>      iptables     ipfw
>
> More or less... ;-)

There is one thing that a higher level macro language on top of ipfw
would be nice to have for.

Several times I have tried to emulate Cisco PIX/ASA logic with ipfw. I
just want to have e.g. 3 interfaces: inside, outside, dmz with security
levels of 100, 0, 50 respectively. Traffic can flow from the interface
with a higher security level to the interface with a lower security
level, and return traffic is permitted too.

Every time I have tried to express this with ipfw rules, I failed
miserably, though superficially it looks simple (with keep-state).

Has anyone done this?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
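
One way to express the security-level policy described in the message above, as an added example that is not part of the original e-mail or of any FreeBSD tool: a small sh generator that prints (does not load) ipfw rules using `recv`/`xmit` matching on the outbound pass. The interface names em0/em1/em2, the rule numbers and the function name `gen_level_rules` are assumptions, and the rule set covers transit traffic only, not traffic to or from the firewall host itself.

```shell
#!/bin/sh
# Added example: print an ipfw rule set for PIX/ASA-style security levels.
# Assumptions: interface names, rule numbering, transit traffic only.

# Usage: gen_level_rules name:ifname:level [name:ifname:level ...]
gen_level_rules() {
    n=1000
    # Packets belonging to an established flow (including return traffic)
    # are accepted here, on both the inbound and the outbound pass.
    echo "ipfw -q add $n check-state"
    n=$((n + 10))
    # On the inbound pass the outgoing interface is not known yet, so
    # forwarded packets are let through to the outbound pass, where the
    # real decision is made. Packets addressed to the firewall fall
    # through to the final deny.
    echo "ipfw -q add $n allow ip from any to not me in"
    for src in "$@"; do
        sif=${src#*:}; slvl=${sif#*:}; sif=${sif%%:*}
        for dst in "$@"; do
            dif=${dst#*:}; dlvl=${dif#*:}; dif=${dif%%:*}
            # Only higher -> lower may open a flow. Equal levels get no
            # rule, matching the PIX/ASA default for same-level traffic.
            if [ "$slvl" -gt "$dlvl" ]; then
                n=$((n + 10))
                echo "ipfw -q add $n allow ip from any to any out recv $sif xmit $dif keep-state"
            fi
        done
    done
    n=$((n + 10))
    echo "ipfw -q add $n deny ip from any to any"
}

# Constructed sample input: the three interfaces from the message.
gen_level_rules inside:em0:100 outside:em1:0 dmz:em2:50
```

Because `xmit` can only be tested on outgoing packets, every `keep-state` rule carries `out`; the dynamic rule it creates is what `check-state` later matches for the return direction.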