Date: Fri, 17 Dec 2004 14:56:45 -0500
From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: "ipfw count" equivalent for pf
Message-ID: <20041217195645.GB50057@keyslapper.org>
In-Reply-To: <B033DA8BFBA01939DD99B717@utd49554.utdallas.edu>
References: <b043a48504121611577801f1ef@mail.gmail.com> <20041217182908.GA50057@keyslapper.org> <B033DA8BFBA01939DD99B717@utd49554.utdallas.edu>
On 12/17/04 01:26 PM, Paul Schmehl sat at the `puter and typed:
> --On Friday, December 17, 2004 01:29:09 PM -0500 Louis LeBlanc
> <FreeBSD@keyslapper.org> wrote:
>
> >
> > Control
> > After boot, PF operation can be managed using the pfctl(8) program. Some
> > example commands are:
> >
> > # pfctl -f /etc/pf.conf      loads the pf.conf file
> > # pfctl -nf /etc/pf.conf     parse the file, but don't load it
> > # pfctl -Nf /etc/pf.conf     Load only the NAT rules from the file
> > # pfctl -Rf /etc/pf.conf     Load only the filter rules from the file
> >
> > # pfctl -sn                  Show the current NAT rules
> > # pfctl -sr                  Show the current filter rules
> > # pfctl -ss                  Show the current state table
> > # pfctl -si                  Show filter stats and counters
> > # pfctl -sa                  Show EVERYTHING it can show
> >
> > For a complete list of commands, please see the pfctl(8) man page.
> > --------
> >
> > HTH. It certainly seems like changing nat and firewall rules on the fly
> > is easier with pf. As I read and played with it, it seems to be much
> > easier, particularly when using tables and lists.
> >
> I'm curious what you think is easier about the above than:
>
> ipfw show                (same as ipfw -a list)
> ipfw -d list             (show dynamic rules)
> ipfw -S list             (show the set each rule belongs to)
> ipfw add 00400 allow blah
> ipfw delete 00400
> ipfw disable firewall
> ipfw enable firewall
> ipfw set disable (num)
> ipfw set enable (num)
>
> Etc., etc.
>
> With ipfw you can add or delete rules on the fly as well. I do it
> regularly.
>
> If you want to reset counters to zero, use ipfw zero rulenum. If you want
> to reset the log to zero, use ipfw resetlog rulenum. (Or you can reset an
> entire set.)

Ah. Nothing really, I was referring to the fact that creating a list of
"allowed ports" and a table of "allowed IPs and/or blocks" and "blocked IPs
and/or blocks" etc. makes creating multiple rules easier than creating a
separate rule for each IP block or individual IP.
Regardless, changing the NAT rules *is* easier, unless I completely
misunderstood the NAT setup with ipfw - which is possible, but I'm still
sure I understand the pf NAT setup better.

Cheers
Lou
-- 
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

What is now proved was once only imagin'd.
    -- William Blake
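The point about lists and tables above is easiest to see in a ruleset. The following pf.conf fragment is an added example, not part of the thread or anyone's posted configuration; the interface name em0, the port list and the RFC 5737 documentation addresses are placeholders chosen for illustration.

```pf
# Added example (not from the thread): macros (lists) and tables in pf.conf.
# Interface name, ports and addresses below are placeholders.

ext_if = "em0"                        # assumed external interface

# A list macro: one rule written against it is expanded into one rule per port.
allowed_tcp = "{ 22, 80, 443 }"

# Tables hold addresses and blocks. "persist" keeps the table even when no
# rule references it, so it can be edited at runtime with pfctl -T
# without reloading the whole ruleset.
table <allowed_hosts> persist { 192.0.2.0/24, 198.51.100.7 }
table <blocked_hosts> persist

set skip on lo0

# Anything from the blocked table is dropped first; "log" sends it to pflog(4).
block in log quick on $ext_if from <blocked_hosts> to any

# One rule covers every address in the table and every port in the list,
# instead of one rule per address/port pair.
pass in on $ext_if proto tcp from <allowed_hosts> to ($ext_if) port $allowed_tcp keep state

# Default: drop and log other inbound traffic, allow outbound with state.
block in log on $ext_if all
pass out on $ext_if all keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, as in the quoted command list. Membership of a table changes without a reload, for example `pfctl -t blocked_hosts -T add 203.0.113.5` and `pfctl -t blocked_hosts -T show`. For the counter question in the subject line, `pfctl -vsr` prints the rules together with their evaluation, packet and byte counters, and `pfctl -z` clears them, which is the closest pf has to reading and zeroing ipfw's per-rule counts.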