From owner-freebsd-questions@FreeBSD.ORG Fri Dec 17 19:56:41 2004
Date: Fri, 17 Dec 2004 14:56:45 -0500
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.org
Message-ID: <20041217195645.GB50057@keyslapper.org>
References: <20041217182908.GA50057@keyslapper.org>
Subject: Re: "ipfw count" equivalent for pf

On 12/17/04 01:26 PM, Paul Schmehl sat at the `puter and typed:
> --On Friday, December 17, 2004 01:29:09 PM -0500 Louis LeBlanc
> wrote:
>
> > Control
> > After boot, PF operation can be managed using the pfctl(8) program.
> > Some example commands are:
> >
> >   # pfctl -f /etc/pf.conf      loads the pf.conf file
> >   # pfctl -nf /etc/pf.conf     parse the file, but don't load it
> >   # pfctl -Nf /etc/pf.conf     Load only the NAT rules from the file
> >   # pfctl -Rf /etc/pf.conf     Load only the filter rules from the file
> >
> >   # pfctl -sn                  Show the current NAT rules
> >   # pfctl -sr                  Show the current filter rules
> >   # pfctl -ss                  Show the current state table
> >   # pfctl -si                  Show filter stats and counters
> >   # pfctl -sa                  Show EVERYTHING it can show
> >
> > For a complete list of commands, please see the pfctl(8) man page.
> > --------
> >
> > HTH. It certainly seems like changing nat and firewall rules on the fly
> > is easier with pf. As I read and played with it, it seems to be much
> > easier, particularly when using tables and lists.
>
> I'm curious what you think is easier about the above than:
>
>   ipfw show (same as ipfw -a list)
>   ipfw -d list (show dynamic rules)
>   ipfw -S list (show the set each rule belongs to)
>   ipfw add 00400 allow blah
>   ipfw delete 00400
>   ipfw disable firewall
>   ipfw enable firewall
>   ipfw set disable (num)
>   ipfw set enable (num)
>
> Etc., etc.
>
> With ipfw you can add or delete rules on the fly as well. I do it
> regularly.
>
> If you want to reset counters to zero, use ipfw zero rulenum. If you want
> to reset the log to zero, use ipfw resetlog rulenum. (Or you can reset an
> entire set.)

Ah. Nothing really, I was referring to the fact that creating a list of
"allowed ports" and a table of "allowed IPs and/or blocks" and "blocked
IPs and/or blocks" etc. makes creating multiple rules easier than creating
a separate rule for each IP block or individual IP.

Regardless, changing the NAT rules *is* easier, unless I completely
misunderstood the NAT setup with ipfw - which is possible, but I'm still
sure I understand the pf NAT setup better.
Cheers
Lou
-- 
Louis LeBlanc
FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

What is now proved was once only imagin'd.
    -- William Blake
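As an added illustration of the two things discussed above (a list of allowed ports plus tables of allowed and blocked addresses replacing one rule per address, and the per-rule counters behind the "ipfw count" question in the subject line), here is a small pf.conf with the pfctl invocations that go with it. This is example configuration written for this page, not text from the thread, the FreeBSD handbook excerpt quoted in it, or the pf project; the interface name, addresses, table names and label are made up, and the per-entry table counters assume a pf version that supports the `counters` table option.

```pf
# Constructed example pf.conf. xl0, the addresses, the table names and the
# label are placeholders, not values from the thread.
ext_if = "xl0"

# A list (macro) of allowed ports: the single pass rule below is expanded
# into one rule per port when the file is loaded.
allowed_ports = "{ 22, 80, 443 }"

# Tables hold individual addresses and blocks. "persist" keeps a table
# even when no loaded rule references it, so entries can be added and
# removed at run time without reloading the whole ruleset. "counters"
# (assumed to be supported by the pf version in use) keeps per-address
# packet and byte counts.
table <allowed> persist counters { 192.0.2.0/24, 198.51.100.7 }
table <blocked> persist counters

# Default deny inbound on the external interface.
block in on $ext_if all

# Anything in <blocked> is dropped first, regardless of later rules.
block in quick on $ext_if from <blocked> to any

# One rule covers every allowed source and every allowed port. The label
# gives the rule a named counter, which is the closest match to an
# "ipfw count" rule: packets and bytes are tallied per label.
pass in on $ext_if proto tcp from <allowed> to any port $allowed_ports \
    flags S/SA keep state label "allowed_tcp"

# Run-time operations (typed at a root shell, shown here as comments):
#   pfctl -nf /etc/pf.conf                  syntax-check before loading
#   pfctl -f /etc/pf.conf                   load the file
#   pfctl -t blocked -T add 203.0.113.0/24  block a range with no reload
#   pfctl -t blocked -T delete 203.0.113.0/24
#   pfctl -t blocked -T show -v             per-entry packet/byte counters
#   pfctl -vsr                              rules with evaluations, packets,
#                                           bytes and states
#   pfctl -sl                               counters per label
#   pfctl -z                                zero the rule counters, the
#                                           counterpart of "ipfw zero"
```

The defensive value of the table approach is that the block list can be maintained with `pfctl -t blocked -T add` and `-T delete` while the ruleset itself stays fixed, so a mistake in an address never requires re-parsing and re-loading the filter rules; `pfctl -nf` before every full load is the check that keeps a typo in pf.conf from leaving the host with no rules at all.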