From owner-freebsd-stable Tue Oct 10 7: 9:29 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from yertle.kciLink.com (yertle.kciLink.com [205.252.34.9])
	by hub.freebsd.org (Postfix) with ESMTP id DE30637B66C
	for ; Tue, 10 Oct 2000 07:09:27 -0700 (PDT)
Received: from onceler.kciLink.com (onceler.kciLink.com [205.252.34.3])
	by yertle.kciLink.com (Postfix) with ESMTP
	id BCDB62E443; Tue, 10 Oct 2000 10:09:26 -0400 (EDT)
Received: (from khera@localhost)
	by onceler.kciLink.com (8.11.0/8.11.0) id e9AE9Q493543;
	Tue, 10 Oct 2000 10:09:26 -0400 (EDT)
	(envelope-from khera)
From: Vivek Khera
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14819.8982.61823.868907@onceler.kciLink.com>
Date: Tue, 10 Oct 2000 10:09:26 -0400 (EDT)
To: Gerhard Sittig
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipf vs. ipfw ?
In-Reply-To: <20001009193445.T31338@speedy.gsinet>
References: <20001008224359.R31338@speedy.gsinet>
	<20001009193445.T31338@speedy.gsinet>
X-Mailer: VM 6.72 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>>>>> "GS" == Gerhard Sittig writes:

GS> same mechanism -- just with ipfw behind the pipe! And these
GS> substitutions maybe could get nested if needed like this:
GS>   REPEAT S1 $SRC : REPEAT S2 $DEST : pass ... from S1 to S2 ...
GS> if implemented in some intelligent way. Has someone gotten
GS> behind the stage of thinking about this and actually started
GS> planning or implementing it? I would be interested in different
GS> thoughts.

ipfw lets you pre-process a file using any arbitrary pre-processor.
It recommends cpp or m4, but who's to stop you from using perl? Just
make your FW rule file be a perl program and run it thusly:

  ipfw -p /usr/bin/perl firewall.perl

and you're set. Just make sure that the output of your firewall.perl
program is a valid set of firewall rules.
I guess the only trick would be figuring out how to pass flags to your
program.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-301-545-6996
GPG & MIME spoken here            http://www.khera.org/~vivek/
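
An added example, not part of the original message or of ipfw itself: a rule generator of the kind described above, written in POSIX sh instead of perl, on the assumption that `ipfw -p /bin/sh firewall.sh` feeds the file to the interpreter on standard input just as it would for perl. The file name, address lists and rule numbers are constructed; the script expands every SRC x DEST pair into a pass rule and emits nothing at all if any list entry is not a valid IPv4 address or CIDR block.

```shell
#!/bin/sh
# firewall.sh (hypothetical name); load with: ipfw -p /bin/sh firewall.sh
# Whatever this script writes to stdout is what ipfw parses as rules.
set -f   # list entries are data, never glob patterns

# Constructed sample lists (documentation address ranges).
SRC="192.0.2.0/24 198.51.100.7"
DEST="203.0.113.10 203.0.113.11"

# valid_addr ADDR: succeed only for dotted-quad IPv4 with optional /0-32.
valid_addr() {
    case $1 in
        */*) ip=${1%%/*}; pfx=${1#*/} ;;
        *)   ip=$1; pfx=32 ;;
    esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# expand_rules BASE "SRC..." "DEST...": one pass rule per (src, dst) pair,
# numbered BASE, BASE+10, ...  Rules are buffered and printed only when
# every entry validated, so a bad list yields no output and status 1.
expand_rules() {
    n=$1 out=""
    for s in $2; do
        for d in $3; do
            valid_addr "$s" && valid_addr "$d" || {
                echo "firewall.sh: invalid address in pair '$s' '$d'" >&2
                return 1
            }
            out="${out}add $n pass ip from $s to $d
"
            n=$((n + 10))
        done
    done
    printf '%s' "$out"
}

expand_rules 1000 "$SRC" "$DEST"
```

Running the script on its own with `sh firewall.sh` shows the generated rules for review before they are handed to ipfw.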