Date:      Thu, 10 Jul 2003 15:12:31 -0700
From:      "Crist J. Clark" <cristjc@comcast.net>
To:        Diego Linke - GAMK <linke@calnet.com.br>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: I have four ideia for IPFW2
Message-ID:  <20030710221231.GB60029@blossom.cjclark.org>
In-Reply-To: <20030709181308.573bacf4.linke@calnet.com.br>
References:  <20030709181308.573bacf4.linke@calnet.com.br>


On Wed, Jul 09, 2003 at 06:13:08PM -0300, Diego Linke - GAMK wrote:
> I have four ideas for IPFW2 (features):
> 
> 
> Idea 1) 
> 
> When using:
> ipfw add allow ip from any to me via xl0
> is equal:
> ipfw add allow ip from any to { IP_xl0 or IP_xl1 or IP_rl0 or ... } via xl0
> 
> My idea is a keyword specific for each interface.
> Sample:
> ipfw add allow ip from any to me_xl0 via xl0

I believe you are looking for the,

  net.inet.ip.check_interface

sysctl(8) variable.

> Idea 2)
> 
> keyword "net" :-)
> As we have the IP and netmask of each interface, it would be easy to get the net. 
> Sample:
> ipfw add allow ip from any to net_xl0 via xl0

Do you really have a firewall whose attached networks behind it change
dynamically?

For the alternate case of dynamic anti-spoofing, something like,

  ipfw add allow ip from net_xl0 to any via xl0

The 'verrevpath' option already does that.

> Idea 3)
> 
> The logs with more information, as ( tcpflags (syn,ack,fin,rst...), ipoptions, iplen, iptos, ipttl...)
> This could more be called by one keyword (ex: logfull) in the IPFW.
> Sample:
> ipfw add deny logfull ...
> 
> Or an sysctl variable :-)

I have ancient patches on my FreeBSD homepage for that. Maybe someday
I'll update them or even commit them.

> Idea 4)
> 
> When we execute:
> ipfw -qf flush
> 
> The dynamic rules are flushed.
> 
> My idea is an option to define whether or not Dyn Rules are flushed.
> Example:
> 
> ipfw -nqf flush
> 
> -n = Don't flush Dyn Rules.
> 
> This would not erase the dyn rules, only the static rules.
> As each dynamic rule is entailed to the one static rule, these dynamic rules would be disentailed UP however.

"Disentailed UP?" ENOPARSE. I think you are alluding to the problem
that dynamic rules cannot exist in ipfw(8) without a parent rule. But
I have no idea how you are proposing to get around that.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
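To illustrate the two points made in the reply, that "me" matches every local address unless net.inet.ip.check_interface narrows it to the receiving interface, and that 'verrevpath' already performs the reverse-path check the net_xl0 idea asks for, here is an added Python model. It is not code from the thread or from ipfw itself; the interface addresses and the default route are constructed, and both kernel checks are simplified.

```python
import ipaddress

# Constructed interface table (hypothetical addresses): name -> address/prefix.
IFACES = {
    "xl0": ipaddress.ip_interface("192.0.2.1/24"),     # outside
    "xl1": ipaddress.ip_interface("198.51.100.1/24"),  # DMZ
    "rl0": ipaddress.ip_interface("10.0.0.1/24"),      # inside
}

def matches_me(dst, in_iface, check_interface=False):
    """Emulate the ipfw 'me' keyword for a packet that arrived on in_iface.

    Plain 'me' matches any address configured on the box, so a packet for
    xl1's address arriving on xl0 still matches 'to me via xl0'.  With the
    net.inet.ip.check_interface sysctl set, the kernel only accepts a packet
    for a local address if it came in on the interface carrying that address
    (simplified: loopback and other special cases are ignored here)."""
    dst = ipaddress.ip_address(dst)
    if not check_interface:
        return any(dst == i.ip for i in IFACES.values())
    return dst == IFACES[in_iface].ip

def verrevpath_ok(src, in_iface):
    """Emulate the 'verrevpath' option: a route lookup on the source address
    must point back out the interface the packet arrived on.  The routing
    table here is the directly connected networks plus an assumed default
    route via xl0, so an inside address showing up on xl0 fails the check."""
    src = ipaddress.ip_address(src)
    for name, iface in IFACES.items():
        if src in iface.network:
            return name == in_iface
    return in_iface == "xl0"   # default route, assumed to leave via xl0

def allow_to_me_via(packet, iface="xl0", check_interface=False):
    """Decision of 'ipfw add allow ip from any to me via <iface>' for a
    constructed packet dict with 'in', 'src' and 'dst' keys."""
    return packet["in"] == iface and matches_me(packet["dst"], packet["in"],
                                                check_interface)

if __name__ == "__main__":
    pkt = {"in": "xl0", "src": "203.0.113.5", "dst": "198.51.100.1"}
    print("to me via xl0, plain:          ", allow_to_me_via(pkt))
    print("to me via xl0, check_interface:", allow_to_me_via(pkt, check_interface=True))
    print("verrevpath, 10.0.0.7 on xl0:   ", verrevpath_ok("10.0.0.7", "xl0"))
```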


