From owner-freebsd-hackers Fri Jun 18 19:40:45 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15])
	by hub.freebsd.org (Postfix) with ESMTP id 0256814CB6
	for ; Fri, 18 Jun 1999 19:40:34 -0700 (PDT)
	(envelope-from green@unixhelp.org)
Received: from localhost (green@localhost)
	by janus.syracuse.net (8.9.2/8.8.7) with ESMTP id WAA86336;
	Fri, 18 Jun 1999 22:39:22 -0400 (EDT)
Date: Fri, 18 Jun 1999 22:37:57 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@janus.syracuse.net
To: Darren Reed
Cc: npp@distortion.dk, ru@ucb.crimea.ua, hackers@FreeBSD.ORG
Subject: Re: firewalling (Was Re: Introduction)
In-Reply-To: <199906190228.MAA11563@avalon.reed.wattle.id.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 19 Jun 1999, Darren Reed wrote:

> In some email I received from Brian Fundakowski Feldman, sie wrote:
> > How do you feel about (after getting it fixed in -CURRENT) helping with
> > converting ipfw(8) to just a front-end to ipf? I think it's worth discussing
> > whether it's actually worth it to rewrite IPFW or just work on improving
> > ipfilter. (discussion moved to -hackers)
>
> I imagine they might be fighting words to some ;) As I see it, if you
> added hooks for divert to ipfilter in FreeBSD and maybe added the rule
> number bits (I *know* there are going to be people who'd just die without
> it) then I can't see why you'd need ipfw. I imagine that would be a hell
> of a lot less work than bringing the features of ipfilter into ipfw.
>
> It'd also be one of those steps forward in compatibility between the various
> BSDs...

Yes, and I know it might take some work. I'd like to have something good be
the default in FreeBSD, and I feel that maybe if ipfilter can be brought
to the foreground well and made backward compatible (i.e. ipfw(8) to
translate (perl? /bin/sh? idunno)), it will be a winning thing. I'd of
course like to add UID/GID support to ipfilter like I did to IPFW (but didn't
commit).

IPFW is nearing the end of its maintainable life. It needs a pretty large
rewrite or full replacement pretty soon. If we can get ipfilter in src/contrib
kept up-to-date and working, supplying a replacement for ipfw(8) as a
front-end, I don't see why ipfilter can't be the "FreeBSD firewall."

>
> Darren
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
>

 Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___
 green@FreeBSD.org                   _ __ ___ | _ ) __|   \
     FreeBSD: The Power to Serve!        _ __ | _ \._ \ |) |
       http://www.FreeBSD.org/              _ |___/___/___/