From owner-freebsd-hackers Sat Jun 19 8:30:58 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id C8B5315323; Sat, 19 Jun 1999 08:30:16 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id RAA90072; Sat, 19 Jun 1999 17:30:13 +0200 (CEST) (envelope-from des)
To: "Brian F. Feldman"
Cc: Dag-Erling Smorgrav, Doug Rabson, Ruslan Ermilov, ugen@xonix.com, hackers@FreeBSD.org, luigi@FreeBSD.org
Subject: Re: Firewalls (was Re: Introduction)
References:
From: Dag-Erling Smorgrav
Date: 19 Jun 1999 17:30:13 +0200
In-Reply-To: "Brian F. Feldman"'s message of "Sat, 19 Jun 1999 11:12:07 -0400 (EDT)"
Message-ID:
Lines: 20
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Brian F. Feldman" writes:
> On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > simple Perl script should be sufficient.
> Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> takes effect.

Just throw in 'quick' and ipfilter behaves just like ipfw.

> Note that Luigi's
> extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> before everyone is necessarily willing to switch.

Divert sockets, dummynet and credential-based filtering would be sorely missed
if they weren't ported to ipfilter.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
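
Added example, not part of the original message or of either firewall's code: a small Python model of the rule-order point discussed in the thread, showing that the same ordered ruleset yields different verdicts under first-match and last-match evaluation, and that marking every rule `quick` makes the last-match evaluator agree with the first-match one. The `Rule` class, the sample rules and packets, and the `default` verdict parameter are all constructed assumptions, not real ipfw or ipf syntax.

```python
# Added illustration: abstract model of ipfw-style vs ipf-style rule evaluation.
# Rules and packets are constructed samples, not real ipfw/ipf rule syntax.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # only consulted by the last-match evaluator

    def matches(self, pkt: dict) -> bool:
        return (self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def eval_first_match(rules, pkt, default="block"):
    """ipfw-style: the first matching rule decides the verdict."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default  # assumed default when nothing matches

def eval_last_match(rules, pkt, default="block"):
    """ipf-style: the last matching rule decides, unless a matching
    rule is marked quick, which stops evaluation at that rule."""
    verdict = default
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

def with_quick(rules):
    """Copy of the ruleset with quick set on every rule."""
    return [replace(r, quick=True) for r in rules]

# Constructed ruleset written in first-match style: specifics, then catch-all.
RULES = [Rule("pass", "tcp", 22), Rule("pass", "tcp", 80), Rule("block")]
PACKETS = [{"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 80},
           {"proto": "udp", "dport": 53}]

def verdicts(evaluator, rules, packets=PACKETS):
    return [evaluator(rules, p) for p in packets]

if __name__ == "__main__":
    print("first-match:        ", verdicts(eval_first_match, RULES))
    print("last-match, plain:  ", verdicts(eval_last_match, RULES))
    print("last-match, quick:  ", verdicts(eval_last_match, with_quick(RULES)))
```

With this ruleset a verbatim translation without `quick` blocks everything; a ruleset that ends in a catch-all pass would instead let through traffic that an earlier block rule was meant to stop, which is the case worth checking for after any automated conversion.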