From owner-freebsd-hackers@FreeBSD.ORG Sun Nov 30 02:59:17 2003
Date: 30 Nov 2003 10:59:12 -0000
Message-ID: <20031130105912.45288.qmail@alo.louko.com>
From: alo@iki.fi.invalid (Antti Louko)
To: stolz@i2.informatik.rwth-aachen.de
cc: hackers@freebsd.org
Subject: Re: ipfw/ipf IP filtering thoughts
In-reply-to: <20031130085211.GA14925@i2.informatik.rwth-aachen.de> (message from Volker Stolz on Sun, 30 Nov 2003 09:52:11 +0100)
References: <20031130065310.29349.qmail@alo.louko.com> <20031130085211.GA14925@i2.informatik.rwth-aachen.de>
List-Id: Technical Discussions relating to FreeBSD

Volker Stolz wrote:

> You should be able to accomplish the same -- although in a more
> convoluted way -- with ipf[w]. You might want to use a higher-level
> tool though instead of writing all the rules by hand. Try using
> fwbuilder or code your own abstraction which translates to ipfw rules.

ipfw for example doesn't have a call action. It only has the skipto action, and the information about where the skipto came from is not available anymore.

I am trying to find out whether implementing the call action would be sufficient, or whether it would also be useful to have several named search lists like iptables has. Implementing just the call action and adding a return stack to ipfw processing should be quite simple. Fwbuilder of course helps in visualizing the filter, but it doesn't help if one already has an application which creates the filters and wants to optimize the filter list search.
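The difference between skipto and a call/return pair is easier to see in a small model than in prose. The following is an added example written for this page, not code from ipfw or from the thread's authors: a toy evaluator for a numbered rule list that implements a forward-only skipto (as ipfw(8) has) and adds call/return backed by a return stack, which is the change the message above proposes. The rule numbers, packet fields, the constructed "bogon" source list and the final implicit deny are all assumptions of the example. Later versions of ipfw did gain call and return actions, but this model makes no claim about how those are implemented.

```python
"""Toy model of an ipfw-style numbered rule list with skipto and call/return.

Added example: skipto jumps forward and forgets where it came from, so a
shared sub-list cannot hand control back to whoever jumped into it.  A call
action that pushes the resume point on a stack fixes that.  Rule numbers,
packet fields and the BOGON_SRC set below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Packet = dict  # e.g. {"proto": "tcp", "src": "192.0.2.10", "dport": 22}


@dataclass
class Rule:
    number: int
    action: str                       # allow | deny | skipto | call | return
    match: Callable[[Packet], bool]
    target: Optional[int] = None      # jump target for skipto / call


# Constructed stand-in for an anti-spoofing source check.
BOGON_SRC = {"0.0.0.0", "127.0.0.1"}


def proto(p):
    return lambda pkt: pkt["proto"] == p


def proto_port(p, port):
    return lambda pkt: pkt["proto"] == p and pkt["dport"] == port


def bogon(pkt):
    return pkt["src"] in BOGON_SRC


def always(pkt):
    return True


def evaluate(rules, pkt, max_steps=1000):
    """Return (verdict, trace); trace is the list of matched rule numbers.

    Rules are walked in ascending number order and the first matching
    allow/deny decides.  Falling off the end yields 'deny' (assumed here,
    standing in for a default-deny final rule).
    """
    ordered = sorted(rules, key=lambda r: r.number)
    numbers = [r.number for r in ordered]

    def index_of(target):
        # Index of the first rule numbered >= target; len() means "past the end".
        return next((i for i, n in enumerate(numbers) if n >= target), len(ordered))

    idx, stack, trace, steps = 0, [], [], 0
    while idx < len(ordered):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("rule list does not terminate")
        rule = ordered[idx]
        if not rule.match(pkt):
            idx += 1
            continue
        trace.append(rule.number)
        if rule.action in ("allow", "deny"):
            return rule.action, trace
        if rule.action == "skipto":
            if rule.target <= rule.number:           # ipfw skipto is forward-only
                raise ValueError(f"rule {rule.number}: skipto must jump forward")
            idx = index_of(rule.target)              # resume point is lost here
        elif rule.action == "call":
            stack.append(idx + 1)                    # remember where to resume
            idx = index_of(rule.target)
        elif rule.action == "return":
            # No pending call means nowhere to go back to; this toy just
            # continues with the next rule in that case.
            idx = stack.pop() if stack else idx + 1
        else:
            raise ValueError(f"rule {rule.number}: unknown action {rule.action!r}")
    return "deny", trace


# One shared sanity sub-list at 1000+, entered from both a TCP and a UDP section.
CALL_RULES = [
    Rule(100, "call", proto("tcp"), 1000),
    Rule(110, "allow", proto_port("tcp", 22)),
    Rule(120, "deny", proto("tcp")),
    Rule(200, "call", proto("udp"), 1000),
    Rule(210, "allow", proto_port("udp", 53)),
    Rule(220, "deny", proto("udp")),
    Rule(1000, "deny", bogon),
    Rule(1010, "return", always),
]

# Same layout with skipto only: after the sub-list there is no way back.
SKIPTO_RULES = [Rule(r.number, "skipto" if r.action == "call" else r.action,
                     r.match, r.target)
                for r in CALL_RULES if r.action != "return"]

# Constructed sample packets.
SSH = {"proto": "tcp", "src": "192.0.2.10", "dport": 22}
DNS = {"proto": "udp", "src": "192.0.2.10", "dport": 53}
SPOOFED = {"proto": "tcp", "src": "127.0.0.1", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("ssh", SSH), ("dns", DNS), ("spoofed", SPOOFED)):
        print(name, "call:", evaluate(CALL_RULES, pkt),
              "skipto:", evaluate(SKIPTO_RULES, pkt))
```

With call/return, the SSH and DNS packets pass through the shared check at 1000 and return to 110 and 210 respectively, while the spoofed packet is dropped at 1000. With skipto only, the same packets reach the sub-list but never come back, so both fall off the end and are denied; the usual workaround is to duplicate the sub-list once per entry point, which is exactly the optimization problem the message is about.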