Date: Sat, 19 Jun 1999 14:02:08 -0400 (EDT)
From: "Brian F. Feldman" <green@unixhelp.org>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc: Doug Rabson <dfr@nlsystems.com>, Ruslan Ermilov <ru@ucb.crimea.ua>, ugen@xonix.com, hackers@FreeBSD.org, luigi@FreeBSD.org
Subject: Re: Firewalls (was Re: Introduction)
Message-ID: <Pine.BSF.4.10.9906191401020.3513-100000@janus.syracuse.net>
In-Reply-To: <xzpso7o8ayi.fsf@flood.ping.uio.no>
On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> "Brian F. Feldman" <green@unixhelp.org> writes:
> > On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> > > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > > simple Perl script should be sufficient.
> > Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> > to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> > takes effect.
>
> Just throw in 'quick' and ipfilter behaves just like ipfw.
I figured that out. Come to think of it, I rather like "quick" much better
than ipf's default way.
>
> > Note that Luigi's
> > extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> > before everyone is necessarily willing to switch.
>
> Divert sockets, dummynet and credential-based filtering would be
> sorely missed if they weren't ported to ipfilter.
Definitely. Working on ipfilter is probably better than reinventing the wheel
again.
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>
Brian Fundakowski Feldman _ __ ___ ____ ___ ___ ___
green@FreeBSD.org _ __ ___ | _ ) __| \
FreeBSD: The Power to Serve! _ __ | _ \._ \ |) |
http://www.FreeBSD.org/ _ |___/___/___/
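The rule-order point discussed in this thread, as an added example that is not part of the original message: a simplified Python model comparing first-match evaluation with last-match evaluation and showing the effect of marking every rule 'quick'. The `Rule` class, the constructed ruleset and the sample packets are assumptions for illustration, not real ipfw or ipf syntax.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not real firewall syntax
    action: str                  # "pass" or "block"
    src: str = "0.0.0.0/0"       # source network the rule applies to
    dport: Optional[int] = None  # destination port, None means any
    quick: bool = False          # only consulted by the last-match evaluator

    def matches(self, src_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and self.dport in (None, dport))

def first_match(rules, src_ip, dport, default="block"):
    """ipfw-style: the first rule that matches decides the verdict."""
    for r in rules:
        if r.matches(src_ip, dport):
            return r.action
    return default               # assumed default policy

def last_match(rules, src_ip, dport, default="block"):
    """ipf-style: the last matching rule decides, unless a match is 'quick'."""
    verdict = default
    for r in rules:
        if r.matches(src_ip, dport):
            verdict = r.action
            if r.quick:          # 'quick' stops evaluation at this rule
                break
    return verdict

def add_quick(rules):
    """Naive conversion step: keep the rule order, mark every rule quick."""
    return [replace(r, quick=True) for r in rules]

# Constructed ruleset, written in first-match order.
RULES = [
    Rule("pass", src="192.0.2.0/24", dport=22),  # admin network may reach SSH
    Rule("block", dport=22),                     # nobody else may
    Rule("pass"),                                # everything else is allowed
]
# Constructed sample packets: (source address, destination port).
PACKETS = [("192.0.2.10", 22), ("198.51.100.7", 22), ("198.51.100.7", 80)]

def verdicts(evaluate, rules):
    return [evaluate(rules, src, port) for src, port in PACKETS]

if __name__ == "__main__":
    print("first-match          :", verdicts(first_match, RULES))
    print("last-match, unchanged:", verdicts(last_match, RULES))
    print("last-match, all quick:", verdicts(last_match, add_quick(RULES)))
```

Copied over unchanged, the constructed ruleset lets the non-admin SSH packet through under last-match evaluation, which is the outcome a converter that ignored rule order would produce.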
