From owner-freebsd-hackers  Sat Jun 19 11: 4: 9 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6433414BFA; Sat, 19 Jun 1999 11:03:59 -0700 (PDT)
	(envelope-from green@unixhelp.org)
Received: from localhost (green@localhost)
	by janus.syracuse.net (8.9.2/8.8.7) with ESMTP id OAA03543;
	Sat, 19 Jun 1999 14:03:33 -0400 (EDT)
Date: Sat, 19 Jun 1999 14:02:08 -0400 (EDT)
From: "Brian F. Feldman" <green@unixhelp.org>
X-Sender: green@janus.syracuse.net
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc: Doug Rabson <dfr@nlsystems.com>,
	Ruslan Ermilov <ru@ucb.crimea.ua>, ugen@xonix.com,
	hackers@FreeBSD.org, luigi@FreeBSD.org
Subject: Re: Firewalls (was Re: Introduction)
In-Reply-To: <xzpso7o8ayi.fsf@flood.ping.uio.no>
Message-ID: <Pine.BSF.4.10.9906191401020.3513-100000@janus.syracuse.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 19 Jun 1999, Dag-Erling Smorgrav wrote:

> "Brian F. Feldman" <green@unixhelp.org> writes:
> > On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> > > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > > simple Perl script should be sufficient.
> > Not quite as trivial as you think. ipfw and ipf are completely backwards when it comes
> > to rule order: in ipfw, the first rule matched takes effect; in ipf, the last rule matched
> > takes effect.
> 
> Just throw in 'quick' and ipfilter behaves just like ipfw.

I figured that out. Come to think of it, I rather like "quick" much better
than ipf's default way.

> 
> >                                                                    Note that Luigi's
> > extra ipfw functionality and my extra ipfw functionality _will_ be wanted in ipf
> > before everyone is necessarily willing to switch.
> 
> Divert sockets, dummynet and credential-based filtering would be
> sorely missed if they weren't ported to ipfilter.

Definitely. Working on ipfilter is probably better than reinventing the wheel
again.

> 
> DES
> -- 
> Dag-Erling Smorgrav - des@flood.ping.uio.no
> 

 Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
 green@FreeBSD.org                   _ __ ___ | _ ) __|   \ 
     FreeBSD: The Power to Serve!        _ __ | _ \._ \ |) |
       http://www.FreeBSD.org/              _ |___/___/___/ 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message