From owner-freebsd-hackers Sun Mar 28 8:30:18 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by hub.freebsd.org (Postfix) with SMTP id 6C05D155C8; Sun, 28 Mar 1999 08:30:07 -0800 (PST) (envelope-from luigi@labinfo.iet.unipi.it)
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id PAA03730; Sun, 28 Mar 1999 15:48:36 +0200
From: Luigi Rizzo
Message-Id: <199903281348.PAA03730@labinfo.iet.unipi.it>
Subject: Re: ipfw behavior, is it normal?
To: jmb@hub.freebsd.org (Jonathan M. Bresler)
Date: Sun, 28 Mar 1999 15:48:36 +0200 (MET DST)
Cc: housley@frenchknot.ne.mediaone.net, noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <19990328152846.B065314C14@hub.freebsd.org> from "Jonathan M. Bresler" at Mar 28, 99 07:28:27 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1440
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > should we add another instruction to ipfw
> >
> >     between A and B ...
> >
> > to ease life in configuring firewalls ? Performance of a ruleset
> > will be only marginally improved, but having simpler rules will
> > indirectly make configurations more secure by reducing mistakes.
>
> i understand between to be a shortcut that replaces "from A to B"
> and "from B to A".

functionally, yes. but it would map to (and you would see) only a single
ipfw rule.

> i prefer the present syntax, it allows me to control who originates
> the connection.

"add" does not mean "replace"! the old syntax would still be valid.

> seems to me that the new syntax would not be used very frequently.
> most of my rules (27 of 30) have "any" as one endpoint. don't think
> that i want to use a "between" in combination with "any".

i guess this is just a matter of preference (or use!). e.g. you (?)
said to use "accept tcp from any to any estab" as a catchall for the
reverse path (possibly because you want to allow connection opens only
from within your net ?), whereas i more frequently use bridge-based
firewalls to control some internal labs, and there paths are much more
symmetric.

> seems to me that it's better to have people understand what they are
> configuring rather than make the configuration syntax hide the
> asymmetric nature of tcp.

it just makes life easier for the average user.

cheers
luigi
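An added illustration of the two positions in the thread (not code from the thread or from ipfw): a tiny expander for the proposed "between A and B" shorthand, plus a check of which sources a ruleset lets originate TCP connections. The "between" grammar, the rule lists and the helper names are constructed for this example; ipfw itself has no "between" keyword, and rule order and deny rules are ignored to keep the point visible.

```python
import re

# Constructed shorthand grammar (the "between" proposed in the thread, not a real ipfw keyword):
#   <action> <proto> between <A> and <B> [options...]
# It abbreviates the real ipfw form, once in each direction:
#   <action> <proto> from <A> to <B> [options...]
ACTIONS = r"allow|accept|pass|deny|drop|reject"
BETWEEN_RE = re.compile(
    rf"^(?P<action>{ACTIONS})\s+(?P<proto>\S+)\s+between\s+(?P<a>\S+)\s+and\s+(?P<b>\S+)(?P<opts>(?:\s+\S+)*)$")
FROMTO_RE = re.compile(
    rf"^(?P<action>{ACTIONS})\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>(?:\s+\S+)*)$")

def expand_between(rule: str) -> list:
    """Expand one 'between' rule into the from/to pair it stands for; other rules pass through."""
    rule = " ".join(rule.split())
    m = BETWEEN_RE.match(rule)
    if not m:
        return [rule]
    opts = m["opts"]          # empty, or " opt1 opt2 ..." with its leading space
    a, b = m["a"], m["b"]
    rules = [f"{m['action']} {m['proto']} from {a} to {b}{opts}"]
    if a != b:                # A == B would just duplicate the rule
        rules.append(f"{m['action']} {m['proto']} from {b} to {a}{opts}")
    return rules

def tcp_originators(ruleset: list) -> set:
    """Sources a ruleset allows to open TCP connections: an accept rule for tcp matches the
    initial SYN unless it is limited to 'established' (ACK or RST set). Order and deny
    rules are deliberately ignored; the full keyword 'established' is required ('estab' is not parsed)."""
    accept = {"allow", "accept", "pass"}
    out = set()
    for line in ruleset:
        for r in expand_between(line):
            m = FROMTO_RE.match(r)
            if not m or m["action"] not in accept or m["proto"] != "tcp":
                continue
            if "established" in m["opts"].split():
                continue      # never matches the SYN that starts a connection
            out.add(m["src"])
    return out

# Jonathan's style: only the internal net may open connections; replies return via 'established'.
ASYMMETRIC = ["allow tcp from 10.0.0.0/24 to any setup",
              "allow tcp from any to any established"]
# The proposed shorthand used with 'any' as one endpoint: both sides may originate.
SYMMETRIC = ["allow tcp between 10.0.0.0/24 and any"]

if __name__ == "__main__":
    for rs in (ASYMMETRIC, SYMMETRIC):
        expanded = [r for line in rs for r in expand_between(line)]
        print(expanded, "->", tcp_originators(rs))
```

Running it shows the asymmetric pair lets only 10.0.0.0/24 originate, while the single "between ... and any" rule lets both 10.0.0.0/24 and "any" originate, which is exactly the control Jonathan says he wants to keep.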