From owner-freebsd-stable Fri Aug 18 19:16:39 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id CC79837B424
	for ; Fri, 18 Aug 2000 19:16:36 -0700 (PDT)
Received: (qmail 16561 invoked by uid 0); 19 Aug 2000 02:16:35 -0000
Received: from p3ee20a8c.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.140)
	by mail.gmx.net with SMTP; 19 Aug 2000 02:16:35 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id VAA10674
	for freebsd-stable@FreeBSD.ORG; Fri, 18 Aug 2000 21:57:36 +0200
Date: Fri, 18 Aug 2000 21:57:36 +0200
From: Gerhard Sittig
To: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfilter v. ipfw
Message-ID: <20000818215736.U252@speedy.gsinet>
Mail-Followup-To: freebsd-stable@FreeBSD.ORG
References: <000f01c00939$0dd7b480$b8209fc0@marlowe> <20000818141256.A29131@pir.net> <14749.32249.842000.944007@jef-nt.mdacc.tmc.edu> <002301c00946$67bd8c10$b8209fc0@marlowe>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <002301c00946$67bd8c10$b8209fc0@marlowe>; from swb@grasslake.net on Fri, Aug 18, 2000 at 01:59:14PM -0500
Organization: System Defenestrators Inc.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Aug 18, 2000 at 13:59 -0500, Shawn Barnhart wrote:
>
> While I'm creating a potential religious debate, does ipfilter
> allow you to output your rules in a format that enables them to
> be read in by ipf?  In other words, can you do ipf list > foo
> and then do ipf add -f foo ?

ipfstat's output visually fits how you write rules in your config
files.  And a quick test of

  ipfstat -in | ipf -I -Fa -f - -v

didn't give any error message.  But I admit I haven't activated and
tested the set (that's one of the advantages of having an inactive set
to fiddle with without bothering the installed rules :).  And don't
forget to handle "ipfstat -on", too.
NAT state is something you don't want to keep, I guess. :)  And
although you can list it, I wouldn't know how to restore it -- but I
don't see a big point in trying to do so.

It turns out you want to develop a rule set with

  ipf -Fa
  while not satisfied; do
    echo whatever rule | ipf -f -
      or
    edit rules; ipf -f rules
  done
  ( ipfstat -in; ipfstat -on; ) > rules

and use this (at boot time or when done fiddling) with

  ipf -Fa -f rules

And remember you can "experiment" (to some extent) with the inactive
set -- see the manpage for further help on -I and -s.  And use the info
at /usr/src/contrib/ipfilter/rules as well as the HowTo at
http://www.obfuscation.org/ipf/ and its mirrors (pir.net and others).


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
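A small script, added here as an example (it is not part of the mail above nor of the ipfilter distribution), that turns the dump/reload loop the mail describes into a safer procedure: save both rule lists the way `( ipfstat -in; ipfstat -on; ) > rules` does, sanity-check the file, load it into the inactive set with `-I -Fa -f`, and only then swap the sets with `-s`, so a broken file never displaces the live rules. It assumes ipf(8) and ipfstat(8) on PATH with the `-I`, `-Fa`, `-s`, `-f` and `-v` options the mail refers to; the function names, the list of accepted rule actions and the IPF/IPFSTAT override variables are my own.

```shell
#!/bin/sh
# Added example, not from the mail or the ipfilter distribution: wrap the
# dump/reload cycle so a saved rule file is checked and loaded into the
# inactive set before it ever becomes the live set.
# Assumes ipf(8) and ipfstat(8) on PATH with the -I, -Fa, -s, -f and -v
# options; IPF/IPFSTAT may be pointed at other binaries (or stubs) for testing.

IPF=${IPF:-ipf}
IPFSTAT=${IPFSTAT:-ipfstat}

# save_rules FILE: dump the live inbound and outbound rule lists into FILE,
# in the order ( ipfstat -in; ipfstat -on; ) that ipf -f can read back.
save_rules() {
    { "$IPFSTAT" -in; "$IPFSTAT" -on; } > "$1"
}

# lint_rules FILE: every non-blank, non-comment line must start with one of
# the common rule actions (assumed list). Reports offenders on stderr and
# returns the number of bad lines (0 = clean; the shell caps this at 255).
lint_rules() {
    nbad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|pass\ *|block\ *|log\ *|count\ *|skip\ *) ;;
            *) printf 'unexpected rule line: %s\n' "$line" >&2
               nbad=$((nbad + 1)) ;;
        esac
    done < "$1"
    return "$nbad"
}

# stage_rules FILE: flush the inactive set (-I -Fa) and load FILE into it,
# verbosely (-v). The live set is untouched, so a parse error costs nothing.
stage_rules() {
    "$IPF" -I -Fa -f "$1" -v
}

# activate_rules FILE: lint, stage, and only then swap the sets (-s).
# Any failure before the swap leaves the currently active rules in place.
activate_rules() {
    lint_rules "$1" || { echo "refusing to load $1" >&2; return 1; }
    stage_rules "$1" >/dev/null || { echo "inactive-set load failed" >&2; return 1; }
    "$IPF" -s
}

# When run directly with a file name: save the live rules to it, then push
# that file through the inactive set and swap it in.
[ $# -eq 0 ] || { save_rules "$1" && activate_rules "$1"; }
```

Run it as `sh ipfsave.sh /etc/ipf.rules` once you are done fiddling; to keep the sets identical after the swap, load the same file a second time with `stage_rules` so the now-inactive set matches the live one.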