Date: Tue, 4 Mar 2008 11:46:16 +0000 (UTC)
From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: freebsd-doc@freebsd.org
Subject: Re: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
Message-ID: <slrnfsqdk8.2ceu.vadim_nuclight@hostel.avtf.net>
References: <1841805624.20080304115040@eu.spb.ru>
Hi Alexey Solovyov!

On Tue, 4 Mar 2008 11:50:40 +0300; Alexey Solovyov wrote about 'http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html':

> The subj says:
> A simple example of ruleset file can be following:
> add block in all
> add block out all
> ...
> A valid ruleset script that would be equivalent to the ruleset
> file shown above would be following:
> #!/bin/sh
> ipfw -q flush
> ipfw add block in all
> ipfw add block out all

Hmmm. Why ever "add block out all"? That's pf syntax, not ipfw's one. Looks like a bug.

> which is not exactly true since flush is not performed in the first case.
> Also I could not find three things I personally worried about:
> - possibility to include comments/empty lines in the ruleset which
> happened to be really possible;
> - the preference of the first method in terms of performance in case
> of huge ruleset (ipfw is executed just once);

And possibility to include shell variables, etc. in script, so script can be more comfortable.

> - ability to produce ipfw output of the current ruleset compatible
> with its input (without the need of preprocessing).

Why? Preprocessing is easy trick. Just do:

# to save ruleset
ipfw list > /etc/ruleset
# to restore
ipfw -p awk '{print "add " $0}' /etc/ruleset

The same is applicable for not only rules but tables, etc.

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
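The save/restore trick above, written out as an added example (not from the thread or from FreeBSD): an awk filter that turns a saved "ipfw list" dump back into "add ..." lines while tolerating the comment and empty lines the thread says a ruleset file may contain. The sample dump is constructed; ipfw_list_to_ruleset and demo are names chosen here.

```shell
# Convert saved "ipfw list" output into ruleset-file lines ("add <rule>").
# Unlike the bare awk one-liner, blank lines and "#" comments are dropped
# instead of being turned into invalid "add" commands.
# Reads stdin, writes stdout; no ipfw binary needed to run this part.
ipfw_list_to_ruleset() {
    awk '
        /^[ \t]*$/ { next }                 # skip empty lines
        /^[ \t]*#/ { next }                 # skip comment lines
        { sub(/^[ \t]+/, ""); print "add " $0 }   # keep rule number + body
    '
}

# Constructed sample of what "ipfw list > /etc/ruleset" might have saved,
# with a comment and a blank line added by hand afterwards.
SAMPLE_DUMP='# saved ruleset (constructed sample)
00100 allow ip from any to any via lo0

00200 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

# Run the filter over the sample and return the resulting ruleset text.
demo() {
    printf '%s\n' "$SAMPLE_DUMP" | ipfw_list_to_ruleset
}
```

On a FreeBSD host the output is loaded in one ipfw invocation, e.g. ipfw_list_to_ruleset < /etc/ruleset > /tmp/ruleset.new && ipfw -q /tmp/ruleset.new, which keeps the single-process speed the thread mentions.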