From owner-freebsd-doc@FreeBSD.ORG Tue Mar 4 15:08:56 2008
From: Vadim Goncharov
To: freebsd-doc@freebsd.org
Date: Tue, 4 Mar 2008 11:46:16 +0000 (UTC)
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
References: <1841805624.20080304115040@eu.spb.ru>
X-Comment-To: Alexey Solovyov
User-Agent: slrn/0.9.8.1 (FreeBSD)
Subject: Re: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
Reply-To: vadim_nuclight@mail.ru
List-Id: Documentation project

Hi Alexey Solovyov!
On Tue, 4 Mar 2008 11:50:40 +0300; Alexey Solovyov wrote about 'http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html':

> The subj says:
> A simple example of a ruleset file can be the following:
> add block in all
> add block out all
> ...
> A valid ruleset script that would be equivalent to the ruleset
> file shown above would be the following:
> #!/bin/sh
> ipfw -q flush
> ipfw add block in all
> ipfw add block out all

Hmmm. Why ever "add block out all"? That's pf syntax, not ipfw's. Looks like a bug.

> which is not exactly true since flush is not performed in the first case.
> Also I could not find three things I personally worried about:
> - the possibility to include comments/empty lines in the ruleset, which
>   happened to be really possible;
> - the preference of the first method in terms of performance in case
>   of a huge ruleset (ipfw is executed just once);

And the possibility to include shell variables, etc. in the script, so the script can be more comfortable.

> - the ability to produce ipfw output of the current ruleset compatible
>   with its input (without the need of preprocessing).

Why? Preprocessing is an easy trick. Just do:

  # to save ruleset
  ipfw list > /etc/ruleset
  # to restore
  ipfw -p awk '{print "add " $0}' /etc/ruleset

The same is applicable not only for rules but tables, etc.

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
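As an added example (not part of this mail, the handbook, or ipfw itself), here is a small POSIX sh preprocessor that generalises the awk one-liner above: it prefixes saved `ipfw list` output with `add `, passes comments and blank lines through untouched so a hand-edited saved file still loads, and also covers `ipfw table N list` output, which the mail mentions but does not show. The function names and the sample `ipfw list` / `ipfw table 1 list` output are constructed for illustration; no ipfw binary is run. It assumes ipfw's documented `-p preproc` behaviour of handing the ruleset pathname to the preprocessor as its last argument.

```shell
#!/bin/sh
# Added example, not code from the original mail or from ipfw.
# Turns saved "ipfw list" / "ipfw table N list" output back into
# commands that "ipfw <file>" accepts. All sample data is constructed.

# rules_to_input [FILE...]: prefix each rule line with "add ".
# Blank lines and '#' comments pass through unchanged (ipfw accepts
# them in a ruleset file), so an annotated saved ruleset stays loadable.
rules_to_input() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { print; next }  # comments, blank lines
        { print "add " $0 }
    ' "$@"
}

# table_to_input TABLE [FILE...]: turn the "addr value" lines printed by
# "ipfw table TABLE list" into "table TABLE add addr value" commands.
table_to_input() {
    t="$1"; shift
    awk -v t="$t" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { print; next }
        { print "table " t " add " $0 }
    ' "$@"
}

# Constructed sample of what "ipfw list" prints (rule number first),
# with a comment and a blank line added by hand after saving.
SAMPLE_RULES='# default loopback rules
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8

65535 deny ip from any to any'

# Constructed sample of what "ipfw table 1 list" prints (addr, value).
SAMPLE_TABLE='10.0.0.0/8 0
192.168.1.0/24 1'

# count_add_lines: how many "add " commands SAMPLE_RULES yields (expect 3).
count_add_lines() {
    printf '%s\n' "$SAMPLE_RULES" | rules_to_input | grep -c '^add '
}

# first_table_cmd: first command generated from SAMPLE_TABLE for table 1.
first_table_cmd() {
    printf '%s\n' "$SAMPLE_TABLE" | table_to_input 1 | head -n 1
}

# With a file argument the script acts as an ipfw preprocessor, e.g.
#   ipfw list > /etc/ruleset                      # save
#   ipfw -p sh /path/to/this.sh /etc/ruleset      # restore
# (ipfw appends the pathname as the last argument). Without arguments
# it just shows the constructed samples converted.
if [ $# -gt 0 ]; then
    rules_to_input "$@"
else
    printf '%s\n' "$SAMPLE_RULES" | rules_to_input
    printf '%s\n' "$SAMPLE_TABLE" | table_to_input 1
fi
```

The comment and blank-line pass-through is the part the plain `'{print "add " $0}'` one-liner lacks: with the one-liner, a `# comment` line in the saved file would become `add # comment`, which ipfw rejects, so the whole restore fails.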