>Date: Sun, 29 Apr 2001 08:42:20 +0400
>From: "Andrey A. Chernov" <[EMAIL PROTECTED]>
>On Sat, Apr 28, 2001 at 21:22:59 -0700, David Wolfskill wrote:
>> I have at least one application where I generate ipfw rules in a script,
>> for a set of subnets which I read from a file at execution time. I am
>> able to use the numbers to group the firewall rules , so that for any
>> given subnet, I can predict the order in which the rules will be
>> applied.
>In the situation you describe you can _add_ rules without any harm, but you
>can't _delete_ some of them later - it causes totally unpredictable
>results, i.e. the delete operation really does not work in the current way. A better
>way would be to give all subnets unique number ranges.
Well, in that situation, the rules are sufficiently complicated that I'd
modify the script or the input list of netmask specifications, and
re-run the whole thing. :-}
How about a syntax for being able to specify which instantiation of a
given ipfw rule number you mean, and a corresponding change to the code
to iterate through those instantiations until that one is encountered?
(You can probably tell I haven't actually looked at the code....)
Cheers,
david
--
David H. Wolfskill [EMAIL PROTECTED]
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
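The workaround Andrey suggests (a unique rule-number range per subnet, so a later "ipfw delete" hits exactly one subnet's rules) as an added shell example; it is not code from this thread or from FreeBSD. It assumes a one-CIDR-per-line subnet file, a made-up numbering scheme (BASE + index * STRIDE), placeholder rule bodies, and it only prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Allocate each subnet its own ipfw rule-number range so that deleting
# by number is predictable. Dry run: commands are printed, never executed.
# File format, numbering scheme and rule bodies are assumptions.

BASE=1000   # first rule number handed out
STRIDE=10   # numbers reserved per subnet

# Base rule number for the subnet at 1-based position $1 in the file.
subnet_base() {
    echo $(( BASE + ($1 - 1) * STRIDE ))
}

# Emit "ipfw add" commands for every subnet listed in file $1.
gen_rules() {
    i=0
    while read -r net; do
        case "$net" in ''|'#'*) continue ;; esac   # skip blanks and comments
        i=$((i + 1))
        n=$(subnet_base "$i")
        echo "ipfw add $n allow tcp from $net to any 22 in"
        echo "ipfw add $((n + 1)) allow icmp from $net to any in"
        echo "ipfw add $((n + 2)) deny ip from $net to any in"
    done < "$1"
}

# Emit the "ipfw delete" command for the subnet at position $1 only:
# no other subnet shares these numbers, so nothing else is removed.
del_rules() {
    n=$(subnet_base "$1")
    echo "ipfw delete $n $((n + 1)) $((n + 2))"
}

# Write a constructed sample subnet file and print its path.
make_sample() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '10.1.0.0/24' '10.2.0.0/24' \
        '192.168.5.0/24' > "$f"
    echo "$f"
}

# Demo: generate all rules, then drop only the second subnet's rules.
SUBNETS=$(make_sample)
gen_rules "$SUBNETS"
del_rules 2
rm -f "$SUBNETS"
```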