Julian Elischer wrote:
>
> On Mon, 18 Oct 1999, Jerry Bell wrote:
>
> > I have a few proposed additions to IPFW that I'd like to get feedback
> > on. The changes are mostly from my experience with other (commercial)
> > firewalls.
> >
> > Change source and destination identifier in the rule processing from one
> > IP address (or range of addresses) to an array of IP addresses (or range
> > of IP addresses). This allows for a more manageable rulebase.
> > ex. ipfw add pass all from 10.0.0.1/24,10.0.1.0/24 to
> > 10.0.0.1/24,10.0.1.0/24
> > The real advantage is being able to do something like this:
> >
> > #!/bin/sh
> > dnservers=10.0.0.1,10.0.0.2,10.0.0.3
> > smtpservers=10.0.0.4,10.0.0.5,10.0.0.6
> > ipfw add pass udp from any to $dnservers 53
> > ipfw add pass tcp from any to $smtpservers 25
> >
> > ... and so on.
> but you need to store this somewhere..
> the present system of fixed structures doesn't support this without an
> enormous waste of space...I'm not sure how useful it would be in
> practice..
>
> It would require rewriting of large parts of the code, not to mention a
> complete rewrite of the interface and user program.
> This is the kind of thing that is easy to say to a human and a bitch to
> implement.
Yes. Besides:
#!/bin/sh
# Quote the lists, or the shell treats the second address as a command.
dnservers="10.0.0.1 10.0.0.2 10.0.0.3"
smtpservers="10.0.0.4 10.0.0.5 10.0.0.6"
for addr in $dnservers
do
    ipfw add pass udp from any to $addr 53
done
for addr in $smtpservers
do
    ipfw add pass tcp from any to $addr 25
done
After all, it's *sh* you are running. It has power.
> This can already be done with a daemon without
> any ipfw changes..
>
> The daemon adds a rule to allow itself to be connected to.
> When it gets a successful authentication, it
> adds more rules to allow the successful user in.
Yup. See divert.
--
Daniel C. Sobral (8-DCS)
[EMAIL PROTECTED]
[EMAIL PROTECTED]
"People call him Neutron Star, 'cuz his so dense lights bends
around him."
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
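The per-address loop from Daniel's reply, extended as an added example (not code from the thread): every address in a server list is checked before any rule is emitted, so a typo in the list fails loudly instead of quietly producing a wrong rule. IPFW_CMD is an assumed knob; it defaults to echo so the rules can be reviewed before being applied with the real ipfw.

```sh
#!/bin/sh
# Added example, not code from the thread.  IPFW_CMD is an assumed knob:
# leave it as "echo" to print the rules for review, set it to "ipfw" to apply.
IPFW_CMD="${IPFW_CMD:-echo}"

# valid_addr ADDR : succeed if ADDR is a dotted quad with an optional /0-32
# mask.  The body is a subshell so changing IFS does not leak to the caller;
# "exit" therefore ends only this subshell, not the script.
valid_addr() (
    case "$1" in
        */*) ip="${1%/*}"; mask="${1#*/}" ;;
        *)   ip="$1";      mask=32 ;;
    esac
    case "$mask" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$mask" -le 32 ] || exit 1
    IFS=.
    set -- $ip                      # split on dots only
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)

# add_rules PROTO PORT ADDR... : one "pass PROTO from any to ADDR PORT" rule
# per address.  If any address is malformed, emit nothing and return 1.
add_rules() {
    proto="$1"; port="$2"; shift 2
    for addr in "$@"; do
        valid_addr "$addr" || { echo "add_rules: bad address '$addr'" >&2; return 1; }
    done
    for addr in "$@"; do
        $IPFW_CMD add pass "$proto" from any to "$addr" "$port"
    done
}

# Constructed sample lists, same shape as the thread's dnservers/smtpservers.
dnsservers="10.0.0.1 10.0.0.2 10.0.0.3"
smtpservers="10.0.0.4 10.0.0.5 10.0.0.6"
add_rules udp 53 $dnsservers
add_rules tcp 25 $smtpservers
```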