On Sat, Jun 19, 1999 at 11:12:07AM -0400, Brian F. Feldman wrote:
> On 19 Jun 1999, Dag-Erling Smorgrav wrote:
> 
> > "Brian F. Feldman" <gr...@unixhelp.org> writes:
> > > It might be worth (discussion of) making ipfilter the firewall of
> > > choice for 4.0. There would of course be rule conversion
> > > scripts/programs (ipfw->ipf(5)), and ipfilter would be converted to
> > > a KLD, cruft removed (I'm going to work on these), and ipfilter KLD
> > > support (currently options IPFILTER_LKM) made a non-option. It seems
> > > that our pretty proprietary ipfw is no longer a good idea.
> > 
> > If ipfilter can do everything ipfw can (judging from ipf(5), it can)
> > and you even manage to keep an ipfw(8) command around so those who
> > want to keep using the old syntax still can, then I for one have no
> > objections.
> > 
> > Rewriting ipfw rules to ipfilter rules on the fly should be trivial; a
> > simple Perl script should be sufficient.
> 
> Not quite as trivial as you think. ipfw and ipf are completely backwards when
> it comes to rule order: in ipfw, the first rule matched takes effect; in ipf,
> the last rule matched takes effect. Plus, ipf doesn't have rule numbers (but
> there's similar functionality.) If you think you can get used to them both
> enough to tackle this, I'll handle other things, and we can have a working
> replacement for crufty old ipfw. Note that Luigi's extra ipfw functionality
> and my extra ipfw functionality _will_ be wanted in ipf before everyone is
> necessarily willing to switch. I have a feeling there will be some holdouts
> that, even if ipfw is removed, they'll MFS (merge from stable) ipfw back just
> because they want to keep the old way. Ipfw could be dead for 4.0-RELEASE, as
> I see it now. More discussion is, however, necessary.
> 
> > 
> > DES
> > -- 
> > Dag-Erling Smorgrav - d...@flood.ping.uio.no
> > 
> 
>  Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
>  gr...@freebsd.org                   _ __ ___ | _ ) __|   \ 
>      FreeBSD: The Power to Serve!        _ __ | _ \._ \ |) |
>        http://www.FreeBSD.org/              _ |___/___/___/ 
> 
> 
> 
> To Unsubscribe: send mail to majord...@freebsd.org
> with "unsubscribe freebsd-hackers" in the body of the message

Does ip filter now support per interface filtering based on an ip
address, not an interface name ? This was the limitation I encountered
last time I looked at it. Ran up against a few problems getting it to
run nicely with user-ppp. (Can't remember how long ago that was exactly
though, it may be fixed now, if so please ignore this :-)


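Brian's point about rule order, as an added example that is not part of the thread: a small Python model of ipfw first-match versus ipf last-match semantics (ipf without its `quick` keyword), showing that a one-to-one translation that keeps the rule order changes the verdict, and that reversing the order restores it. The `Rule` model and the sample ruleset are constructed and simplified, not real ipfw or ipf syntax.

```python
"""Model of why an ipfw -> ipf rule conversion is not a trivial rewrite.

ipfw: the first matching rule decides.  ipf (without 'quick'): every rule
is tried and the last matching rule decides.  Rules here are a constructed,
simplified model, not real ipfw/ipf syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", or "any"
    src: str               # source CIDR such as "10.0.0.0/8", or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, proto: str, src: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and (self.src == "any" or ip_address(src) in ip_network(self.src))
                and (self.dport is None or self.dport == dport))


def ipfw_decide(rules: List[Rule], proto: str, src: str, dport: int, default="deny") -> str:
    """ipfw semantics: stop at the first rule that matches."""
    for r in rules:
        if r.matches(proto, src, dport):
            return r.action
    return default


def ipf_decide(rules: List[Rule], proto: str, src: str, dport: int, default="deny") -> str:
    """ipf semantics without 'quick': keep going, the last match wins."""
    decision = default
    for r in rules:
        if r.matches(proto, src, dport):
            decision = r.action
    return decision


def ipfw_to_ipf(rules: List[Rule]) -> List[Rule]:
    """Reverse the list: ipf's last match is then exactly ipfw's first match."""
    return list(reversed(rules))


# Constructed ruleset in ipfw order: a specific deny ahead of broader allows.
IPFW_RULES = [
    Rule("deny", "tcp", "10.1.2.0/24", 22),   # block ssh from one subnet
    Rule("allow", "tcp", "10.0.0.0/8", 22),   # allow ssh from the rest of 10/8
    Rule("allow", "any", "any", None),        # everything else passes
]

if __name__ == "__main__":
    pkt = ("tcp", "10.1.2.7", 22)
    print("ipfw:", ipfw_decide(IPFW_RULES, *pkt))                      # deny
    print("ipf, same order:", ipf_decide(IPFW_RULES, *pkt))            # allow
    print("ipf, reversed:", ipf_decide(ipfw_to_ipf(IPFW_RULES), *pkt)) # deny
```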