I'm personally against modifying ipfw(4) for this purpose. It gets into the
complexity of syntax and simply violates the initial simple model of the whole
ipfw packet filter itself. I agree that FreeBSD systems acting as routers
need a more "efficient" or "better" engine by allowing per-interface firewall
hooks, but we all know the pfil_hooks API already provides this, and modifying
ipfw for this is just a mess for a little gain.

That said, pfil_hooks already provides the ifp -- so why not just write a
new firewall of your own that is totally separate from pf/ipfw? Please feel
free to make it compiled (like Crisco Turbo ACL) instead of linear
rule-by-rule checks :) You just need to make it compatible with the pfil_hooks API.

While it is good to make FreeBSD more router-like, keeping things simple for
systems acting as non-routing platforms for end users is equally important.

-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                      Boston IPv4/IPv6 Web Hosting, Colocation and
[EMAIL PROTECTED]            Network design/consulting & configuration services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net