On 12/17/04 01:26 PM, Paul Schmehl sat at the `puter and typed:
> --On Friday, December 17, 2004 01:29:09 PM -0500 Louis LeBlanc
> <[EMAIL PROTECTED]> wrote:
>
> > Control
> > After boot, PF operation can be managed using the pfctl(8) program. Some
> > example commands are:
> >
> > # pfctl -f /etc/pf.conf     loads the pf.conf file
> > # pfctl -nf /etc/pf.conf    parse the file, but don't load it
> > # pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
> > # pfctl -Rf /etc/pf.conf    Load only the filter rules from the file
> >
> > # pfctl -sn                 Show the current NAT rules
> > # pfctl -sr                 Show the current filter rules
> > # pfctl -ss                 Show the current state table
> > # pfctl -si                 Show filter stats and counters
> > # pfctl -sa                 Show EVERYTHING it can show
> >
> > For a complete list of commands, please see the pfctl(8) man page.
> > --------
> >
> > HTH. It certainly seems like changing nat and firewall rules on the fly
> > is easier with pf. As I read and played with it, it seems to be much
> > easier, particularly when using tables and lists.
>
> I'm curious what you think is easier about the above than:
>
> ipfw show (same as ipfw -a list)
> ipfw -d list (show dynamic rules)
> ipfw -S list (show the set each rule belongs to)
> ipfw add 00400 allow blah
> ipfw delete 00400
> ipfw disable firewall
> ipfw enable firewall
> ipfw set disable (num)
> ipfw set enable (num)
>
> Etc., etc.
>
> With ipfw you can add or delete rules on the fly as well. I do it
> regularly.
>
> If you want to reset counters to zero, use ipfw zero rulenum. If you want
> to reset the log to zero, use ipfw resetlog rulenum. (Or you can reset an
> entire set.)
Ah. Nothing really; I was referring to the fact that creating a list of "allowed ports" and a table of "allowed IPs and/or blocks" and "blocked IPs and/or blocks" etc. makes creating multiple rules easier than creating a separate rule for each IP block or individual IP.

Regardless, changing the NAT rules *is* easier, unless I completely misunderstood the NAT setup with ipfw - which is possible, but I'm still sure I understand the pf NAT setup better.

Cheers
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
What is now proved was once only imagin'd. -- William Blake
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
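To illustrate the lists-and-tables point Lou makes above, here is a constructed pf.conf fragment added to this page (not part of the thread or of either poster's configuration); the interface names, networks and addresses are made-up placeholders, and the pfctl(8) invocations in the trailing comments are the table-management commands from the man page.

```pf
# Constructed example: interface names, networks and addresses are placeholders.
ext_if = "fxp0"
int_if = "fxp1"
internal_net = "192.168.1.0/24"

# A list of allowed ports held in one macro; pf expands it into one rule
# per port when the ruleset is loaded, so the admin maintains a single line.
allowed_tcp = "{ 22, 80, 443 }"

# Tables hold many addresses or blocks under one name and can be edited
# while pf is running, without reloading the ruleset.
# (The file named for <blocked> must exist when the ruleset is loaded.)
table <friends> persist { 192.0.2.0/24, 198.51.100.7 }
table <blocked> persist file "/etc/pf.blocked"

scrub in all

# NAT for the internal network, translating to whatever address $ext_if holds.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default deny inbound on the external interface; log what is dropped.
block in log on $ext_if all

# One rule covers every address in <blocked>; no per-block rule is needed.
block in quick on $ext_if from <blocked> to any

# One rule covers every address in <friends> for every port in $allowed_tcp.
pass in on $ext_if proto tcp from <friends> to ($ext_if) port $allowed_tcp \
    flags S/SA keep state

pass out on $ext_if keep state

# Runtime management, showing how the tables change without a reload:
#   pfctl -nf /etc/pf.conf                  parse only, catch syntax errors first
#   pfctl -t blocked -T add 203.0.113.5     add an address to <blocked>
#   pfctl -t blocked -T delete 203.0.113.5  remove it again
#   pfctl -t friends -T show                list the table's current contents
#   pfctl -sr                               show the rules the port list expanded to
```

Running `pfctl -sr` after loading shows the single `pass in` line above as three rules, one per port, which is the expansion Lou is referring to.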