On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote:
I'm contemplating the following changes to functionality:
I'd like suggestions and comments...

1/ Commit capability
 In this change you declare a new firewall,
 and modify/build it, and then you 'commit' it so that
 the whole change is atomic.
[ ... ]
5/ ability to have multiple firewalls.. (extension of (1))
 ipfw new 1  ipfw rules 1 add ....
 ....
 ipfw commit 1 bridge "bridge0"

 different rule sets for different entry points.
ethernet layer (Layer2), IP output, bridging, IP input, different input interfaces?

6/ corollary of 5
  ability for one firewall to call into another..
  ipfw new 2   ipfw add [IP tests]


  ipfw new 1
  ipfw rules 1 add 1000 check rules 2 mac-type ipv4
  commit 2 bridge

It seems to me that IPFW2 already has these three capabilities?
From the manpage:

Also, each rule belongs to one of 32 different sets, and there are ipfw commands to atomically manipulate sets, such as enable, disable, swap sets, move all rules in a set to another one, delete all rules in a set. These can be useful to install temporary configurations, or to test them.
See Section SETS OF RULES for more information on sets.
[ ... ]
SETS OF RULES
     Each rule belongs to one of 32 different sets, numbered 0 to 31. Set 31
     is reserved for the default rule.

     By default, rules are put in set 0, unless you use the set N attribute
     when entering a new rule. Sets can be individually and atomically
     enabled or disabled, so this mechanism permits an easy way to store
     multiple configurations of the firewall and quickly (and atomically)
     switch between them. The command to enable/disable sets is
[ ... ]

--
-Chuck
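The set-based workflow the manpage excerpt describes, written out as an added shell example (it is not code from this thread or from the ipfw project): the new rules are loaded into a disabled scratch set, so traffic never sees a half-built configuration, and a single `ipfw set swap` makes them live, which is the atomic "commit" from point 1 of the proposal. The set numbers 0 and 1, the starting rule number 100 and the `IPFW` variable used for dry runs are assumptions of the example.

```shell
#!/bin/sh
# Atomic rule-set replacement using ipfw's existing sets (0..31).
# IPFW defaults to the real binary; IPFW=echo gives a dry run that only
# prints the command sequence instead of touching the kernel.
IPFW="${IPFW:-ipfw}"

# ipfw_commit LIVE STAGE < rules
#   LIVE  - the set currently carrying traffic (0 by default in ipfw)
#   STAGE - a set used only as a scratch area (assumed free here)
# stdin holds one rule body per line (everything after "ipfw add N").
# Rules are added with "set STAGE" while that set is disabled, then
# "set swap" exchanges the two set numbers: the new rules take the
# enabled number and the old rules move to the disabled one, where they
# stay available for rollback.
ipfw_commit() {
    live="$1"; stage="$2"; num=100             # 100 is an assumed start
    [ "$live" != "$stage" ] || return 1        # swapping a set with itself is a no-op
    "$IPFW" set disable "$stage" || return 1   # scratch set must not match traffic
    "$IFPW_UNUSED" 2>/dev/null; unset IFPW_UNUSED  # (no-op; keeps sh quiet on old shells)
    "$IPFW" delete set "$stage" 2>/dev/null || true   # may already be empty
    while IFS= read -r body; do
        [ -n "$body" ] || continue
        # $body is intentionally unquoted: each word is one ipfw token
        "$IPFW" add "$num" set "$stage" $body || return 1
        num=$((num + 100))
    done
    "$IPFW" set swap "$live" "$stage"          # the atomic cut-over
}

# ipfw_rollback LIVE STAGE: one more swap puts the previous rules back.
ipfw_rollback() {
    "$IPFW" set swap "$1" "$2"
}
```

Run as root on a FreeBSD host with `printf '%s\n' 'allow ip from any to any' | ipfw_commit 0 1`; prefix with `IPFW=echo` first to review the exact commands it will issue.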
