Hello, I've been an ipf user for a long time. I have now mostly switched to FreeBSD IPFW because my colleagues know it better and because of its rule numbering.

After reading the manual page of ipfilter again I thought I must have been blind in the past, because it seems to have something similar. It works differently than IPFW and seems almost useless to me after some testing. Of course there's always a chance I understand/use it the wrong way and it can be used similarly to IPFW rule numbers.

Suppose I have an IPFW ruleset like this:

    100 count tcp from any to any in
    110 allow tcp from any to any telnet in
    199 deny tcp from any to any in
    200 count udp from any to any in
    210 allow udp from any to any domain in
    299 deny tcp from any to any in
    300 permit icmp from any to any

When manipulating such a ruleset I don't want to touch rules 100, 200 and 300. I may want to allow another tcp port and later on remove it, or whatever. It seems to me I can't do it with ipfilter.

I understand ipfilter evaluates rules differently than IPFW (last match vs. first match wins operation) and that it has heads and groups and whatever. Yet from the manpage it looks like it provides functionality similar to IPFW regarding numbering rules and operating only on a rule with a given number. ipfilter accepts the numbers (as stated in ipf(5)) but doesn't store the number, AFAIK. When I add rules 100, 200 and 150 with ipfilter they are listed in the 'wrong' order with ipfstat -in.

From the manual page one can get another impression of how it might work - that the number is the absolute position in the list. It doesn't seem to really work this way either. The operation changes a little when I use '@' in front of the number, but it still doesn't work. From the documentation it would seem '@' is mandatory.

I'd like to either know what the number in ipfilter really means or implement the functionality as done in IPFW. I offer my help - I believe the change shouldn't be too difficult to code and I'm a (kernel) C programmer.

Michal
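The two behaviours the post contrasts, numbered first-match evaluation (IPFW) versus positional last-match evaluation with 'quick' (ipfilter), are easy to reason about with a small model. The following is an added example, not code from the post, from ipfw or from ipfilter. It uses the post's rule numbers and ports; the class and function names, the default-deny fallback, and the reading of '@n' as a plain list index are assumptions made for the illustration, and the two sample packets are constructed.

```python
# Added illustration of numbered first-match vs. positional last-match
# rule evaluation. Not ipfw or ipfilter code; all names are assumptions.
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[int]]   # (action, rule number or list index)


class Rule:
    def __init__(self, action: str, proto: str, port: Optional[int] = None,
                 quick: bool = False) -> None:
        self.action = action   # "count", "allow" or "deny"
        self.proto = proto     # "tcp", "udp" or "icmp"
        self.port = port       # destination port; None matches any port
        self.quick = quick     # ipfilter-style 'quick': stop walking here
        self.hits = 0          # how often this rule matched

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return self.proto == proto and (self.port is None or self.port == port)


class NumberedFirstMatch:
    """IPFW-style: rules are keyed by a stable number and walked in ascending
    order; the first allow/deny match decides, 'count' rules only count."""

    def __init__(self) -> None:
        self.rules: Dict[int, Rule] = {}

    def add(self, number: int, action: str, proto: str,
            port: Optional[int] = None) -> None:
        self.rules[number] = Rule(action, proto, port)

    def delete(self, number: int) -> None:
        del self.rules[number]          # other numbers are untouched

    def evaluate(self, proto: str, port: Optional[int] = None) -> Verdict:
        for number in sorted(self.rules):
            rule = self.rules[number]
            if rule.matches(proto, port):
                rule.hits += 1
                if rule.action != "count":
                    return rule.action, number
        return "deny", None             # assumed default-deny when nothing matches


class OrderedLastMatch:
    """ipfilter-style: rules are a list in load order, the LAST matching rule
    wins unless a matching rule is 'quick', which ends the walk at once."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, action: str, proto: str, port: Optional[int] = None,
            quick: bool = False, position: Optional[int] = None) -> None:
        rule = Rule(action, proto, port, quick)
        if position is None:
            self.rules.append(rule)
        else:
            # Assumed reading of '@n': an index, so later rules shift by one.
            self.rules.insert(position, rule)

    def evaluate(self, proto: str, port: Optional[int] = None) -> Verdict:
        verdict: Verdict = ("deny", None)
        for index, rule in enumerate(self.rules):
            if rule.matches(proto, port):
                rule.hits += 1
                verdict = (rule.action, index)
                if rule.quick:
                    break
        return verdict


def build_ipfw_style() -> NumberedFirstMatch:
    """The post's ruleset; rule 299 is 'deny tcp' exactly as written there."""
    fw = NumberedFirstMatch()
    fw.add(100, "count", "tcp")
    fw.add(110, "allow", "tcp", 23)     # telnet
    fw.add(199, "deny", "tcp")
    fw.add(200, "count", "udp")
    fw.add(210, "allow", "udp", 53)     # domain
    fw.add(299, "deny", "tcp")
    fw.add(300, "allow", "icmp")
    return fw


def demo_numbered_edit() -> List[Verdict]:
    """Allow one more tcp port as rule 120, then remove it again; the
    counting rule 100 and the deny at 199 are never touched."""
    fw = build_ipfw_style()
    before = fw.evaluate("tcp", 22)     # constructed packet: falls to 199
    fw.add(120, "allow", "tcp", 22)
    during = fw.evaluate("tcp", 22)     # now decided by 120
    fw.delete(120)
    after = fw.evaluate("tcp", 22)      # back to 199
    return [before, during, after]


def demo_last_match() -> Tuple[Verdict, Verdict]:
    """Position, not a label, decides: inserting at index 0 shifts the rest."""
    fw = OrderedLastMatch()
    fw.add("deny", "tcp")                          # index 0
    fw.add("allow", "tcp", 23)                     # index 1 overrides for telnet
    first = fw.evaluate("tcp", 23)
    fw.add("deny", "tcp", quick=True, position=0)  # '@0'; old rules become 1 and 2
    second = fw.evaluate("tcp", 23)
    return first, second


if __name__ == "__main__":
    print(demo_numbered_edit())   # [('deny', 199), ('allow', 120), ('deny', 199)]
    print(demo_last_match())      # (('allow', 1), ('deny', 0))
```

The point the model makes is the one the post is after: with a stable number, adding and deleting rule 120 leaves 100 and 199 exactly where they are, whereas in a positional list an insert renumbers everything behind it, so a later delete "by number" may hit a different rule than intended.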
