Re: Using ipfw table names instead of numbers.
I'd argue that DNS clue pushes the firewall out from a packet inspection thing and into a user-space application inspection thing.

DNS entries in filter rules don't work as well in all situations as you'd like. :)

Adrian
(who has done this, and it doesn't quite work right in all situations thanks to split-horizon, per-user, geo-location, server-balancing DNS..)

On 6 September 2010 08:31, jhell <jh...@dataix.net> wrote:
> On 09/05/2010 11:53, Luigi Rizzo wrote:
>> whereas one might want a more dynamic behaviour (e.g. refresh whenever
>> the DNS response expires).
>
> Lord that would be nice! if only PF had this ;)
>
> --
> jhell,v

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
Re: Using ipfw table names instead of numbers.
On 09/05/2010 11:47 PM, Adrian Chadd wrote:
> I'd argue that DNS clue pushes the firewall out from a packet inspection
> thing and into a user-space application inspection thing.

It also opens up an attack vector on your firewall.

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso
Re: Using ipfw table names instead of numbers.
On 5/9/2010 12:53, Luigi Rizzo wrote:
> On Sat, Sep 04, 2010 at 10:58:44AM -0300, Anderson Eduardo wrote:
>> Hello developers,
>>
>> I use the ipfw firewall with many tables and I would like to be able to
>> use it with a name/alias instead of just numbers. E.g.:
>>
>>     lab# ipfw table 1 name lanetwork
>>     Setting table 1 to lanetwork
>>     lab# ipfw table lanetwork add 192.168.0.0/24
>>     lab# ipfw table lanetwork list
>>     192.168.0.0/24 0
>>     lab#
>>
>> I think a patch to do that is a good idea.
>
> If you have a patch feel free to post it.
> The main issue is that internally, for efficiency reasons, the name
> must be translated to a number anyways, so before implementing it one
> must decide where the name-number translation table is stored and how
> it is managed.
>
> The same applies to any name vs. number issue in ipfw/dummynet.
> Service, protocol and host names solve these issues because there is a
> well defined place for the translation table. But, for instance,
> hostname mappings are static (translated at rule insertion time)
> whereas one might want a more dynamic behaviour (e.g. refresh whenever
> the DNS response expires).
>
> cheers
> luigi

Luigi,

I did some changes just in user-land, I didn't touch the kernel. I will check if I can do that, I'm not a good developer.

Thanks.

--
Anderson Eduardo
General Director
Tel.: +55 (71) 3641-6450
Secover - Services in Technology and Information Security
http://www.secover.com.br
Re: Using ipfw table names instead of numbers.
On Sat, Sep 04, 2010 at 10:58:44AM -0300, Anderson Eduardo wrote:
> Hello developers,
>
> I use the ipfw firewall with many tables and I would like to be able to
> use it with a name/alias instead of just numbers. E.g.:
>
>     lab# ipfw table 1 name lanetwork
>     Setting table 1 to lanetwork
>     lab# ipfw table lanetwork add 192.168.0.0/24
>     lab# ipfw table lanetwork list
>     192.168.0.0/24 0
>     lab#
>
> I think a patch to do that is a good idea.

If you have a patch feel free to post it.
The main issue is that internally, for efficiency reasons, the name must be translated to a number anyways, so before implementing it one must decide where the name-number translation table is stored and how it is managed.

The same applies to any name vs. number issue in ipfw/dummynet.
Service, protocol and host names solve these issues because there is a well defined place for the translation table. But, for instance, hostname mappings are static (translated at rule insertion time) whereas one might want a more dynamic behaviour (e.g. refresh whenever the DNS response expires).

cheers
luigi
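As an added example, not code from this thread or from FreeBSD's ipfw(8), the following POSIX sh layer shows one answer to the question Luigi raises above, along the user-land lines Anderson says he took: the name-to-number translation table lives in a plain text file owned by the wrapper, and every "table <name> ..." invocation is rewritten into the numeric form the kernel understands. The map file path, the 1..127 allocation range, the IPFW variable and all function names are assumptions of this example; setting IPFW=echo dry-runs it without root or a FreeBSD box.

```shell
#!/bin/sh
# Added example: user-space name -> number alias layer for ipfw tables.
# Not part of ipfw(8); the map file, the IPFW variable and the number
# range are assumptions of this example.
#
# Map file format, one entry per line:   <name> <number>

: "${IPFW_TABLE_MAP:=/usr/local/etc/ipfw_tables.map}"   # assumed path
: "${IPFW:=ipfw}"            # set IPFW=echo to dry-run without root
MAP_MAX=127                  # assumed: tables 0..127 (kernel build-time max)

# Names end up interpolated into a command line, so accept only a
# conservative identifier charset: a hostile or mistyped name must not be
# able to smuggle shell or ipfw syntax into the rewritten command.
table_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*|[!A-Za-z_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the number bound to <name>; fail if unknown or invalid.
table_lookup() {
    table_name_ok "$1" || return 1
    [ -f "$IPFW_TABLE_MAP" ] || return 1
    awk -v n="$1" '$1 == n { print $2; found = 1; exit } END { exit !found }' \
        "$IPFW_TABLE_MAP"
}

# Return the number bound to <name>, allocating the lowest free one in
# 1..MAP_MAX on first use (0 is left alone by convention). No locking:
# concurrent allocators should wrap this in lockf(1).
table_alloc() {
    name=$1
    table_name_ok "$name" || { echo "bad table name: $name" >&2; return 1; }
    if num=$(table_lookup "$name"); then
        echo "$num"
        return 0
    fi
    i=1
    while [ "$i" -le "$MAP_MAX" ]; do
        if [ ! -f "$IPFW_TABLE_MAP" ] ||
           ! awk -v n="$i" '$2 == n { f = 1 } END { exit !f }' "$IPFW_TABLE_MAP"; then
            printf '%s %s\n' "$name" "$i" >> "$IPFW_TABLE_MAP"
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no free table number below $MAP_MAX" >&2
    return 1
}

# table_cmd <name> <ipfw table subcommand> [args...]
# e.g. table_cmd lanetwork add 192.168.0.0/24  ->  ipfw table 1 add 192.168.0.0/24
table_cmd() {
    name=$1
    shift
    num=$(table_alloc "$name") || return 1
    $IPFW table "$num" "$@"
}
```

Source the file and call table_cmd from rc scripts or a tiny front-end; rules then stay readable (table 'lanetwork') while the kernel only ever sees numbers, which is the translation point Luigi describes. Because the map is an ordinary file, the "where is the translation table stored and how is it managed" decision becomes backup, permissions and locking on that one file; what this does not give you is the dynamic DNS-driven refresh discussed later in the thread, which would be a separate process rewriting table contents, not names.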
Re: Using ipfw table names instead of numbers.
On 09/05/2010 11:53, Luigi Rizzo wrote:
> whereas one might want a more dynamic behaviour (e.g. refresh whenever
> the DNS response expires).

Lord that would be nice! if only PF had this ;)

--
jhell,v