http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
    Alexey Solovyov 
    alekso at eu.spb.ru
       
    Tue Mar  4 09:21:20 UTC 2008
    
    
  
The subj says:
    A simple example of ruleset file can be following:
         add block in  all
         add block out all
    ... A valid ruleset script that would be equivalent to the ruleset
    file shown above would be following:
         #!/bin/sh
         ipfw -q flush
         ipfw add block in  all
         ipfw add block out all
which is not exactly true since flush is not performed in the first case.
Also, I could not find three things I was personally worried about:
- the possibility to include comments/empty lines in the ruleset, which
happened to be really possible;
- the preference of the first method in terms of performance in the case
of a huge ruleset (ipfw is executed just once);
- the ability to produce ipfw output of the current ruleset compatible
with its input (without the need for preprocessing).
With regards,
     Alex
    
    