http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
Vadim Goncharov
vadim_nuclight at mail.ru
Tue Mar 4 15:08:56 UTC 2008
Hi Alexey Solovyov!
On Tue, 4 Mar 2008 11:50:40 +0300; Alexey Solovyov wrote about 'http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html':
> The subj says:
> A simple example of ruleset file can be following:
> add block in all
> add block out all
> ... A valid ruleset script that would be equivalent to the ruleset
> file shown above would be following:
> #!/bin/sh
> ipfw -q flush
> ipfw add block in all
> ipfw add block out all
Hmmm. Why ever "add block out all"? That's pf syntax, not ipfw's. Looks
like a bug.
> which is not exactly true since flush is not performed in the first case.
> Also I could not find three things I personally worried about:
> - possibility to include comments/empty lines in the ruleset which
> happened to be really possible;
> - the preference of the first method in terms of performance in case
> of huge ruleset (ipfw is executed just once);
And the possibility to include shell variables, etc. in a script, so the script can be
more comfortable.
> - ability to produce ipfw output of the current ruleset compatible
> with its input (without the need of preprocessing).
Why? Preprocessing is an easy trick. Just do:
# to save ruleset
ipfw list > /etc/ruleset
# to restore
ipfw -p awk '{print "add " $0}' /etc/ruleset
The same is applicable not only for rules but for tables, etc.
--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
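The save/restore trick above, worked through as an added example (not from the message or from the FreeBSD handbook): a small sh function that turns "ipfw list" output into a ruleset file "ipfw -q <file>" can load directly. It goes a bit beyond the one-line awk in the thread: it skips the reserved default rule 65535, which cannot be re-added, passes comments and blank lines through, and emits a leading "flush" so the restore starts from a clean table. The sample "ipfw list" output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Convert "ipfw list" output into a ruleset file for "ipfw -q /path/to/file".
# Save with:    ipfw list | ipfw_list_to_ruleset > /etc/ruleset
# Restore with: ipfw -q /etc/ruleset   (-q also skips the flush confirmation)
ipfw_list_to_ruleset() {
    awk '
        BEGIN { print "flush" }                              # start from an empty ruleset
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { print; next } # keep blank lines and comments
        $1 == "65535" { next }                               # default rule: reserved, cannot be re-added
        { print "add " $0 }                                  # "00100 allow ..." -> "add 00100 allow ..."
    '
}

# Constructed sample of "ipfw list" output (hypothetical rules, not a real host).
SAMPLE_IPFW_LIST='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Returns the converted ruleset for the sample input.
convert_sample() {
    printf '%s\n' "$SAMPLE_IPFW_LIST" | ipfw_list_to_ruleset
}

if [ "${1:-}" = "--demo" ]; then
    convert_sample
fi
```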