I have four ideas for IPFW2

Crist J. Clark cristjc at comcast.net
Thu Jul 10 15:12:58 PDT 2003


On Wed, Jul 09, 2003 at 06:13:08PM -0300, Diego Linke - GAMK wrote:
> I have four ideas for IPFW2 (features):
> 
> 
> Idea 1) 
> 
> When using:
> ipfw add allow ip from any to me via xl0
> is equal:
> ipfw add allow ip from any to { IP_xl0 or IP_xl1 or IP_rl0 or ... } via xl0
> 
> My idea is a keyword specific to each interface. 
> Sample:
> ipfw add allow ip from any to me_xl0 via xl0

I believe you are looking for the,

  net.inet.ip.check_interface

sysctl(8) variable.

> Idea 2)
> 
> keyword "net" :-)
> As we have the IP and netmask of each interface, it would be easy to get the net. 
> Sample:
> ipfw add allow ip from any to net_xl0 via xl0

Do you really have a firewall whose attached networks behind it change
dynamically?

For the alternate case of dynamic anti-spoofing, something like,

  ipfw add allow ip from net_xl0 to any via xl0

The 'verrevpath' option already does that.

> Idea 3)
> 
> Logs with more information, such as tcpflags (syn, ack, fin, rst...), ipoptions, iplen, iptos, ipttl...
> This could be called by one keyword (ex: logfull) in IPFW.
> Sample:
> ipfw add deny logfull ...
> 
> Or a sysctl variable :-)

I have ancient patches on my FreeBSD homepage for that. Maybe someday
I'll update them or even commit them.

> Idea 4)
> 
> When we execute:
> ipfw -qf flush
> 
> The dynamic rules are flushed.
> 
> My idea is an option to define whether dyn rules are flushed (Yes or No).
> Example:
> 
> ipfw -nqf flush
> 
> -n = Don't flush Dyn Rules.
> 
> This would not erase the dyn rules, only the static rules.
> As each dynamic rule is entailed to one static rule, these dynamic rules would be disentailed UP however.

"Disentailed UP?" ENOPARSE. I think you are alluding to the problem
that dynamic rules cannot exist in ipfw(8) without a parent rule. But
I have no idea how you are proposing to get around that.
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
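The thread turns on three matching behaviours that are easy to confuse: what "me" expands to, what net.inet.ip.check_interface changes, and what verrevpath checks compared with the proposed "net_xl0" keyword. The following is an added model of those checks written for this page; it is not ipfw or FreeBSD kernel code, and the interface addresses, routing table and sample packets are constructed for the example. It simplifies check_interface by ignoring the loopback and point-to-point exemptions the kernel makes.

```python
import ipaddress

# Constructed firewall configuration (assumption for this example, not taken
# from the post): three interfaces with one attached network each, and a
# default route leaving through xl0.
INTERFACES = {
    "xl0": ipaddress.ip_interface("192.0.2.1/24"),      # upstream side
    "xl1": ipaddress.ip_interface("198.51.100.1/24"),   # internal LAN
    "rl0": ipaddress.ip_interface("203.0.113.1/24"),    # DMZ
}
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "xl0")] + [
    (ifa.network, name) for name, ifa in INTERFACES.items()
]


def route_lookup(addr):
    """Longest-prefix match: which interface would a packet to addr leave by?"""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def local_interface_for(addr):
    """Interface that owns addr, or None if addr is not one of ours."""
    a = ipaddress.ip_address(addr)
    for name, ifa in INTERFACES.items():
        if ifa.ip == a:
            return name
    return None


def matches_me_via(dst, via, check_interface=False):
    """Model of 'allow ip from any to me via <via>'.

    'me' is every address configured on the box, so without
    net.inet.ip.check_interface the rule on xl0 also accepts a packet that
    arrives on xl0 addressed to xl1's or rl0's address (the
    'IP_xl0 or IP_xl1 or IP_rl0' expansion in the post). With the sysctl set,
    a packet addressed to a local address that lives on another interface is
    discarded by the kernel before the firewall sees it, which gives the
    'me_xl0' behaviour (loopback/point-to-point exemptions ignored here).
    """
    owner = local_interface_for(dst)
    if owner is None:
        return False
    if check_interface and owner != via:
        return False
    return True


def verrevpath(src, via):
    """Model of verrevpath: accept only if the route back to the source
    address leaves through the interface the packet arrived on."""
    return route_lookup(src) == via


def source_in_attached_net(src, via):
    """Model of the proposed 'allow ip from net_<if> to any via <if>' rule."""
    return ipaddress.ip_address(src) in INTERFACES[via].network


# Constructed sample packets: (src, dst, ingress interface, note)
PACKETS = [
    ("192.0.2.55",   "192.0.2.1",    "xl0", "to xl0's own address"),
    ("192.0.2.55",   "198.51.100.1", "xl0", "to the LAN-side address, via xl0"),
    ("198.51.100.9", "192.0.2.1",    "xl0", "LAN source arriving from upstream (spoofed)"),
    ("198.51.100.9", "192.0.2.1",    "xl1", "LAN source on the LAN interface"),
    ("172.16.0.9",   "192.0.2.1",    "xl1", "unrouted source on the LAN interface"),
    ("172.16.0.9",   "192.0.2.1",    "xl0", "ordinary remote source from upstream"),
]


def evaluate(packets=PACKETS):
    """Run every modelled check over the sample packets."""
    rows = []
    for src, dst, via, note in packets:
        rows.append({
            "note": note,
            "me_loose": matches_me_via(dst, via),
            "me_strict": matches_me_via(dst, via, check_interface=True),
            "verrevpath": verrevpath(src, via),
            "net_if": source_in_attached_net(src, via),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The last two packets show where verrevpath and a "net_xl0" source match part ways: on the LAN interface, whose only route is its attached network, the two agree, but on the interface carrying the default route a "from net_xl0" rule would reject every legitimate remote source while verrevpath accepts them and still rejects the spoofed LAN address.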