Recommended additions to ipfw command: increment and verbosity limit

Brett Glass brett at lariat.net
Thu Feb 26 22:10:21 PST 2009


Everyone:

Reviewing the latest man page for ipfw(8), I see that the only way 
to change the automatic increment for rules is still to set a 
sysctl variable (net.inet.ip.fw.autoinc_step). This was once also 
the case for "one pass" behavior (net.inet.ip.fw.one_pass) as well 
as verbose logging, debugging messages, and the global enable bit 
for the entire firewall. However, various "ipfw enable" and "ipfw 
disable" subcommands were added over time to eliminate the need to 
set arcane sysctl variables.

The only two commonly used parameters that are still not settable 
from the ipfw(8) command seem to be autoinc_step and verbose_limit. 
(autoinc_step has to be in the range 1..1000, while verbose_limit 
seems to be able to take any unsigned integer value.)

I'd like to recommend that subcommands be added to set them, not 
only for the sake of consistency but to make it unnecessary to 
circumvent the ipfw command to configure one's firewall. The sysctl 
variables could remain to provide backward compatibility and to 
satisfy the Principle of Least Astonishment. Comments? Should I 
submit code? (Anyone qualified to be a committer should be able to 
make the changes by copying and editing a few lines, but...)

--Brett Glass
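The two sysctl-only parameters the post discusses, wrapped in a small validating front end as an added example. This is not Brett's code and not part of ipfw(8); the function names and the FW_DRY_RUN switch are assumptions of this example, and the value ranges are those stated in the post.

```shell
#!/bin/sh
# Added example: give the two remaining sysctl-only ipfw parameters an
# "ipfw-like" front end with input validation, so firewall scripts do
# not have to poke raw sysctl variables. Ranges are from the post:
# autoinc_step must be 1..1000, verbose_limit is any unsigned integer.

# is_uint VALUE -> 0 if VALUE is a non-negative decimal integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_autoinc_step VALUE -> 0 if VALUE is within 1..1000
valid_autoinc_step() {
    is_uint "$1" || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 1000 ]
}

# valid_verbose_limit VALUE -> 0 if VALUE is any unsigned integer
valid_verbose_limit() {
    is_uint "$1"
}

# fw_param_oid NAME -> prints the sysctl OID for a parameter name, else fails
fw_param_oid() {
    case "$1" in
        autoinc_step)  echo net.inet.ip.fw.autoinc_step ;;
        verbose_limit) echo net.inet.ip.fw.verbose_limit ;;
        *) return 1 ;;
    esac
}

# fw_set NAME VALUE: validate the value, then apply it with sysctl(8).
# FW_DRY_RUN=1 (an assumed switch) only prints the command, which is
# handy for checking a script on a machine that is not running ipfw.
fw_set() {
    name=$1; value=$2
    oid=$(fw_param_oid "$name") || { echo "unknown parameter: $name" >&2; return 2; }
    "valid_$name" "$value" || { echo "bad value for $name: $value" >&2; return 1; }
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "sysctl $oid=$value"
    else
        sysctl "$oid=$value"
    fi
}
```

Out-of-range values are rejected before sysctl(8) is ever invoked, which is the same check the proposed subcommands would have to perform.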
