"ipfw count" equivalent for pf

Louis LeBlanc FreeBSD at keyslapper.org
Fri Dec 17 11:56:41 PST 2004


On 12/17/04 01:26 PM, Paul Schmehl sat at the `puter and typed:
> --On Friday, December 17, 2004 01:29:09 PM -0500 Louis LeBlanc 
> <FreeBSD at keyslapper.org> wrote:
> >
> > Control
> > After boot, PF operation can be managed using the pfctl(8) program. Some
> > example commands are:
> >
> >      # pfctl -f /etc/pf.conf     loads the pf.conf file
> >      # pfctl -nf /etc/pf.conf    parse the file, but don't load it
> >      # pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
> >      # pfctl -Rf /etc/pf.conf    Load only the filter rules from the file
> >
> >      # pfctl -sn                 Show the current NAT rules
> >      # pfctl -sr                 Show the current filter rules
> >      # pfctl -ss                 Show the current state table
> >      # pfctl -si                 Show filter stats and counters
> >      # pfctl -sa                 Show EVERYTHING it can show
> >
> > For a complete list of commands, please see the pfctl(8) man page.
> > --------
> >
> > HTH.  It certainly seems like changing NAT and firewall rules on the fly
> > is easier with pf.  As I read and played with it, it seems to be much
> > easier, particularly when using tables and lists.
> >
> I'm curious what you think is easier about the above than:
> 
> ipfw show  (same as ipfw -a list)
> ipfw -d list (show dynamic rules)
> ipfw -S list (show the set each rule belongs to)
> ipfw add 00400 allow blah
> ipfw delete 00400
> ipfw disable firewall
> ipfw enable firewall
> ipfw set disable (num)
> ipfw set enable (num)
> 
> Etc., etc.
> 
> With ipfw you can add or delete rules on the fly as well.  I do it 
> regularly.
> 
> If you want to reset counters to zero, use ipfw zero rulenum.  If you want 
> to reset the log to zero, use ipfw resetlog rulenum.  (Or you can reset an 
> entire set.)

Ah.  Nothing really; I was referring to the fact that creating a list of
"allowed ports" and a table of "allowed IPs and/or blocks", "blocked
IPs and/or blocks", etc. makes creating multiple rules easier than
creating a separate rule for each IP block or individual IP.

Regardless, changing the NAT rules *is* easier, unless I completely
misunderstood the NAT setup with ipfw - which is possible, but I'm still
sure I understand the pf NAT setup better.

Cheers
Lou
-- 
Louis LeBlanc               FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

What is now proved was once only imagin'd.
    -- William Blake
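To put the lists, tables and NAT rules discussed in this thread next to the pfctl commands that give the "ipfw count" and "ipfw zero" equivalents, here is an added example pf.conf.  It is not from either poster; the interface names, addresses and ports are assumptions, and the rule labels are what make per-rule counters readable with pfctl -sl.

```pf
# Added example (not from the thread).  Interface names, addresses and
# ports are assumptions; adjust them for the host.
ext_if = "fxp0"
int_if = "fxp1"

# A list: one rule written against $allowed_ports expands to every port.
allowed_ports = "{ 22, 80, 443 }"

# Tables: many addresses or blocks behind a single rule.  They can be
# changed at run time without reloading the ruleset:
#   pfctl -t blocked -T add 203.0.113.9
#   pfctl -t blocked -T delete 203.0.113.9
#   pfctl -t blocked -T show
table <allowed>  { 192.0.2.0/24, 198.51.100.7 }
table <blocked>  persist

# NAT for the internal network.  Reload just this section with
#   pfctl -Nf /etc/pf.conf
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny inbound, logged.  Later matching rules override it
# unless a rule says "quick".
block in log on $ext_if all
block in quick on $ext_if from <blocked> to any label "blocked"

# One rule covers every address in the table and every port in the list.
# The label gives this rule its own counters in "pfctl -sl".
pass in on $ext_if proto tcp from <allowed> to ($ext_if) port $allowed_ports \
    flags S/SA keep state label "allowed-in"
pass out on $ext_if keep state label "outbound"
```

Check the file before loading it with pfctl -nf /etc/pf.conf, then load with pfctl -f /etc/pf.conf.  The counter equivalents are: pfctl -sl lists each label with its evaluation, packet and byte counters; pfctl -vsr prints the same statistics under every rule, labelled or not; pfctl -z zeroes the rule counters, much like ipfw zero; and pfctl -e / pfctl -d enable and disable the filter in the way ipfw enable/disable firewall does.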

