Converting from IPFW to IPFILTER

Aaron Peterson dopplecoder at gmail.com
Mon Oct 10 08:51:56 PDT 2005


On 10/10/05, Aaron Peterson <dopplecoder at gmail.com> wrote:
> Thanks. The problem is it is on a production machine that I can not have down
> for any length of time. So recompiling the kernel to remove IPFW support, and
> then configuring, troubleshooting, and tweaking IPFILTER would have access
> down too long. I'd prefer to switch back and forth from the command line
> while I get IPFILTER configured and working correctly. Then on my next
> quarterly BUILDWORLD, I can also recompile the kernel to remove IPFW support.

You can add an ipfw rule (#1 for instance) allowing all traffic.
However if you use other protocols besides IP on your network, this
might have unexpected side effects.  My understanding is that the
default deny policy drops everything that isn't IP traffic, and there
is no way to allow it using rules at that point.  Someone please
correct me if I'm wrong.  A default accept policy with a "deny all"
rule functions similarly, still allowing all non IP traffic.  If you
don't foresee this causing problems, you should be fine with a single
"allow all" rule until your change window arrives.

Aaron
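The temporary pass-through rule described above, written up as a small wrapper script (an added example, not from the original post or from FreeBSD). It assumes FreeBSD's ipfw(8) is installed, that rule number 1 is not already used by the existing ruleset, and that the machine's own ruleset is left in place underneath so it takes effect again the moment the rule is deleted. The `IPFW` variable is only there so the script can be exercised against a stub without touching a live firewall.

```shell
#!/bin/sh
# Temporary ipfw pass-through while IPFILTER is being configured.
# Example script, not part of the original post. Assumes FreeBSD ipfw(8)
# and a free rule number (1 by default, evaluated before all other rules).
IPFW="${IPFW:-ipfw}"              # command to run; override with a stub for dry runs
BYPASS_RULE="${BYPASS_RULE:-1}"   # rule number used for the allow-all rule

# Succeed only if the pass-through rule is really installed: parse the
# body of `ipfw show <num>` rather than trusting the previous command's exit status.
bypass_active() {
    "$IPFW" show "$BYPASS_RULE" 2>/dev/null | grep -q 'allow ip from any to any'
}

# Install the allow-all rule ahead of every other rule, then confirm it landed.
# While this rule is present ipfw passes everything it filters; the caveat in
# the post about traffic ipfw does not see still applies.
bypass_enable() {
    "$IPFW" -q add "$BYPASS_RULE" allow ip from any to any || return 1
    bypass_active
}

# Remove the pass-through so the normal ipfw ruleset applies again, and
# confirm it is gone (a leftover rule 1 would silently keep the firewall open).
bypass_disable() {
    "$IPFW" -q delete "$BYPASS_RULE" || return 1
    ! bypass_active
}

# Report whether the firewall is currently bypassed; exit status mirrors the answer.
bypass_status() {
    if bypass_active; then
        echo "WARNING: ipfw rule $BYPASS_RULE passes all traffic (firewall bypassed)"
        return 0
    fi
    echo "ipfw rule $BYPASS_RULE not present; normal ruleset in effect"
    return 1
}

# Command-line dispatch: ./ipfw-bypass.sh enable|disable|status
case "${1:-}" in
    enable)  bypass_enable  && echo "pass-through rule $BYPASS_RULE installed" ;;
    disable) bypass_disable && echo "pass-through rule $BYPASS_RULE removed" ;;
    status)  bypass_status ;;
esac
```

Run `status` before and after every IPFILTER change window so an allow-all rule is never left behind by accident.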
