To convert your existing filter configuration file to the 3.0 format:

o The allow table has been renamed to the override table so you will need
  to change all occurrences of the 'allow' keyword to 'override'.

o A new filter table has been added for incoming ICMP filtering.  As
  with all of the filter tables, by default everything is blocked and
  you have to explicitly allow access.  To provide the same behavior as
  version 2.x, add <0-18/icmp in> to the default class.  You will also
  need to add this to the hosts included in the filter config file.
  Instead of allowing all ICMP, you might want to exclude ICMP type 5,
  which is ICMP redirect.

o The 'network' command has changed.  When an address range is specified,
  a network mask is not needed so it has been removed from the syntax.
  You must remove the network mask specified for a range of addresses.
  (It was never used anyway.)


Other New Features:

o In Drawbridge 2.x, the reject table could be used to prevent IP spoofing
  from the outside to the inside.  Now, in 3.0, there is also a new table
  called 'accept' that may be used to prevent IP spoofing from the inside
  to the outside.

o The table (accept, reject, override) logic has been redesigned to add
  the ability to have inverse rules by using the '~' symbol.  This allows
  a single IP address or a small range of addresses to be excluded from a
  table rule.  For example:

     reject 123.45.0.0 255.255.0.0
     reject ~123.45.67.89 255.255.255.255   # allow this one address
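
  To check which addresses a table with inverse rules actually covers
  before deploying it, the two lines above can be modelled as follows.
  This is an added example, not Drawbridge code; it assumes an address
  is in a table when a plain entry covers it and no '~' entry does, and
  the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the two reject lines from the example above.
SAMPLE = """\
reject 123.45.0.0 255.255.0.0
reject ~123.45.67.89 255.255.255.255   # allow this one address
"""


def parse_table(text, keyword):
    """Collect (plain, inverse) networks for one table keyword."""
    plain, inverse = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) != 3 or fields[0] != keyword:
            continue
        addr, mask = fields[1], fields[2]
        inverted = addr.startswith("~")
        # strict=True rejects an address with host bits set under the mask,
        # which usually means the mask was mistyped.
        net = ipaddress.ip_network(f"{addr.lstrip('~')}/{mask}", strict=True)
        (inverse if inverted else plain).append(net)
    return plain, inverse


def in_table(ip, plain, inverse):
    """Assumed semantics: covered by a plain entry and by no '~' entry."""
    ip = ipaddress.ip_address(ip)
    if any(ip in net for net in inverse):
        return False
    return any(ip in net for net in plain)


def check(text, keyword, addresses):
    """Map each address to True if the table applies to it."""
    plain, inverse = parse_table(text, keyword)
    return {a: in_table(a, plain, inverse) for a in addresses}


if __name__ == "__main__":
    probes = ["123.45.1.1", "123.45.67.89", "123.45.67.90", "10.0.0.1"]
    for addr, hit in check(SAMPLE, "reject", probes).items():
        print(f"{addr:15} {'rejected' if hit else 'not in reject table'}")
```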

