From: Darren Reed (avalon_at_coombs.anu.edu.au)
Date: Wed Feb 05 2003 - 13:31:50 CST

    In some mail from Nicholas Esborn, sie said:
    >
    > Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other
    > than reading through OpenBSD's pf documentation, I found a paper at:
    >
    > http://www.benzedrine.cx/pf-slides.pdf

    I'm pretty sure I could 'tune' ipfilter to be just as fast or faster
    than pf. I have some clues about why it's slower - the author of the
    paper doesn't (AFAIK) but I'm not in a rush to fix this.

    > I also like that you can use macros in its config files, and that it
    > automatically structures your ruleset for you to some extent (I think
    > this obsoletes head/group in ipf).

    But they've now gone and added anchors. Groups are useful in ways
    beyond just optimising rule processing.

    > And you can use lists for ports or protocols.
    > For example:
    >
    > wi_if = "hme1"
    > wi_ip = "172.16.1.1/32"
    > wi_net = "172.16.1.0/24"
    > scrub in on $wi_if all
    > pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
    > port {domain, bootpc, bootps, 5000} keep state

    Whether or not this is good is another thing.

    It obfuscates validating the kernel rules loaded with the
    configuration file you have in /etc.

    > I find pf to be as much of an improvement over ipf as I found ipf to
    > be an improvement over ipfw. And of course, there's less possibility of licensing
    > surprises, because of OpenBSD's nearly militant adherence to the
    > BSD license.
    >
    > Sadly, most of the discussion I've seen here about pf on FreeBSD is
    > basically "Why would we need another packet filter?"

    Oh, IPFilter 4.0 will probably address all of your concerns and even
    go beyond what pf is currently providing. I suspect there is a certain
    amount of feature emulation currently happening (both ways). You just
    hear more about pf than ipf unless you're on the ipf list - there is
    currently no summary of "what's new" in 4.0 and it's kinda deliberate
    like that so there's no easy shopping list for someone to copy before
    I release it :)

    Darren

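The objection raised above is that macros and port lists make it harder to check that the rules the kernel actually holds match the pf.conf in /etc. One way to get that check back is to expand the macros and lists yourself and diff the result against the rule listing. The following is an added example written for this page, not code from the thread or from pf/pfctl: it implements a simplified model of pf's macro substitution and `{a, b}` list expansion over the quoted ruleset (embedded below as a constructed sample) and compares the flat rules with a constructed list standing in for loaded rules. It assumes one level of nesting per rule and that the comparison input has been normalised to the same spelling; real `pfctl -sr` output prints rules in its own canonical form (for instance `port = domain`), so in practice you would normalise both sides, or use `pfctl -nvf /etc/pf.conf` to obtain pf's own expansion.

```python
import re

# Constructed sample: the pf.conf fragment quoted in the thread.
PF_CONF = '''
wi_if = "hme1"
wi_ip = "172.16.1.1/32"
wi_net = "172.16.1.0/24"
scrub in on $wi_if all
pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \\
    port {domain, bootpc, bootps, 5000} keep state
'''

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
LIST_RE = re.compile(r'\{([^}]*)\}')


def join_continuations(text):
    """Glue backslash-continued lines back together; drop blanks and comments."""
    lines, buf = [], ''
    for raw in text.splitlines():
        if raw.rstrip().endswith('\\'):
            buf += raw.rstrip()[:-1] + ' '
            continue
        buf += raw
        lines.append(buf.strip())
        buf = ''
    if buf.strip():
        lines.append(buf.strip())
    return [l for l in lines if l and not l.startswith('#')]


def substitute(line, macros):
    """Replace every $name with its macro value; an undefined macro is an error."""
    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise ValueError('undefined macro $%s' % name)
        return macros[name]
    return re.sub(r'\$(\w+)', repl, line)


def expand_lists(rule):
    """Expand each {a, b, c} in a rule into one rule per element (recursively)."""
    m = LIST_RE.search(rule)
    if not m:
        return [rule]
    items = [i.strip() for i in m.group(1).split(',') if i.strip()]
    out = []
    for item in items:
        out.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out


def expand(text):
    """Return the flat rule list a config expands to (simplified pf model)."""
    macros, rules = {}, []
    for line in join_continuations(text):
        m = MACRO_RE.match(line)
        if m:
            # macro values may themselves reference earlier macros
            macros[m.group(1)] = substitute(m.group(2), macros)
            continue
        line = re.sub(r'\s+', ' ', substitute(line, macros))
        rules.extend(expand_lists(line))
    return rules


def diff_rules(config_text, loaded_rules):
    """Rules the config expects but the kernel lacks, and rules present but unexpected."""
    expected = expand(config_text)
    return {
        'missing': [r for r in expected if r not in loaded_rules],
        'extra': [r for r in loaded_rules if r not in expected],
    }


if __name__ == '__main__':
    for r in expand(PF_CONF):
        print(r)
    # Constructed "loaded" listing: the last expanded rule dropped, one rule added.
    loaded = expand(PF_CONF)[:4] + ['block drop all']
    print(diff_rules(PF_CONF, loaded))
```

Running the block prints the five expanded rules (one `scrub` line and one `pass` line per listed port), then reports the `port 5000` rule as missing and `block drop all` as extra. The point of keeping the expansion as a separate step is that the file in /etc can be reviewed either as written (macros) or as loaded (flat), and any drift between the two becomes a mechanical diff rather than a by-eye comparison.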