From owner-freebsd-security Tue Jan 7 14:12:54 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA14769 for security-outgoing; Tue, 7 Jan 1997 14:12:54 -0800 (PST)
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA14763 for ; Tue, 7 Jan 1997 14:12:48 -0800 (PST)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.8.2/8.6.4) with ESMTP id AAA16490; Wed, 8 Jan 1997 00:10:34 +0200 (EET)
Received: (hsu@localhost) by katiska.clinet.fi (8.8.4/8.6.4) id AAA13560; Wed, 8 Jan 1997 00:10:32 +0200 (EET)
Date: Wed, 8 Jan 1997 00:10:32 +0200 (EET)
Message-Id: <199701072210.AAA13560@katiska.clinet.fi>
From: Heikki Suonsivu
To: Darren Reed
Cc: proff@suburbia.net, brandon@cold.org, security@FreeBSD.ORG
Subject: Re: FreeBSD as a cleanwall
In-Reply-To: <199701070514.VAA28796@freefall.freebsd.org>
References: <19970106231249.23462.qmail@suburbia.net> <199701070514.VAA28796@freefall.freebsd.org>
Organization: Clinet Ltd, Espoo, Finland
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Darren Reed writes:
...
> Julian, you really should separate this functionality out of ipfw.
>
> For the most part, it has no relevance to the original context of ipfw.
> Maybe you should write ipfws (IP firewall sockets) or similar? (Makes
> good sense to me ... :-)

Before ipfw cooks coffee, maybe it would be worthwhile to look at combining the functionality of bpf and ipfw, instead of duplicating everything possible with bpf into ipfw and vice versa. In general it would be better to have one interface for matching packets which could then be used for anything (not just firewalling, but bandwidth management, snooping data like bpf now does, accounting, etc.). I assume this would reduce the amount of code in the kernel, as the ipfw matching code could be replaced with calls to bpf?

Is there anything which ipfw does but bpf does not, other than better performance? How much more CPU does bpf consume than ipfw, per packet filtered, per rule?

> Darren

--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276
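A toy of the "one matching interface" idea raised in the message above, added here as an example and not code from this thread, from FreeBSD's ipfw, or from its bpf: a classic-BPF-style program is evaluated once per packet, and that single result drives both a first-match accept/deny verdict (what ipfw does) and per-rule packet/byte accounting (one of the other consumers named). The opcode subset and its encoding, the rule table, the raw-IPv4 20-byte-header offsets, and the sample packets are all constructed for this example and are not bpf.h's values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed classic-BPF-style subset; encoding is this example's own, not bpf.h's. */
enum op { LDB_ABS, LDH_ABS, JEQ, RET };
struct insn { enum op code; uint32_t k; uint8_t jt, jf; };

/* One matcher feeding two consumers: the firewall verdict and accounting counters. */
struct rule {
    const char *name;
    const struct insn *prog;
    size_t len;
    int action;                 /* 1 = accept, 0 = deny */
    uint64_t packets, bytes;
};

/* Run one program over one packet; an out-of-range load or running off the end yields 0. */
static uint32_t bpf_run(const struct insn *prog, size_t len,
                        const uint8_t *pkt, size_t pktlen)
{
    uint32_t a = 0; size_t pc = 0;
    while (pc < len) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDB_ABS:
            if (i->k >= pktlen) return 0;
            a = pkt[i->k]; pc++; break;
        case LDH_ABS:
            if (pktlen < 2 || i->k > pktlen - 2) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; pc++; break;
        case JEQ:
            pc += 1 + (a == i->k ? i->jt : i->jf); break;
        case RET:
            return i->k;
        }
    }
    return 0;
}

/* Constructed programs; offsets assume a raw IPv4 packet with a 20-byte
 * header (IHL 5): ip_p at byte 9, TCP destination port at bytes 22-23. */
static const struct insn match_tcp_telnet[] = {
    { LDB_ABS, 9, 0, 0 },    /* A = ip_p                       */
    { JEQ, 6, 0, 3 },        /* TCP? no -> RET 0               */
    { LDH_ABS, 22, 0, 0 },   /* A = TCP destination port       */
    { JEQ, 23, 0, 1 },       /* 23? yes -> RET 1, no -> RET 0  */
    { RET, 1, 0, 0 },
    { RET, 0, 0, 0 },
};
static const struct insn match_any[] = { { RET, 1, 0, 0 } };

static struct rule rules[] = {
    { "deny tcp to port 23", match_tcp_telnet,
      sizeof match_tcp_telnet / sizeof match_tcp_telnet[0], 0, 0, 0 },
    { "allow ip any", match_any, 1, 1, 0, 0 },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* First-match evaluation, ipfw style: verdict and counters both come from
 * the same bpf_run() result. Runts shorter than an IPv4 header are dropped
 * up front; otherwise a failed load would skip the deny rule and the
 * catch-all would accept them. */
int filter_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    for (size_t r = 0; r < NRULES; r++) {
        if (bpf_run(rules[r].prog, rules[r].len, pkt, len)) {
            rules[r].packets++;
            rules[r].bytes += len;
            return rules[r].action;
        }
    }
    return 0;                   /* default deny */
}

/* Constructed 40-byte IPv4+TCP packet with only the inspected fields set. */
int classify(uint8_t proto, uint16_t dport)
{
    uint8_t pkt[40];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;              /* version 4, IHL 5 */
    pkt[3] = 40;                /* total length     */
    pkt[9] = proto;
    pkt[22] = (uint8_t)(dport >> 8);
    pkt[23] = (uint8_t)(dport & 0xff);
    return filter_packet(pkt, sizeof pkt);
}

uint64_t rule_packets(size_t r) { return rules[r].packets; }
uint64_t rule_bytes(size_t r) { return rules[r].bytes; }

int main(void)
{
    printf("tcp/23: %s\n", classify(6, 23) ? "accept" : "deny");
    printf("tcp/80: %s\n", classify(6, 80) ? "accept" : "deny");
    printf("udp/23: %s\n", classify(17, 23) ? "accept" : "deny");
    printf("%s: %llu packets, %llu bytes\n", rules[1].name,
           (unsigned long long)rule_packets(1), (unsigned long long)rule_bytes(1));
    return 0;
}
```

The point of the example is structural: the filter, the accounting and, with a third consumer, a capture or shaping hook would all share one matcher, so the matching code exists in the kernel once. The runt check in filter_packet() is the caveat a shared matcher brings: a bpf program that cannot load a field reports "no match", which is the right answer for capture but the wrong one for a deny rule, so the firewall layer has to treat a truncated packet as a failure rather than a pass. It says nothing about the per-rule CPU cost asked about above; that has to be measured on the real implementations.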