From: Richard Coleman <richardcoleman@mindspring.com>
Organization: Critical Magic, Inc.
Date: Sun, 30 Nov 2003 10:31:59 -0500
To: Antti Louko
Cc: freebsd-hackers@freebsd.org
Subject: Re: ipfw/ipf IP filtering thoughts
Message-ID: <3FCA0D6F.9000709@mindspring.com>
In-Reply-To: <20031130065310.29349.qmail@alo.louko.com>

Antti Louko wrote:

> Generally, I like the (Free)BSD way of doing things. But the IP
> filtering modules available for FreeBSD lack one feature when compared
> to the Linux way (ipchains and iptables).
>
> In ipchains and iptables you have a sequential list of rules, very
> much like in ipfw and ipf, but you can have several different lists
> which have symbolic names and you can make calls from lists to other
> lists based on normal packet criteria. If the list is exhausted, the
> scan returns to the previous list. This makes it possible to make
> filtering decisions much more efficient in complex situations. You can
> for example scan a certain list only for e.g. packets going to
> port 25 and so on. In FreeBSD, you don't have this
> "subroutine call" feature at all and you are limited to only one
> sequential list with a "goto".

In ipf, you can use head/group tags to create a tree-like structure for the rules processing. This works roughly like a subroutine call. But admittedly this starts to look very confusing if you have many levels of these.

Pf handles this much more cleanly in that the tree structure is derived automatically, as long as the rules are ordered correctly. There is a port for pf in the ports tree. But I haven't tried it, since ipf is working fine for me.

Richard Coleman
richardcoleman@mindspring.com
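The head/group mechanism Richard refers to, written out as an added example ipf ruleset (this is not from the original message or from either author; the interface name fxp0, the address ranges and the port choices are assumptions made for illustration). A rule carrying `head N` is both the default result and the "call" into group N: only packets that match the head rule are checked against the `group N` rules, a `quick` match inside the group becomes the verdict, and if nothing in the group matches, the head rule's own action stands. The nested SMTP group shows the second level of the tree that the message warns gets confusing:

```conf
# Added example, not from the original message: an ipf ruleset (for example
# /etc/ipf.rules) using head/group as a subroutine-call structure.
# fxp0, the address ranges and the ports are assumptions for illustration.

# Outbound: let this host initiate anything; the state table admits the replies.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound on fxp0: the head rule is the default verdict (block) and the
# "call" into group 100. Packets not arriving on fxp0 never enter group 100.
block in log on fxp0 all head 100

    # --- group 100: only inbound packets on fxp0 get here ---
    # Spoofed private/loopback sources: stop immediately, no further groups.
    block in log quick from 10.0.0.0/8 to any group 100
    block in log quick from 127.0.0.0/8 to any group 100

    # SMTP: pass by default, but "call" group 110 first for per-source policy.
    # This rule is a member of group 100 and the head of group 110 at once.
    pass in quick proto tcp from any to any port = 25 flags S keep state head 110 group 100

        # --- group 110: only new SMTP connections get here ---
        # A source range (assumed) that is not allowed to deliver mail.
        block in log quick proto tcp from 192.0.2.0/24 to any group 110
        # No match in group 110: the head rule's "pass ... keep state" stands.

    # SSH from an assumed management network only.
    pass in quick proto tcp from 198.51.100.0/24 to any port = 22 flags S keep state group 100

    # Anything else inbound on fxp0 falls through to the head rule: block.
```

The indentation is cosmetic; ipf only cares about the `head`/`group` numbers, which is exactly why a deep tree is hard to read in a listing. To check the ruleset before loading it, `ipf -n -f /etc/ipf.rules` parses it without touching the kernel; `ipf -Fa -f /etc/ipf.rules` flushes and loads it, and `ipfstat -io` prints the active rules with their head/group numbers so you can confirm the tree you intended is the one the kernel has.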