Date:      Tue, 30 Mar 2004 05:44:55 -0000
From:      Wes Peters <wes@softweyr.com>
To:        darrenr@FreeBSD.org (Darren Reed)
Cc:        Sam Leffler <sam@errno.com>
Subject:   Re: ideal firewall solution
Message-ID:  <200403082237.32608.wes@softweyr.com>
In-Reply-To: <20040309041200.41CB516A4CF@hub.freebsd.org>
References:  <20040309041200.41CB516A4CF@hub.freebsd.org>

On Monday 08 March 2004 08:12 pm, Darren Reed wrote:
> In some mail I received from Sam Leffler, sie wrote
>
> > > To me there is no clear winner.
>
> Agreed.  The question that should have been asked and clearly
> answered is:
>
> What does FreeBSD gain from having pf in the base tree ?
>
> > > Honestly, i believe that the microcode-based approach of ipfw2 is
> > > a lot simpler to maintain and extend than the one used in pf
> > > (which resembles a lot the original ipfw), and dropping it would
> > > be a step backward.
> > > ipfw2 has some instructions (e.g. the 'address set') that greatly
> > > simplify the writing of rulesets.
>
> Has anyone reviewed the Checkpoint patent with respect to whether
> or not ipfw2 violates it ?
>
> They patent an instruction/virtual mechanism for evaluating filter
> rules that is compiled by some user program.  I haven't looked at
> it in detail because ipfw2 isn't my area of responsibility but
> someone should (if they haven't.)  When/if that is done, if someone
> can think about what it would be to use BPF instead of ipfw2 and
> if that makes any difference to the Checkpoint patent, I'd be
> further interested to know.  Patent #5,606,668 - read clause 8.

Probably unenforceable, because as written it falls all over the earlier 
work done in bpf and other sources.  If they had patented it as a unique 
application of packet filtering, it would probably fare better.  As it 
is, claim 8 is almost exactly a description of the workings of BPF or any 
other microcoded filter, with the exception of the words "security rule."

IANAL, this is based on my (very probably shaky) memory of a legal 
analysis done 6 years ago, at an employer where we were developing very 
similar "code" to go in an ASIC while being a Checkpoint FW-1 source 
customer.  Sticky ground all around.

-- 

        Where am I, and what am I doing in this handbasket?

Wes Peters                                               wes@softweyr.com
