From owner-cvs-src@FreeBSD.ORG Mon Mar 29 21:44:55 2004
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 559D816A4D1; Mon, 29 Mar 2004 21:44:55 -0800 (PST)
Received: from smtp.omnis.com (smtp.omnis.com [216.239.128.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E54E43D41; Mon, 29 Mar 2004 21:44:55 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.homeunix.net (66-91-236-204.san.rr.com [66.91.236.204]) by smtp-relay.omnis.com (Postfix) with ESMTP id 16FB01880C1A; Mon, 29 Mar 2004 21:44:54 -0800 (PST)
From: Wes Peters
Organization: Softweyr
To: darrenr@FreeBSD.org (Darren Reed)
User-Agent: KMail/1.6
References: <20040309041200.41CB516A4CF@hub.freebsd.org>
In-Reply-To: <20040309041200.41CB516A4CF@hub.freebsd.org>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200403082237.32608.wes@softweyr.com>
cc: src-committers@FreeBSD.org
cc: Steve Kargl
cc: cvs-src@FreeBSD.org
cc: cvs-all@FreeBSD.org
cc: Max Laier
cc: Tim Robbins
cc: Luigi Rizzo
cc: Sam Leffler
Subject: Re: ideal firewall solution
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree
Date: Tue, 30 Mar 2004 05:44:55 -0000
X-Original-Date: Mon, 8 Mar 2004 22:37:32 -0800
X-List-Received-Date: Tue, 30 Mar 2004 05:44:55 -0000

On Monday 08 March 2004 08:12 pm, Darren Reed wrote:
> In some mail I received from Sam Leffler, sie wrote
> >
> > To me there is no clear winner.
>
> Agreed. The question that should have been asked and clearly
> answered is:
>
> What does FreeBSD gain from having pf in the base tree ?
>
> > > Honestly, I believe that the microcode-based approach of ipfw2 is
> > > a lot simpler to maintain and extend than the one used in pf
> > > (which resembles a lot the original ipfw), and dropping it would
> > > be a step backward.
> > > ipfw2 has some instructions (e.g. the 'address set') that greatly
> > > simplify the writing of rulesets.
>
> Has anyone reviewed the Checkpoint patent with respect to whether
> or not ipfw2 violates it ?
>
> They patent an instruction/virtual mechanism for evaluating filter
> rules that is compiled by some user program. I haven't looked at
> it in detail because ipfw2 isn't my area of responsibility but
> someone should (if they haven't.) When/if that is done, if someone
> can think about what it would be to use BPF instead of ipfw2 and
> if that makes any difference to the Checkpoint patent, I'd be
> further interested to know.

Patent #5,606,668 - read clause 8. Probably unenforceable, because as
written it falls all over the earlier work done in bpf and other sources.
If they had patented it as a unique application of packet filtering, it
would probably fare better. As it is, claim 8 is almost exactly a
description of the workings of BPF or any other microcoded filter, with
the exception of the words "security rule."

IANAL; this is based on my (very probably shaky) memory of a legal
analysis done 6 years ago, at an employer where we were developing very
similar "code" to go in an ASIC while being a Checkpoint FW-1 source
customer. Sticky ground all around.

--
Where am I, and what am I doing in this handbasket?

Wes Peters
wes@softweyr.com