Date:      Thu, 25 Nov 1999 01:30:53 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        Julian Elischer <julian@whistle.com>
Cc:        "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>, Brian Fundakowski Feldman <green@freebsd.org>, arch@freebsd.org
Subject:   Re: new IPFW
Message-ID:  <Pine.BSF.4.21.9911250054120.28352-100000@hub.freebsd.org>
In-Reply-To: <Pine.BSF.4.10.9911240245250.11412-100000@current1.whistle.com>

On Wed, 24 Nov 1999, Julian Elischer wrote:

> > Have you looked at or thought about using the bpf routines in the
> > kernel?  bpf match rules are very powerful, compile to some pretty
> > fast code, and the code is already written, and it knows about a lot
> > more than just IP.  
> 
> Then there is a reference that Garret Wollman pointed out some time ago.
> a package at MIT called 'DPF'

You should definitely look at this possibility. The downside is that we'd
have to have a fallback generic option for non-x86 architectures (I'm
pretty sure the DPF code was for x86).

On another track, someone already raised the issue of ipfilter - this is
as close to a standard as there is in the UNIX firewalling world
(especially as the other BSDs use it exclusively). Of course, basing work
on ipfilter isn't necessarily compatible with revolutionising the guts of
the code, but we could provide a compatible interface. An ipfw->ipfilter
rule translator can't be that difficult (I'm assuming the ipfilter
functionality is a superset of ipfw, which seems to be at least
approximately true).

The other standard which network people are almost guaranteed to be
familiar with is the cisco IOS model. This is probably less easy to
emulate, but it's worth giving thought to IMO. The more familiar the
interface is to people the easier it will be for them to secure their
network with a freebsd box.

Here's a wacky idea - we could have all three interfaces, by keeping the
parser abstracted from the internal representation :-)

The only other design goal I can think of now is to keep it as
extensible as possible..(hmm..ipfw as netgraph node? :)

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..
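The "keep the parser abstracted from the internal representation" idea above, worked through as an added example (this is not code from the thread, from FreeBSD, or from ipfilter): a small subset of ipfw rule syntax is parsed into a neutral rule record, and that record is then emitted either back as ipfw or as ipfilter. Two semantic wrinkles that any such translator has to handle are made explicit: an ipfw rule without `in`/`out` matches both directions, while ipfilter rules always carry a direction, so one ipfw rule may become two ipfilter rules; and ipfw is first-match, which ipfilter only gives you with the `quick` keyword. The grammar covered (action, protocol, `from SRC to DST`, one optional destination port, optional `in`/`out`) is a deliberate subset chosen for this example; real ipfw and ipfilter have far more options.

```python
"""Added example: one intermediate representation, two rule syntaxes.

Parses a subset of ipfw rules into Rule records and emits ipfilter (ipf.conf)
or ipfw text from them. Only the subset described in the lead-in is handled.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# ipfw accepts these synonyms; they collapse to two actions in the IR.
_ALLOW = {"allow", "accept", "pass", "permit"}
_DENY = {"deny", "drop"}
_PROTOS = {"ip", "tcp", "udp", "icmp"}


class RuleError(ValueError):
    """Raised for rules outside the supported subset or with bad fields."""


@dataclass(frozen=True)
class Rule:
    """Syntax-neutral rule: what both front-ends are parsed into."""
    action: str                  # "allow" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any", host address, or CIDR
    dst: str
    dport: Optional[int]         # destination port, tcp/udp only
    direction: Optional[str]     # "in", "out", or None (ipfw: both)
    number: Optional[int] = None # ipfw rule number, if given


def _parse_addr(tok: str) -> str:
    """Normalise 'any', a host, or a CIDR; reject anything else."""
    if tok == "any":
        return "any"
    try:
        net = ipaddress.ip_network(tok, strict=False)
    except ValueError as exc:
        raise RuleError(f"bad address {tok!r}") from exc
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def parse_ipfw(text: str) -> Rule:
    """Parse: add [NUM] ACTION PROTO from SRC to DST [PORT] [in|out]."""
    toks = text.split()
    if len(toks) < 2 or toks[0] != "add":
        raise RuleError("rule must start with 'add'")
    toks = toks[1:]
    number = None
    if toks[0].isdigit():
        number, toks = int(toks[0]), toks[1:]
    direction = None
    if toks and toks[-1] in ("in", "out"):
        direction, toks = toks[-1], toks[:-1]
    dport = None
    if len(toks) == 7:
        if not toks[6].isdigit():
            raise RuleError(f"bad port {toks[6]!r}")
        dport, toks = int(toks[6]), toks[:6]
    if len(toks) != 6 or toks[2] != "from" or toks[4] != "to":
        raise RuleError("expected: add [NUM] ACTION PROTO from SRC to DST [PORT] [in|out]")
    action_tok, proto, _, src, _, dst = toks
    if action_tok in _ALLOW:
        action = "allow"
    elif action_tok in _DENY:
        action = "deny"
    else:
        raise RuleError(f"unknown action {action_tok!r}")
    if proto not in _PROTOS:
        raise RuleError(f"unsupported protocol {proto!r}")
    if dport is not None and (proto not in ("tcp", "udp") or not 0 <= dport <= 65535):
        raise RuleError("a port needs tcp or udp and must be 0..65535")
    return Rule(action, proto, _parse_addr(src), _parse_addr(dst), dport, direction, number)


def emit_ipfw(r: Rule) -> str:
    """Render the IR back as an ipfw rule (round trip for the parser)."""
    parts = ["add"] + ([str(r.number)] if r.number is not None else [])
    parts += [r.action, r.proto, "from", r.src, "to", r.dst]
    if r.dport is not None:
        parts.append(str(r.dport))
    if r.direction:
        parts.append(r.direction)
    return " ".join(parts)


def emit_ipfilter(r: Rule) -> List[str]:
    """Render the IR as ipfilter rules.

    ipfilter needs a direction on every rule, so a direction-less ipfw rule
    becomes an 'in' and an 'out' rule. 'quick' keeps ipfw's first-match
    semantics. Protocol 'ip' means any protocol, so no 'proto' clause.
    """
    out = []
    for d in ([r.direction] if r.direction else ["in", "out"]):
        parts = ["pass" if r.action == "allow" else "block", d, "quick"]
        if r.proto != "ip":
            parts += ["proto", r.proto]
        parts += ["from", r.src, "to", r.dst]
        if r.dport is not None:
            parts += ["port", "=", str(r.dport)]
        out.append(" ".join(parts))
    return out


def translate_ipfw_to_ipfilter(text: str) -> List[str]:
    return emit_ipfilter(parse_ipfw(text))


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real configuration.
    for rule in ("add 100 allow tcp from any to 10.0.0.1 22 in",
                 "add deny ip from 192.168.0.0/24 to any"):
        print(rule, "->", translate_ipfw_to_ipfilter(rule))
```

The point is that `Rule` is the only thing the emitters know about; adding a third front-end (the IOS-style syntax mentioned above, say) means writing one more parser into the same record, not touching either emitter.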