Date: Thu, 25 Nov 1999 01:30:53 -0800 (PST)
From: Kris Kennaway
To: Julian Elischer
Cc: "Rodney W. Grimes", Brian Fundakowski Feldman, arch@freebsd.org
Subject: Re: new IPFW

On Wed, 24 Nov 1999, Julian Elischer wrote:

> > Have you looked at or thought about using the bpf routines in the
> > kernel? bpf match rules are very powerful, compile to some pretty
> > fast code, and the code is already written, and it knows about a lot
> > more than just IP.
>
> Then there is a reference that Garrett Wollman pointed out some time ago:
> a package at MIT called 'DPF'.

You should definitely look at this possibility. The downside is that we'd have to have a fallback generic option for non-x86 architectures (I'm pretty sure the DPF code was for x86).

On another track, someone already raised the issue of ipfilter - this is as close to a standard as there is in the UNIX firewalling world (especially as the other BSDs use it exclusively).

Of course, basing work on ipfilter isn't necessarily compatible with revolutionising the guts of the code, but we could provide a compatible interface. An ipfw->ipfilter rule translator can't be that difficult (I'm assuming the ipfilter functionality is a superset of ipfw, which seems to be at least approximately true).

The other standard which network people are almost guaranteed to be familiar with is the Cisco IOS model. This is probably less easy to emulate, but it's worth giving thought to IMO. The more familiar the interface is to people, the easier it will be for them to secure their network with a FreeBSD box.

Here's a wacky idea - we could have all three interfaces, by keeping the parser abstracted from the internal representation :-)

The only other design goal I can think of now is to keep it as extensible as possible.. (hmm.. ipfw as netgraph node? :)

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..
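The parser/internal-representation split and the ipfw->ipfilter translator suggested in the message above, as an added example that is not part of the original thread or of the ipfw or ipfilter code bases: a parser-neutral `Rule` record, an ipfw front-end for a small constructed subset of ipfw syntax, and an ipfilter back-end. The `Rule` class, `parse_ipfw`, `emit_ipfilter`, `translate` and the sample rule set are all assumptions made for this example; the two semantic differences it handles (ipfw is first-match while ipfilter is last-match unless `quick` is used, and ipfilter rules must name a direction) are real.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Parser-neutral internal representation (hypothetical): every front-end
# produces a Rule and every back-end consumes one.
@dataclass(frozen=True)
class Rule:
    action: str               # "allow" | "deny"
    proto: str                # "tcp" | "udp" | "icmp" | "ip" (any protocol)
    src: str                  # host/CIDR or "any"
    dst: str
    dport: Optional[int]      # destination port, if given
    direction: Optional[str]  # "in" | "out" | None (None = both directions)
    iface: Optional[str]      # interface name, if given

# Constructed ipfw subset handled by this front-end:
#   [add [N]] allow|deny PROTO from SRC to DST [PORT] [in|out] [via IFACE]
_IPFW = re.compile(
    r"^(?:add\s+(?:\d+\s+)?)?(allow|deny)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+(\d+))?(?:\s+(in|out))?(?:\s+via\s+(\S+))?\s*$")

def parse_ipfw(line: str) -> Rule:
    m = _IPFW.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipfw rule: {line!r}")
    act, proto, src, dst, port, dirn, iface = m.groups()
    return Rule(act, proto, src, dst, int(port) if port else None, dirn, iface)

def emit_ipfilter(rule: Rule) -> List[str]:
    # ipfw evaluates first-match; ipfilter evaluates last-match unless a
    # rule says "quick", so every emitted rule carries "quick" to keep the
    # ordering (and therefore the security policy) intact.
    # ipfilter rules must say "in" or "out"; an ipfw rule with no direction
    # matches both ways, so it is expanded into two ipfilter rules.
    out = []
    for d in ([rule.direction] if rule.direction else ["in", "out"]):
        parts = ["pass" if rule.action == "allow" else "block", d, "quick"]
        if rule.iface:
            parts += ["on", rule.iface]
        if rule.proto != "ip":
            parts += ["proto", rule.proto]
        parts += ["from", rule.src, "to", rule.dst]
        if rule.dport is not None:
            parts += ["port", "=", str(rule.dport)]
        out.append(" ".join(parts))
    return out

def translate(ipfw_lines: List[str]) -> List[str]:
    return [s for l in ipfw_lines for s in emit_ipfilter(parse_ipfw(l))]

# Constructed sample rule set: admit SSH to one host, drop everything else.
SAMPLE_IPFW = ["add 100 allow tcp from any to 10.0.0.1 22 in via fxp0",
               "add 200 deny ip from any to any"]
```

Running `translate(SAMPLE_IPFW)` yields three ipfilter rules: the SSH rule, and the catch-all deny split into an `in` and an `out` rule.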