Date: Fri, 26 Nov 1999 00:51:41 -0600
From: Jason Young <doogie@staff.accessus.net>
To: "'Brian Fundakowski Feldman'" <green@freebsd.org>, ipfw@freebsd.org
Cc: arch@freebsd.org
Subject: RE: new IPFW
Message-ID: <ABD44D466F85D311A69900A0C900DB6BC521@staff.accessus.net>

I've had the privilege of using BSD/OS 4.0's firewalling code, and it's incredibly powerful. It's based on BPF. You actually write one or more filtering "programs" of sorts that get run through the C preprocessor and run as a BPF filter.

I wish I had some docs on it handy to post here. There were several places to plug filters in - pre-input, input, input for the machine, pre-output and output, the input/output ones being per-interface (again, if I recall correctly). The pre-input phase was for dealing with fragmentation and some other things, and the input stage would present all packets reassembled, etc. This let you compile and emplace rulesets to be run exactly when and where you need them to be run.

It's morally wrong to just rip off the code from BSDI, but if I had to pick just one piece of code for something to steal from somewhere, for any purpose, this would be it hands down. It's just incredibly elegant. It's The Way To Go(tm).

If a BPF-like solution isn't adopted, I would say that per-interface rulesets would be my number one wish.

> -----Original Message-----
> From: Brian Fundakowski Feldman [mailto:green@freebsd.org]
> Sent: Wednesday, November 24, 1999 12:33 AM
> To: ipfw@freebsd.org
> Cc: arch@freebsd.org
> Subject: new IPFW
>
>
> I've finally sat myself down to take the first step in getting the new
> IPFW done. I'll start by listing some of the different ideas
> I've had,
[snip]