Date:      21 Aug 1995 22:58:29 +0800
From:      peter@haywire.dialix.com (Peter Wemm)
To:        freebsd-hackers@freebsd.org
Subject:   Re: IPFW and SCREEND
Message-ID:  <41a6ul$3b9$1@haywire.DIALix.COM>
References:  <199508210434.AAA03316@healer.com>, <199508210817.BAA03501@gndrsh.aac.dev.com>

rgrimes@gndrsh.aac.dev.com (Rodney W. Grimes) writes:
>> Hi. Some people appear to like IPFW and some appear to like SCREEND.
>> 
>> I've just spent time rewriting chunks of screend to run on FreeBSD.
>> Who out there wrote (or is in charge of) IPFW, would like to collaborate
>> to put the best of both into freebsd? Saves two overlapping programs,
>> and saves me having to re-port the screend kernel patches for each new release.
>> 

>Send me the screend kernel patches, (should be really small if I recall
>correctly, just 1 patch in ip_forward).  That can become a standard part
>of FreeBSD.

>Be careful with that user land code in screend, it has some very strict
>license issues with it.

I just *know* I'm going to regret mentioning this, but I have a cute
little filter that runs in the kernel on a per-interface basis.

It's got a user-land "compiler" that takes a bizarre script language,
and generates a chunk of microcode-like data which is passed into the
kernel.  It was inspired by a thing called "ipacl" that somebody wrote
for a streams-tcp kernel...  I've done something similar but not quite
the same (and I "lifted" parts of the compiler, which is just a
lex/yacc parser).

It has IP and port filtering.. Since it's on a per-interface level, it
could be programmed to drop packets coming in that have your source
address, in an attempt to get around your security (recent CERT advisory).

The bad news, is that I've not ported my version back from a streams
implementation, but it shouldn't be hard.  It was meant to do other
things too, like IP accounting, but that was never quite finished.

I suspect this is similar to the capabilities of bpf, but I've never
really looked at bpf to see what it can do - but I suspect BPF would
do a better job if it could be wired up as a filter on an interface.

-Peter
(Please don't ask me for copies, I'm not happy to give it away in its
present state, and I'd also need to clear it with my employer.. :-(
You can grab ipacl.{tar|shar}.{Z,gz} from the same ftp site as
tcp_wrapper.. ftp.win.tue.nl:/pub/security I think...)
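The message describes a per-interface filter whose rules are compiled into a small "microcode" program that the kernel evaluates against each packet, and points out that such a filter can drop packets arriving on the outside interface that carry an inside source address. The following is an added illustration of that idea in C; it is not Peter Wemm's filter, not ipacl, and not IPFW or screend. The instruction set, the interface names `wan0` and `lan0`, the 10.0.0.0/8 inside network and the 192.0.2.5 outside host are all assumptions made for the example. Each rule is a run of match instructions ending in a verdict; a failed match skips to the next rule, and a program that reaches its end without a verdict falls back to a per-interface default (deny, for the outside interface).

```c
/* Added example, not code from the original message or any of the tools it names.
 * Toy per-interface packet filter: rules are compiled into a flat instruction array
 * ("microcode") and evaluated against a pre-parsed IPv4 header.  Instruction set,
 * interface names and addresses are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

struct pkt {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint8_t  proto;         /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
};

enum op { OP_SRC_NET, OP_DST_NET, OP_PROTO, OP_DPORT, OP_DROP, OP_ACCEPT };
enum verdict { DROP = 0, ACCEPT = 1 };

/* One instruction: a predicate (with operand a and, for nets, mask b) or a verdict. */
struct insn { enum op op; uint32_t a; uint32_t b; };

static int match(const struct insn *in, const struct pkt *p)
{
    switch (in->op) {
    case OP_SRC_NET: return (p->src & in->b) == (in->a & in->b);
    case OP_DST_NET: return (p->dst & in->b) == (in->a & in->b);
    case OP_PROTO:   return p->proto == in->a;
    case OP_DPORT:   return p->dport == in->a;
    default:         return 1;
    }
}

/* Evaluate a program: predicates fall through on success; a failed predicate skips
 * the rest of its rule (up to and including the rule's verdict).  Running off the
 * end yields the interface's default verdict. */
enum verdict run_filter(const struct insn *prog, size_t n, const struct pkt *p, enum verdict dflt)
{
    size_t pc = 0;
    while (pc < n) {
        if (prog[pc].op == OP_DROP)   return DROP;
        if (prog[pc].op == OP_ACCEPT) return ACCEPT;
        if (match(&prog[pc], p)) { pc++; continue; }
        while (pc < n && prog[pc].op != OP_DROP && prog[pc].op != OP_ACCEPT) pc++;
        pc++;                               /* step past the verdict as well */
    }
    return dflt;
}

/* Program bound to the outside interface (assumed name wan0).  Inside net 10/8 is an assumption. */
static const struct insn wan_in[] = {
    /* rule 1: anti-spoofing, an inside source address must never arrive from outside */
    { OP_SRC_NET, IP4(10,0,0,0), 0xff000000u }, { OP_DROP, 0, 0 },
    /* rule 2: permit inbound SMTP */
    { OP_PROTO, 6, 0 }, { OP_DPORT, 25, 0 }, { OP_ACCEPT, 0, 0 },
    /* everything else falls through to the default verdict (deny) */
};

/* Per-interface dispatch: the same rule set is not applied everywhere, which is what
 * makes the spoofing check possible (10/8 sources are legitimate on the inside). */
enum verdict filter_in(const char *ifname, const struct pkt *p)
{
    if (strcmp(ifname, "wan0") == 0)
        return run_filter(wan_in, sizeof wan_in / sizeof wan_in[0], p, DROP);
    return ACCEPT;  /* lan0 (assumed): unfiltered in this toy */
}

/* Convenience wrapper so a caller can classify a packet without building the struct. */
int classify(const char *ifname, uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    struct pkt p = { src, dst, proto, 40000, dport };   /* sport constructed, irrelevant here */
    return filter_in(ifname, &p);
}

int main(void)
{
    printf("spoofed 10.1.2.3 on wan0  -> %s\n", classify("wan0", IP4(10,1,2,3), IP4(10,0,0,1), 6, 23) ? "accept" : "drop");
    printf("same packet on lan0       -> %s\n", classify("lan0", IP4(10,1,2,3), IP4(10,0,0,1), 6, 23) ? "accept" : "drop");
    printf("192.0.2.5 -> SMTP on wan0 -> %s\n", classify("wan0", IP4(192,0,2,5), IP4(10,0,0,1), 6, 25) ? "accept" : "drop");
    printf("192.0.2.5 -> telnet wan0  -> %s\n", classify("wan0", IP4(192,0,2,5), IP4(10,0,0,1), 6, 23) ? "accept" : "drop");
    return 0;
}
```

The point worth taking from the exchange is in rule 1: an anti-spoofing check is only meaningful when the filter knows which interface a packet arrived on, since the very same source address is legitimate on the inside interface. The default-deny on the outside interface is the other caveat a practitioner would add: a rule set that ends in an implicit accept turns every omission into an open port.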