From owner-freebsd-hackers Mon Aug 21 07:58:48 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id HAA23715 for hackers-outgoing; Mon, 21 Aug 1995 07:58:48 -0700
Received: from haywire.DIALix.COM (haywire.DIALix.COM [192.203.228.65]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id HAA23699 for ; Mon, 21 Aug 1995 07:58:40 -0700
Received: (from news@localhost) by haywire.DIALix.COM (8.7.Beta.11/8.7.Beta.11/DIALix) id WAA03437 for freebsd-hackers@freebsd.org; Mon, 21 Aug 1995 22:58:34 +0800 (WST)
Received: from GATEWAY by haywire.DIALix.COM with netnews for freebsd-hackers@freebsd.org (problems to: usenet@haywire.dialix.com)
To: freebsd-hackers@freebsd.org
Date: 21 Aug 1995 22:58:29 +0800
From: peter@haywire.dialix.com (Peter Wemm)
Message-ID: <41a6ul$3b9$1@haywire.DIALix.COM>
Organization: DIALix Services, Perth, Australia.
References: <199508210434.AAA03316@healer.com>, <199508210817.BAA03501@gndrsh.aac.dev.com>
Subject: Re: IPFW and SCREEND
Sender: hackers-owner@freebsd.org
Precedence: bulk

rgrimes@gndrsh.aac.dev.com (Rodney W. Grimes) writes:

>> Hi. Some people appear to like IPFW and some appear to like SCREEND.
>>
>> I've just spent time rewriting chunks of screend to run on FreeBSD.
>> Who out there wrote (or is in charge of) IPFW, would like to collaborate
>> to put the best of both into freebsd? Saves two overlapping programs,
>> and saves me having to re-port the screend kernel patches for each new release.
>>
>Send me the screend kernel patches, (should be really small if I recall
>correctly, just 1 patch in ip_forward). That can become a standard part
>of FreeBSD.

>Be careful with that user land code in screend, it has some very strict
>license issues with it.

I just *know* I'm going to regret mentioning this, but I have a cute little
filter that runs in the kernel on a per-interface basis.

It's got a user-land "compiler" that takes a bizarre script language, and
generates a chunk of microcode-like data which is passed into the kernel.
It was inspired by a thing called "ipacl" that somebody wrote for a
streams-tcp kernel... I've done something similar but not quite the same
(and I "lifted" parts of the compiler, which is just a lex/yacc parser).

It has IP and port filtering.. Since it's on a per-interface level, it could
be programmed to drop packets coming in that have your source address, in an
attempt to get around your security (recent CERT advisory).

The bad news, is that I've not ported my version back from a streams
implementation, but it shouldn't be hard. It was meant to do other things
too, like IP accounting, but that was never quite finished.

I suspect this is similar to the capabilities of bpf, but I've never really
looked at bpf to see what it can do - but I suspect BPF would do a better job
if it could be wired up as a filter on an interface.

-Peter

(Please don't ask me for copies, I'm not happy to give it away in its present
state, and I'd also need to clear it with my employer.. :-( You can grab
ipacl.{tar|shar}.{Z,gz} from the same ftp site as tcp_wrapper..
ftp.win.tue.nl:/pub/security I think...)
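The design Peter sketches above, a user-land "compiler" that turns a small rule language into flat microcode handed to a per-interface kernel filter, is illustrated by the following added example. It is not Peter's code, nor ipacl, ipfw or screend; the rule syntax, opcodes, and all addresses (RFC 5737 documentation ranges, with 192.0.2.0/24 standing in for "our" network on the interface) are constructed for this example. The first rule is the anti-spoofing check the message mentions: an inbound packet carrying one of our own source addresses is dropped before any accept rule can see it.

```python
"""Toy per-interface packet filter: user-land rule compiler plus a
kernel-style interpreter that walks the compiled "microcode".

Added example; not the code from the mailing-list post, ipacl, ipfw or screend.
Rule language, opcodes and addresses are constructed for illustration."""
import ipaddress
from collections import namedtuple

# A packet as the filter would see it on one interface (constructed shape).
Packet = namedtuple("Packet", "direction src dst proto dport")


def _net(text):
    # A bare host address becomes a /32 network (strict=False allows host bits).
    return ipaddress.ip_network(text, strict=False)


def compile_rules(text, default="accept"):
    """Compile rules of the form
        <accept|drop> <in|out> from <net|any> to <net|any> [port N]
    into a flat list of (opcode, argument, fail_target) instructions.
    Test opcodes fall through on match and jump to fail_target (the start of
    the next rule) on mismatch; terminal opcodes end evaluation with a verdict.
    A trailing default verdict is appended so every packet gets an answer."""
    program = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        tok = line.split()
        action, direction = tok[0], tok[1]
        if action not in ("accept", "drop") or direction not in ("in", "out"):
            raise ValueError("bad rule: " + raw)
        src = tok[tok.index("from") + 1]
        dst = tok[tok.index("to") + 1]
        dport = int(tok[tok.index("port") + 1]) if "port" in tok else None

        tests = [("dir", direction)]
        if src != "any":
            tests.append(("src", _net(src)))
        if dst != "any":
            tests.append(("dst", _net(dst)))
        if dport is not None:
            tests.append(("dport", dport))

        # Fail target: the instruction just past this rule's verdict.
        next_rule = len(program) + len(tests) + 1
        program.extend((op, arg, next_rule) for op, arg in tests)
        program.append((action, None, None))
    program.append((default, None, None))
    return program


def run_filter(program, pkt):
    """Kernel-side interpreter: run the microcode for one packet, return verdict."""
    pc = 0
    while True:
        op, arg, fail = program[pc]
        if op in ("accept", "drop"):
            return op
        if op == "dir":
            ok = pkt.direction == arg
        elif op == "src":
            ok = ipaddress.ip_address(pkt.src) in arg
        elif op == "dst":
            ok = ipaddress.ip_address(pkt.dst) in arg
        elif op == "dport":
            ok = pkt.dport == arg
        else:
            raise ValueError("unknown opcode " + op)
        pc = pc + 1 if ok else fail


# Constructed rule set for an interface whose local network is 192.0.2.0/24.
RULES = """
drop   in  from 192.0.2.0/24 to any            # anti-spoofing: our own source must never arrive inbound
accept in  from any to 192.0.2.10 port 25      # mail to the local relay
drop   in  from any to any                     # everything else inbound
accept out from 192.0.2.0/24 to any            # outbound only with a local source
drop   out from any to any                     # egress filtering: foreign sources do not leave
"""

# Constructed sample packets exercising each rule.
SAMPLE_PACKETS = [
    Packet("in", "192.0.2.55", "192.0.2.10", "tcp", 25),     # spoofed local source -> drop
    Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 25),   # legitimate mail -> accept
    Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 23),   # telnet inbound -> drop
    Packet("out", "192.0.2.10", "198.51.100.7", "tcp", 80),  # normal outbound -> accept
    Packet("out", "203.0.113.9", "198.51.100.7", "tcp", 80), # foreign source leaving -> drop
]


def filter_samples():
    """Compile RULES with a default-drop verdict and run every sample packet."""
    program = compile_rules(RULES, default="drop")
    return [run_filter(program, pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_samples()):
        print(f"{pkt.direction:3} {pkt.src:>13} -> {pkt.dst:>13}:{pkt.dport:<3} {verdict}")
```

The split mirrors the message's architecture: all parsing happens in user land, and the kernel side only interprets a flat array of typed instructions with forward jumps, so a malformed rule file is rejected before anything reaches the kernel. The first rule is only meaningful because the filter is bound to one interface; the same source prefix is legitimate on the inside interface and suspicious on the outside one.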