From owner-freebsd-security Wed Feb 5 11:24:36 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8263637B401 for ; Wed, 5 Feb 2003 11:24:34 -0800 (PST)
Received: from carbon.berkeley.netdot.net (carbon.berkeley.netdot.net [216.27.190.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2175943F85 for ; Wed, 5 Feb 2003 11:24:34 -0800 (PST) (envelope-from nick@netdot.net)
Received: by carbon.berkeley.netdot.net (Postfix, from userid 101) id 8DD66F80A; Wed, 5 Feb 2003 11:24:33 -0800 (PST)
Date: Wed, 5 Feb 2003 11:24:33 -0800
From: Nicholas Esborn
To: Marc Spitzer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward
Message-ID: <20030205192433.GB59212@carbon.berkeley.netdot.net>
References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030205140532.4ff4390c.mspitze1@optonline.net>
User-Agent: Mutt/1.5.3i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other than
reading through OpenBSD's pf documentation, I found a paper at:

http://www.benzedrine.cx/pf-slides.pdf

I also like that you can use macros in its config files, and that it
automatically structures your ruleset for you to some extent (I think this
obsoletes head/group in ipf). And it can randomize TCP ISNs for OSes which
do not. And you can use lists for ports or protocols.

For example:

    wi_if = "hme1"
    wi_ip = "172.16.1.1/32"
    wi_net = "172.16.1.0/24"

    scrub in on $wi_if all

    pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
            port {domain, bootpc, bootps, 5000} keep state

I find pf to be as much of an improvement over ipf as I found ipf to be an
improvement over ipfw. And of course, there's less possibility of licensing
surprises, because of OpenBSD's nearly militant adherence to the BSD license.

Sadly, most of the discussion I've seen here about pf on FreeBSD is basically
"Why would we need another packet filter?"

-nick

On Wed, Feb 05, 2003 at 02:05:32PM -0500, Marc Spitzer wrote:
> On Wed, 05 Feb 2003 10:26:01 -0800
> Nicholas Esborn wrote:
>
> > Hear, hear on pf envy. It's not well tested yet, but pf's architecture
> > and capabilities look better than both ipf and ipfw.
> >
> > -nick
> >
>
> Could you share some details on that?
>
> marc
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
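The message above points at two pf.conf features, macros (`$wi_if`) and lists (`{domain, bootpc, bootps, 5000}`), and shows one rule that uses both. The following is an added example, written for this archive page and not code from pf, OpenBSD or the message's author: a small Python expander that takes the quoted ruleset, substitutes the macros, and unrolls each list into the equivalent set of single-value rules, which is roughly what pfctl does when it loads such a file. Seeing the unrolled form is useful when reviewing a ruleset, since one compact line with a list is really N rules. The service-name table is an assumption standing in for /etc/services; the `expand_ruleset` and `port_numbers` names are this example's own.

```python
import re

# Constructed sample: the ruleset quoted in the message above.
RULESET = '''
wi_if = "hme1"
wi_ip = "172.16.1.1/32"
wi_net = "172.16.1.0/24"

scrub in on $wi_if all

pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \\
        port {domain, bootpc, bootps, 5000} keep state
'''

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r'\$(\w+)')
LIST = re.compile(r'\{([^}]*)\}')

# Assumed service-name table; a real loader would consult /etc/services.
SERVICES = {"domain": 53, "bootps": 67, "bootpc": 68}


def join_continuations(text):
    """Glue lines ending in a backslash onto the following line, as pf.conf allows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_ruleset(text):
    """Split a ruleset into macro definitions and rule lines (comments stripped)."""
    macros, rules = {}, []
    for line in join_continuations(text):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def substitute_macros(rule, macros):
    """Replace every $name with its definition; an undefined macro is an error, as in pfctl."""
    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return MACRO_REF.sub(repl, rule)


def expand_lists(rule):
    """Unroll each {a, b, c} list into one rule per item (cartesian product if several lists)."""
    m = LIST.search(rule)
    if not m:
        return [re.sub(r"\s+", " ", rule).strip()]
    items = [i.strip() for i in m.group(1).split(",") if i.strip()]
    out = []
    for item in items:
        out.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out


def expand_ruleset(text):
    """Macros substituted and lists unrolled: the flat rule set the kernel actually sees."""
    macros, rules = parse_ruleset(text)
    expanded = []
    for r in rules:
        expanded.extend(expand_lists(substitute_macros(r, macros)))
    return expanded


def port_numbers(expanded_rules):
    """Numeric port of each expanded rule that carries a 'port' clause."""
    ports = []
    for r in expanded_rules:
        m = re.search(r'\bport\s+(\S+)', r)
        if m:
            tok = m.group(1)
            ports.append(int(tok) if tok.isdigit() else SERVICES[tok])
    return ports


if __name__ == "__main__":
    for rule in expand_ruleset(RULESET):
        print(rule)
```

Running it prints the one scrub rule followed by four pass rules, one per listed port, with `hme1`, `172.16.1.0/24` and `172.16.1.1/32` filled in. A referenced but undefined macro raises instead of silently producing a rule with an empty field, which is the failure mode a reviewer most wants to catch before a ruleset is loaded.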