Date:      Wed, 5 Feb 2003 11:24:33 -0800
From:      Nicholas Esborn <nick@netdot.net>
To:        Marc Spitzer <mspitze1@optonline.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: The way forward
Message-ID:  <20030205192433.GB59212@carbon.berkeley.netdot.net>
In-Reply-To: <20030205140532.4ff4390c.mspitze1@optonline.net>
References:  <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net>

Pf seems to scale better than netfilter/iptables, ipfw, or ipf.  Other
than reading through OpenBSD's pf documentation, I found a paper at:

  http://www.benzedrine.cx/pf-slides.pdf

I also like that you can use macros in its config files, and that it
automatically structures your ruleset for you to some extent (I think
this obsoletes head/group in ipf).  And it can randomize TCP ISNs for
OSes which do not.  And you can use lists for ports or protocols.
For example:

wi_if = "hme1"
wi_ip = "172.16.1.1/32"
wi_net = "172.16.1.0/24"
scrub in on $wi_if all
pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
	port {domain, bootpc, bootps, 5000} keep state

I find pf to be as much of an improvement over ipf as I found ipf to
be an improvement over ipfw.  And of course, there's less possibility of licensing
surprises, because of OpenBSD's nearly militant adherence to the
BSD license.

Sadly, most of the discussion I've seen here about pf on FreeBSD is
basically "Why would we need another packet filter?"

-nick

On Wed, Feb 05, 2003 at 02:05:32PM -0500, Marc Spitzer wrote:
> On Wed, 05 Feb 2003 10:26:01 -0800
> Nicholas Esborn <nick@netdot.net> wrote:
> 
> > Hear, hear on pf envy.  It's not well tested yet, but pf's architecture
> > and capabilities look better than both ipf and ipfw.
> > 
> > -nick
> > 
> 
> Could you share some details on that?
> 
> marc
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Nicholas Esborn
Unix Systems Administrator
Berkeley, California
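The macro and list features mentioned above are easier to appreciate once you see what pf actually loads: every `$macro` is substituted and every `{ a, b, c }` list is expanded into one rule per element, so the single `pass` line in the message becomes four rules. The script below is an added example, not pf's own parser or anything from the original post; it re-implements just that expansion step over a constructed pf.conf fragment (the one from the message) so you can check what a ruleset expands to before loading it. It assumes the 2003-era syntax shown in the message (`$name` macros, comma- or space-separated lists, backslash continuations) and handles an undefined macro as an error rather than loading a rule with a hole in it, which is the failure mode that matters in a firewall config.

```python
import re
from typing import Dict, List

# Constructed sample: the fragment from the message above, verbatim.
SAMPLE_PF_CONF = """\
wi_if = "hme1"
wi_ip = "172.16.1.1/32"
wi_net = "172.16.1.0/24"
scrub in on $wi_if all
pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \\
\tport {domain, bootpc, bootps, 5000} keep state
"""

# name = "value"  (quotes optional, as pf.conf allows)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"]*?)"?\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
LIST = re.compile(r'\{([^}]*)\}')


def join_continuations(text: str) -> List[str]:
    """Glue lines ending in a backslash onto the following line."""
    lines: List[str] = []
    buf = ''
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '
            continue
        lines.append(buf + raw)
        buf = ''
    if buf:
        lines.append(buf)
    return lines


def expand_lists(rule: str) -> List[str]:
    """Replace the first {a, b, c} list with each element in turn, recursively,
    so nested or multiple lists yield the full cross product like pfctl does."""
    m = LIST.search(rule)
    if not m:
        return [rule]
    items = [i for i in re.split(r'[\s,]+', m.group(1).strip()) if i]
    out: List[str] = []
    for item in items:
        out.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out


def expand(text: str) -> List[str]:
    """Return the flat list of rules pf would load: macros substituted,
    lists expanded, whitespace normalised. Raises on an undefined macro."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for line in join_continuations(text):
        line = ' '.join(line.split())          # collapse tabs and runs of spaces
        if not line or line.startswith('#'):
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue

        def substitute(mo: re.Match) -> str:
            name = mo.group(1)
            if name not in macros:
                # pf refuses to load such a ruleset; we do the same rather
                # than silently emitting a rule with an empty address/interface
                raise ValueError(f"undefined macro ${name} in rule: {line}")
            return macros[name]

        rules.extend(expand_lists(MACRO_REF.sub(substitute, line)))
    return rules


if __name__ == "__main__":
    for r in expand(SAMPLE_PF_CONF):
        print(r)
```

Running it prints the one `scrub` rule followed by four `pass ... port <x> keep state` rules, which is the same expansion `pfctl -nvf` shows when it parses a ruleset without loading it; comparing that output against what you meant to write is a cheap way to catch a macro typo before it becomes a silently wider-than-intended rule.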

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030205192433.GB59212>