From: Darren Reed
Message-Id: <200302051931.GAA11248@caligula.anu.edu.au>
Subject: Re: The way forward
To: nick@netdot.net (Nicholas Esborn)
Date: Thu, 6 Feb 2003 06:31:50 +1100 (Australia/ACT)
Cc: mspitze1@optonline.net (Marc Spitzer), freebsd-security@FreeBSD.ORG
In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net> from "Nicholas Esborn" at Feb 05, 2003 11:24:33 AM

In some mail from Nicholas Esborn, sie said:
>
> Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other
> than reading through OpenBSD's pf documentation, I found a paper at:
>
> http://www.benzedrine.cx/pf-slides.pdf

I'm pretty sure I could 'tune' ipfilter to be just as fast or faster
than pf. I have some clues about why it's slower - the author of the
paper doesn't (AFAIK) but I'm not in a rush to fix this.

> I also like that you can use macros in its config files, and that it
> automatically structures your ruleset for you to some extent (I think
> this obsoletes head/group in ipf).

But they've now gone and added anchors. Groups are useful in ways beyond
just optimising rule processing.
> And you can use lists for ports or protocols.
> For example:
>
> wi_if = "hme1"
> wi_ip = "172.16.1.1/32"
> wi_net = "172.16.1.0/24"
> scrub in on $wi_if all
> pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
> port {domain, bootpc, bootps, 5000} keep state

Whether or not this is good is another thing. It obfuscates validating
the kernel rules loaded with the configuration file you have in /etc.

> I find pf to be as much of an improvement over ipf as I found ipf to
> be an improvement over ipfw. And of course, there's less possibility of
> licensing surprises, because of OpenBSD's nearly militant adherence to
> the BSD license.
>
> Sadly, most of the discussion I've seen here about pf on FreeBSD is
> basically "Why would we need another packet filter?"

Oh, IPFilter 4.0 will probably address all of your concerns and even go
beyond what pf is currently providing. I suspect there is a certain
amount of feature emulation currently happening (both ways). You just
hear more about pf than ipf unless you're on the ipf list - there is
currently no summary of "what's new" in 4.0 and it's kinda deliberate
like that so there's no easy shopping list for someone to copy before I
release it :)

Darren
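An added illustration of the macro and list expansion discussed above; this is not part of the thread and is not pfctl. It is a small Python expander that substitutes $macros and multiplies out {a, b, ...} lists in the quoted pf.conf fragment, producing the flat one-rule-per-element form in which loaded rules are reported (pfctl -sr), so the file in /etc can be diffed against the kernel ruleset. It handles only that subset: real pfctl also resolves service names such as domain to port numbers and normalises syntax, so a comparison against its output still needs that step.

```python
import itertools
import re
from typing import Dict, List, Tuple

# Added example: simplified pf.conf expander, only $macro and {list} handling.
MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
LIST_RE = re.compile(r"\{([^}]*)\}")


def join_continuations(text: str) -> List[str]:
    """Fold trailing-backslash continuations into single, whitespace-normalised lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(re.sub(r"\s+", " ", buf.strip()))
        buf = ""
    return lines


def expand(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (macros, flat rules): one rule per combination of list elements."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for line in join_continuations(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Substitute $name references; an undefined macro raises KeyError, as pfctl would reject it.
        line = re.sub(r"\$(\w+)", lambda r: macros[r.group(1)], line)
        # Each {a, b, c} list multiplies the rule: product over all lists in the line.
        lists = [[x.strip() for x in l.split(",")] for l in LIST_RE.findall(line)]
        template = LIST_RE.sub("{}", line)
        for combo in itertools.product(*lists):
            rules.append(template.format(*combo))
    return macros, rules


# Constructed sample: the ruleset quoted in the thread.
SAMPLE = '''
wi_if = "hme1"
wi_ip = "172.16.1.1/32"
wi_net = "172.16.1.0/24"
scrub in on $wi_if all
pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \\
    port {domain, bootpc, bootps, 5000} keep state
'''

if __name__ == "__main__":
    for rule in expand(SAMPLE)[1]:
        print(rule)  # the two source rules expand to five flat rules
```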