[54848] in North American Network Operators' Group
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
daemon@ATHENA.MIT.EDU (Scott Francis)
Sat Jan 18 18:50:02 2003
Date: Sat, 18 Jan 2003 15:48:03 -0800
From: Scott Francis <darkuncle@darkuncle.net>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: nanog@merit.edu
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
Richard A Steenbergen <ras@e-gerbil.net>, nanog@merit.edu
In-Reply-To: <20030118172928.GD78231@overlord.e-gerbil.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Jan 18, 2003 at 12:29:28PM -0500, ras@e-gerbil.net said:
[snip]
> As I understand OpenBSD's pf (which may not be complete so feel free to
> point out if I'm wrong), it isn't actually doing anything to compile
> normal packet lookups, it just added a non-sequential lookup engine for
> the truly "stateful" filtering that it does. While this is nice and all,
> it doesn't replace the functionality of normal rule-based filtering, and
From pf.conf(5):
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last. The last matching
rule decides what action is taken.
Does this not constitute rule-based filtering? Or am I misunderstanding you?
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
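As an added example (not part of Scott's message, and not pf's or ipfw's own code), the following Python toy models the sequential, last-match evaluation that the quoted pf.conf(5) text describes, beside first-match evaluation of the kind ipfw uses, on one constructed ruleset; the ruleset, packets and field names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed ruleset written in the spirit of a minimal pf.conf:
# a catch-all block first, then specific pass rules, then a narrower block.
# This is a toy model of rule evaluation, not a pf.conf parser.
RULES = [
    {"action": "block", "proto": None,  "dst": None,            "port": None},
    {"action": "pass",  "proto": "tcp", "dst": "192.0.2.0/24",  "port": 22},
    {"action": "pass",  "proto": "tcp", "dst": "192.0.2.10/32", "port": 80},
    {"action": "block", "proto": "tcp", "dst": "192.0.2.10/32", "port": 22},
]

def matches(rule, pkt):
    """A None field in a rule is a wildcard; every other field must match."""
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dst"] is not None and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule["port"] is not None and rule["port"] != pkt["port"]:
        return False
    return True

def pf_verdict(rules, pkt):
    """pf.conf(5) semantics: every rule is evaluated in order and the last
    match decides. Returns (action, 1-based number of the deciding rule);
    a packet matched by no rule is passed, which is pf's default."""
    decision = ("pass", 0)
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            decision = (rule["action"], num)
    return decision

def first_match_verdict(rules, pkt):
    """First-match semantics (the ipfw model): evaluation stops at the first
    matching rule. ipfw's final default rule denies, so an unmatched packet
    is blocked here."""
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return (rule["action"], num)
    return ("block", 0)

if __name__ == "__main__":
    # Same rules, same packet, different verdict depending on the evaluation model.
    pkt = {"proto": "tcp", "dst": "192.0.2.5", "port": 22}
    print("pf (last match)  :", pf_verdict(RULES, pkt))           # ('pass', 2)
    print("ipfw (first match):", first_match_verdict(RULES, pkt))  # ('block', 1)
```

The "block all, then pass" ordering in RULES is the idiom that last-match semantics encourage; under first-match the leading catch-all would shadow every later rule.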