[54852] in North American Network Operators' Group


Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Sat Jan 18 20:05:15 2003

Date: Sat, 18 Jan 2003 20:03:03 -0500
From: Richard A Steenbergen <ras@e-gerbil.net>
To: Scott Francis <darkuncle@darkuncle.net>
Cc: nanog@merit.edu
In-Reply-To: <20030118234803.GA66288@darkuncle.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, Jan 18, 2003 at 03:48:03PM -0800, Scott Francis wrote:
> On Sat, Jan 18, 2003 at 12:29:28PM -0500, ras@e-gerbil.net said:
> [snip]
> > As I understand OpenBSD's pf (which may not be complete so feel free to
> > point out if I'm wrong), it isn't actually doing anything to compile
> > normal packet lookups, it just added a non-sequential lookup engine for
> > the truly "stateful" filtering that it does. While this is nice and all,
> > it doesn't replace the functionality of normal rule-based filtering, and
> 
> From pf.conf(5):
> 
>      For each packet processed by the packet filter, the filter rules are
>      evaluated in sequential order, from first to last.  The last matching
>      rule decides what action is taken.
> 
> Does this not constitute rule-based filtering? Or am I misunderstanding you?

Yes and no. That would prove my point, if not for the fact that they are
describing the logical processing of a filter ruleset (aka "ipf-style"),
not the implementation of the matching engine.

But still, the stateful filtering and any lookup model it uses does not
negate the need for standard rule-based filtering, and AFAIK pf still
does those comparisons sequentially like any other traditional filter.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
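To make the distinction drawn above concrete (a hashed, non-sequential state lookup in front of a sequential, last-match-wins rule walk as pf.conf(5) describes), here is an added Python model; it is not code from the thread or from pf itself, and the rule fields, the 5-tuple state key and the pass-when-nothing-matches fallback are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Hashable 5-tuple; this is the key the state table is looked up by."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None matches any protocol
    dst: Optional[str] = None       # None matches any destination
    dport: Optional[int] = None     # None matches any port
    keep_state: bool = False        # assumed analogue of "keep state"

    def matches(self, f: Flow) -> bool:
        return ((self.proto is None or self.proto == f.proto)
                and (self.dst is None or self.dst == f.dst)
                and (self.dport is None or self.dport == f.dport))


class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()          # state table: hashed flows, O(1) lookup
        self.rules_evaluated = 0     # counts sequential rule comparisons

    def evaluate_rules(self, f: Flow) -> Optional[Rule]:
        # pf.conf(5): rules are evaluated first to last and the LAST
        # matching rule decides, so the whole list is always walked.
        decision = None
        for r in self.rules:
            self.rules_evaluated += 1
            if r.matches(f):
                decision = r
        return decision

    def process(self, f: Flow) -> str:
        if f in self.states:         # state hit: the ruleset is not walked
            return "pass"
        r = self.evaluate_rules(f)   # state miss: sequential rule-based path
        if r is None:
            return "pass"            # assumption: no match means pass
        if r.action == "pass" and r.keep_state:
            self.states.add(f)       # only a passing packet creates state
        return r.action
```

The `rules_evaluated` counter makes the point visible: only the first packet of a flow pays for the sequential walk, but that walk is still what decides whether state gets created at all.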
