Re: status (plans?) of latest *BDS's ipfw2 for OSX/Darwin kernel?
- Subject: Re: status (plans?) of latest *BDS's ipfw2 for OSX/Darwin kernel?
- From: Jeff Nathan <email@hidden>
- Date: Sat, 22 Nov 2003 21:18:32 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenBSD's (Daniel Hartmeier's) pf is really quite neat.
Loadable kernel modules aside (yeah yeah, I know the old argument that
securelevel is a one-way spinlock, and we've seen the exploits that
disprove that), it's a well-implemented piece of software.
Some of the finer points that really make it nice are the scrubbing
features (dealing with duplicate IP fragments with overlapping data),
the ability to compensate for weak TCP ISNs when acting as a NATting
system, queueing, anchor points for externally generated rules, useful
counters....
Rather than go on with glittering generalities, I think I'd like to
familiarize myself better with ipfw2 (I haven't looked at it at all, to
be honest).
Hartmeier's pf has some support for sharing nat and filter states among
systems (though I'm not sure how advanced this is at the moment. I
think it uses a pseudo device). It can operate in a routing fashion or
in a bridging fashion too which is quite handy. Just like Darren
Reed's ipf, Hartmeier's pf uses a configuration file (using a yacc
parser), as opposed to the ipfw/iptables/ipchains method of using the
binary for all configuration -- yes, I've seen the iptables restore
format and it's a lot closer to making it maintainable.
- -Jeff
P.S. I sent in a kernel patch to this list a few days ago and never saw
it make the list, is anyone else having problems sending messages to
the list?
P.P.S. I submitted the same patch to Apple's patch form and actually
received a bounce! (The submission page is a web form).
On Nov 22, 2003, at 9:06 PM, OpenMacNews wrote:
then again, it seems that i spoke (somewhat) too soon ...
looks like OpenBSD's "pf" has been ported to FreeBSD 5.x
(<http://pf4freebsd.love2party.net/>) as a loadable kernel module.
what implications that has for Darwin, i honestly don't know ...
comments/thoughts anyone?
richard
On a related note, is there any interest in exploring the potential
benefits of Daniel Hartmeier's pf or Darren
Reed's ipf?
- -Jeff
On Nov 22, 2003, at 5:53 PM, OpenMacNews wrote:
hi all,
what plans/progress exist for updating Darwin's "ipfw" to "ipfw2"?
having moved from a FreeBSD box to a Mac, there are several features
missing from ipfw that i'm having to work around
...
in particular, the assignment/use of rule sets and the ability to
assign boolean concatenations of IP ranges to a
variable, then use the variable in a rule.
or, there's always the possibility that i'm missing an already
existing feature set in current Darwin .... if it
exists, a friendly pointer to it would be much appreciated!
thanks,
richard
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.
- --
The most technical single-track security conference in the West.
Vancouver B.C., Canada April, 2004
http://cansecwest.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/wBj7Eqr8+Gkj0/0RArxzAKCxqSjOebVuU5sEZL+xODuHELnwHwCeKleI
QZ3F7vZet0+VfirJ9ajG3Jc=
=Cg3p
-----END PGP SIGNATURE-----
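The pf features named in this thread (scrubbing of overlapping fragments, ISN modulation for NAT'd hosts, anchors for externally generated rules, and tables as named variables holding combined IP ranges, which is what richard asked for in ipfw2) can all be seen in one short ruleset. The following pf.conf is an added example written for this page; it is not from any message in the thread, and it uses the FreeBSD 5.x / OpenBSD 3.x syntax of that era (scrub, nat, keep state). Interface names and addresses are assumed placeholders.

```pf
# Added example pf.conf; interface names and address ranges are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Tables act as variables holding address sets; "!" carves a host out of a range.
table <trusted> { 192.168.1.0/24, !192.168.1.200, 10.0.0.0/8 }
# "persist" keeps an empty table so it can be filled at runtime:
#   pfctl -t blocked -T add 203.0.113.7
table <blocked> persist

# Normalization: reassemble fragments (overlapping duplicates are resolved
# before filtering) and randomize outgoing IP IDs.
scrub in all fragment reassemble random-id

# Translation rules must precede filter rules in this syntax.
nat on $ext_if from $int_net to any -> ($ext_if)

# Anchor: rules loaded here by other programs without touching this file,
#   pfctl -a dynamic -f /path/to/generated.rules
anchor "dynamic"

# Default deny with logging; use <blocked> as a runtime-managed deny list.
block in log all
block in quick on $ext_if from <blocked> to any

# "modulate state" rewrites TCP ISNs for hosts with weak generators.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh modulate state
pass in on $int_if from <trusted> to any keep state
pass out on $ext_if from any to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and inspect the table contents with `pfctl -t trusted -T show`. For comparison, ipfw2's closest equivalents are rule sets (`set 3` on a rule, toggled with `ipfw set disable 3`) and or-blocks in address lists (`from { 10.0.0.0/8 or 192.168.0.0/16 }`), but there is no named-table construct that a single identifier can stand in for across many rules.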