Re: status (plans?) of latest *BSD's ipfw2 for OSX/Darwin kernel?
- Subject: Re: status (plans?) of latest *BSD's ipfw2 for OSX/Darwin kernel?
- From: OpenMacNews <email@hidden>
- Date: Mon, 24 Nov 2003 10:22:50 -0800
ok,
having done some reading re: pf/ipf, i've got to say that -- although still a bit foreign -- it definitely seems to be
well-featured, and, like ipfw2, would be a not insignificant improvement over Darwin's current ipfw. like you, i have to
compare ipfw2 & pf in greater depth to 'choose' between the two ...
ANYONE OUT THERE HAVE ANY URLs FOR A GOOD/THOROUGH COMPARISON OF IPFW/IPFW2/PF/IPF?
either way, i agree that ipfw is getting 'long in the tooth' ... and would add my voice to suggesting that a discussion
be opened/started here on the matter. it seems to be the right forum ...
i'll be happy to contribute what i can as a user, but as a kernel-developer, i'm in over my head :-S
cheers,
richard
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenBSD's (Daniel Hartmeier's) pf is really quite neat.
Loadable kernel modules aside (yeah yeah, I know the old argument that securelevel is a one-way spinlock, and we've
seen the exploits that disprove that), it's a well-implemented piece of software.
Some of the finer points that really make it nice are the scrubbing features (dealing with duplicate IP fragments
with overlapping data), the ability to compensate for weak TCP ISNs when acting as a NATting system, queueing, anchor
points for externally generated rules, useful counters....
Rather than go on with glittering generalities, I think I'd like to familiarize myself better with ipfw2 (I haven't
looked at it at all, to be honest).
Hartmeier's pf has some support for sharing NAT and filter states among systems (though I'm not sure how advanced
this is at the moment. I think it uses a pseudo device). It can operate in a routing fashion or in a bridging
fashion too, which is quite handy. Just like Darren Reed's ipf, Hartmeier's pf uses a configuration file (using a
yacc parser), as opposed to the ipfw/iptables/ipchains method of using the binary for all configuration -- yes, I've
seen the iptables restore format and it's a lot closer to making it maintainable.
-Jeff
On Nov 22, 2003, at 9:06 PM, OpenMacNews wrote:
then again, it seems that i spoke (somewhat) too soon ...
looks like OpenBSD's "pf" has been ported to FreeBSD 5.x
(<http://pf4freebsd.love2party.net/>) as a loadable kernel module.
what implications that has for Darwin, i honestly don't know ...
comments/thoughts anyone?
richard
On a related note, is there any interest in exploring the potential benefits of Daniel Hartmeier's pf or Darren
Reed's ipf?
-Jeff
On Nov 22, 2003, at 5:53 PM, OpenMacNews wrote:
hi all,
what plans/progress exist for updating Darwin's "ipfw" to "ipfw2"?
having moved from a FreeBSD box to a Mac, there are several features missing from ipfw that i'm having to work
around ...
in particular, the assignment/use of rule sets and the ability to assign boolean concatenations of IP ranges to a
variable, then use the variable in a rule.
or, there's always the possibility that i'm missing an already existing feature set in current Darwin .... if it
exists, a friendly pointer to it would be much appreciated!
thanks,
richard
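For comparison, the pf features Jeff lists (scrub for overlapping fragments, ISN modulation behind NAT, ALTQ queueing, anchors for externally loaded rules, and a config-file approach with named address lists) in one pf.conf, as an added example that is not from the thread, from OpenBSD, or from the pf4freebsd port. It assumes the OpenBSD 3.4-era syntax current when the thread was written and the same constructed interface and documentation addresses as above; anchor loading and some keywords have changed across pf releases, so check any real file with `pfctl -nf pf.conf` before loading it:

```pf
# Added example pf.conf; en0 and all addresses are constructed for illustration.

# Macros: named address lists expanded into rules (richard's "variables")
ext_if  = "en0"
trusted = "{ 192.0.2.0/24, 198.51.100.7 }"

# Tables scale to large lists and can be changed at runtime:
#   pfctl -t blocked -T add 203.0.113.9
table <blocked> persist { 203.0.113.0/24 }

# Normalization: reassemble fragments (overlapping duplicates are resolved
# here, not by the endpoint) and randomize the IP ID on the way out
scrub in  on $ext_if all fragment reassemble
scrub out on $ext_if all random-id

# Queueing: reserve bandwidth for ssh on the external interface
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 9Mb cbq(default)
queue ssh bandwidth 1Mb priority 7

# NAT for the internal net, using the interface's current address
nat on $ext_if from 10.0.0.0/8 to any -> ($ext_if)

# Default deny inbound, with logging; unconditional drop for the table
block in log on $ext_if all
block in quick on $ext_if from <blocked> to any

# Anchor: rules loaded later with pfctl -a are evaluated at this point
anchor dynamic

# "modulate state" rewrites TCP ISNs so weak sequence numbers from hosts
# behind the NAT are not exposed to the outside
pass in  on $ext_if proto tcp from $trusted to ($ext_if) port ssh \
    flags S/SA modulate state queue ssh
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state
```

Note that pf uses last-match semantics unless a rule says `quick`, so the `block in log` rule near the top is the default that later `pass` rules override, while the table-based drop is final.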
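The two ipfw2 features richard asks about above (rule sets, and reusable address lists) in working form, as an added example that is not part of the thread and not from any FreeBSD or Darwin source. ipfw has no macro language of its own; the idiom from FreeBSD's rc.firewall is to keep address lists in sh variables and expand them into rules, and ipfw2 takes comma-separated address lists in a single rule. The interface name en0 and the addresses are constructed for the example (documentation ranges, not real hosts), and set 0 is assumed to be the live set with set 1 free for staging. Unless run as `sh ipfw2-sets.sh apply`, the script only prints the ipfw commands, so it can be reviewed on a box without ipfw2:

```shell
#!/bin/sh
# Added example: atomic ipfw2 policy reload using rule sets.
# Assumptions (constructed): en0 is the external interface; set 0 holds
# the live policy; set 1 is idle and used as a staging area.

oif="${oif:-en0}"
trusted="192.0.2.0/24,198.51.100.7"   # hosts allowed to ssh in (constructed)
blocked="203.0.113.0/24"              # addresses dropped unconditionally (constructed)

# fw: run ipfw, or print the command when DRYRUN is set
fw() {
    if [ -n "$DRYRUN" ]; then
        echo "ipfw $*"
    else
        ipfw -q "$@"
    fi
}

# load_set: install the policy into rule set $1 (caller disables the set first)
load_set() {
    fw add 1000 set "$1" deny log ip from "$blocked" to any in via "$oif"
    # a comma-separated address list stands in for the "variable" richard wants
    fw add 1100 set "$1" allow tcp from "$trusted" to me 22 in via "$oif" setup
    fw add 1200 set "$1" allow tcp from any to any established
    fw add 1250 set "$1" check-state
    fw add 1300 set "$1" allow ip from me to any out via "$oif" keep-state
    fw add 1900 set "$1" deny log ip from any to any in via "$oif"
}

# reload_policy: build the new policy in the disabled set 1, then exchange it
# with the live set 0 in a single operation so no packet meets a half-loaded
# ruleset; the old policy ends up in the (still disabled) set 1 and is deleted.
reload_policy() {
    fw set disable 1
    fw delete set 1
    load_set 1
    fw set swap 0 1
    fw delete set 1
}

case "${1:-}" in
    apply) DRYRUN= ;;
    *)     DRYRUN=1 ;;   # default: print, do not touch the kernel
esac
reload_policy
```

The swap is the point of the exercise: editing the live set rule by rule leaves a window where the policy is partly old and partly new, whereas `set swap` moves a fully built set into place in one step.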
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.