• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)

  • Subject: Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
  • From: Terry Lambert <email@hidden>
  • Date: Wed, 17 May 2006 13:48:55 -0700
On May 17, 2006, at 11:43 AM, Christopher D. Lewis wrote:

On Apr 3, 2006, at 10:12 PM, Terry Lambert wrote:
On Apr 1, 2006, at 12:52 AM, Jett Tayer wrote: 
Hi,

I wish pf or ipfilter be ported to darwin so we
will have choices for better firewalls (ipfw, pf, ipf)

OT: ipfilter now runs on linux 

You might want to try "man ipfw"; you are running Tiger, right?  8-).

For pf and ipfilter, either one could be ported as an NKE (Network Kernel Extension) pretty trivially, and Apple provides NKE sample code already.

To get all the things the pf tools support (including firewall failover, load balancing, packet prioritization, per-user port access privileges, network address translation, and the like) there's a host of userland stuff that'd need porting (and the .kext would need to create pf's virtual devices, so userland apps could interact with the firewall as the developers intended).

This is all pretty straight-forward. Allocation of BSD-style pseudo- devices without intermediation by IOKit is both possible, and relatively easy to accomplish - there are a number of drivers that can be used as an example which call cdevsw_add() to add devices like this. As long as you use a larger negative number (e.g. "-15"), then it means "give me a cdevsw entry whose major number is at least the absolute value of the first argument to cdevsw_add(), and insert my device structure which is supplied as the second argument". The negative number is required to block out space for legacy implementations that want specific device numbers (no device should *require* a specific major number).


(Note that pf does both NAT and packet filtering, so the pf port would involve more than the firewall's .kext and userland, it would involve removing the stuff that collides with pf's other functions.)

This is not actually true. There are a number of approaches to dealing with this, but taking over a single entry point rather than muxing it is definitely *not* the way to play nice with other software. Whatever approach you use *must* be amenable to being daisy- chained.

-- Terry

PS: You may want to limit yourself to a small set of questions per email that can safely be answered in isolation.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
      • From: "Christopher D. Lewis" <email@hidden>
References: 
 >Re: software firewall wishlist (pf, but see systrace, which was a good idea, too) (From: "Christopher D. Lewis" <email@hidden>)

  • Prev by Date: Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
  • Next by Date: Darwin not open source anymore?????
  • Previous by thread: Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
  • Next by thread: Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
  • Index(es):
    • Date
    • Thread