Re: status (plans?) of latest *BSD's ipfw2 for OSX/Darwin kernel?
OpenBSD's (Daniel Hartmeier's) pf is really quite neat. Loadable kernel modules aside (yeah yeah, I know the old argument that securelevel is a one-way spinlock, and we've seen the exploits that disprove that), it's a well-implemented piece of software. Some of the finer points that really make it nice are the scrubbing features (dealing with duplicate IP fragments with overlapping data), the ability to compensate for weak TCP ISNs when acting as a NATting system, queueing, anchor points for externally generated rules, useful counters....

Rather than go on with glittering generalities, I think I'd like to familiarize myself better with ipfw2 (I haven't looked at it at all, to be honest).

Hartmeier's pf has some support for sharing NAT and filter states among systems (though I'm not sure how advanced this is at the moment; I think it uses a pseudo device). It can operate in a routing fashion or in a bridging fashion too, which is quite handy.

Just like Darren Reed's ipf, Hartmeier's pf uses a configuration file (using a yacc parser), as opposed to the ipfw/iptables/ipchains method of using the binary for all configuration -- yes, I've seen the iptables restore format and it's a lot closer to making it maintainable.

-Jeff

P.S. I sent in a kernel patch to this list a few days ago and never saw it make the list. Is anyone else having problems sending messages to the list?

P.P.S. I submitted the same patch to Apple's patch form and actually received a bounce! (The submission page is a web form.)

On Nov 22, 2003, at 9:06 PM, OpenMacNews wrote:

> then again, it seems that i spoke (somewhat) too soon ... looks like OpenBSD's "pf" has been ported to FreeBSD 5.x (<http://pf4freebsd.love2party.net/>) as a loadable kernel module.
>
> what implications that has for Darwin, i honestly don't know ... comments/thoughts anyone?
>
> richard
>
> > On a related note, is there any interest in exploring the potential benefits of Daniel Hartmeier's pf or Darren Reed's ipf?
> >
> > -Jeff
> >
> > On Nov 22, 2003, at 5:53 PM, OpenMacNews wrote:
> >
> > > hi all,
> > >
> > > what plans/progress exist for updating Darwin's "ipfw" to "ipfw2"?
> > >
> > > having moved from a FreeBSD box to a Mac, there are several features missing from ipfw that i'm having to work around ... in particular, the assignment/use of rule sets and the ability to assign boolean concatenations of IP ranges to a variable, then use the variable in a rule.
> > >
> > > or, there's always the possibility that i'm missing an already existing feature set in current Darwin .... if it exists, a friendly pointer to it would be much appreciated!
> > >
> > > thanks,
> > >
> > > richard
> > >
> > > _______________________________________________
> > > darwin-kernel mailing list | darwin-kernel@lists.apple.com
> > > Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
> > > Do not post admin requests to the list. They will be ignored.

--
The most technical single-track security conference in the West.
Vancouver B.C., Canada April, 2004 http://cansecwest.com
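As an added example that is not part of the thread: a pf.conf fragment, in the configuration-file style Jeff contrasts with ipfw, showing the features he lists (scrub, NAT with ISN modulation, an anchor for externally loaded rules) together with the named IP-range macros richard asked about. Interface names and address ranges are constructed for illustration.

```pf
# pf.conf fragment (added example; interface names and addresses are constructed)
ext_if = "en0"
int_if = "en1"
lan    = "192.168.1.0/24"
# a named list of ranges, reusable in any rule (the "variable" use richard asked about)
admins = "{ 192.168.1.10, 192.168.1.20/30 }"
# a table can be changed at runtime with pfctl -t blocked -T add/delete
table <blocked> persist

# reassemble fragments; overlapping or duplicate fragment data is dropped
scrub in all

# translate the LAN out the external interface's current address
nat on $ext_if from $lan to any -> ($ext_if)

# attachment point for externally generated rules,
# loaded later with: pfctl -a ext -f /path/to/generated.rules
anchor "ext"

block in log on $ext_if all
block in quick on $ext_if from <blocked> to any

# modulate state rewrites the ISN of TCP connections leaving the NAT,
# compensating for internal hosts with weak ISN generators
pass out on $ext_if proto tcp from $lan to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from $lan to any keep state

# only the admin ranges may reach ssh on the firewall's external address
pass in on $ext_if proto tcp from $admins to ($ext_if) port ssh flags S/SA keep state
```

Check the fragment with `pfctl -nf pf.conf` before loading it; the anchor stays empty until rules are loaded into it.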