Re: software firewall wishlist (pf, but see systrace, which was a good idea, too)
On May 17, 2006, at 11:43 AM, Christopher D. Lewis wrote:

Hi, I wish pf or ipfilter would be ported to Darwin so we will have choices for better firewalls (ipfw, pf, ipf).

You might want to try "man ipfw"; you are running Tiger, right? 8-).

-- Terry

On Apr 3, 2006, at 10:12 PM, Terry Lambert wrote:

On Apr 1, 2006, at 12:52 AM, Jett Tayer wrote:

OT: ipfilter now runs on Linux

For pf and ipfilter, either one could be ported as an NKE (Network Kernel Extension) pretty trivially, and Apple provides NKE sample code already. To get all the things the pf tools support (including firewall failover, load balancing, packet prioritization, per-user port access privileges, network address translation, and the like) there's a host of userland stuff that'd need porting (and the .kext would need to create pf's virtual devices, so userland apps could interact with the firewall as the developers intended).

This is all pretty straightforward. Allocation of BSD-style pseudo-devices without intermediation by IOKit is both possible and relatively easy to accomplish - there are a number of drivers that can be used as an example which call cdevsw_add() to add devices like this. As long as you use a larger negative number (e.g. "-15"), then it means "give me a cdevsw entry whose major number is at least the absolute value of the first argument to cdevsw_add(), and insert my device structure which is supplied as the second argument". The negative number is required to block out space for legacy implementations that want specific device numbers (no device should *require* a specific major number).

(Note that pf does both NAT and packet filtering, so the pf port would involve more than the firewall's .kext and userland; it would involve removing the stuff that collides with pf's other functions.)

This is not actually true.

There are a number of approaches to dealing with this, but taking over a single entry point rather than muxing it is definitely *not* the way to play nice with other software. Whatever approach you use *must* be amenable to being daisy-chained.

PS: You may want to limit yourself to a small set of questions per email that can safely be answered in isolation.
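The negative-index rule for cdevsw_add() described in the message above, as an added userland model that is not XNU code and not part of the thread: NCHRDEV, slot_t, model_reset() and model_cdevsw_add() are names chosen for this example, and treating -1 as "any free major at all" is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Added userland model of the cdevsw major-number allocation rule: a
 * non-negative index demands that exact major, a negative index asks for
 * the first free major >= -index.  Not XNU code; names are illustrative. */
#define NCHRDEV 32

typedef struct {
    const char *name;   /* NULL marks a free slot */
} slot_t;

static slot_t cdevsw_table[NCHRDEV];

/* Clear the table and mark majors 0..(n_taken-1) as legacy/in-use,
 * standing in for drivers that insist on a specific major number. */
void model_reset(int n_taken)
{
    memset(cdevsw_table, 0, sizeof cdevsw_table);
    for (int i = 0; i < n_taken && i < NCHRDEV; i++)
        cdevsw_table[i].name = "legacy";
}

/* Returns the major number assigned, or -1 when no slot satisfies the
 * request (exact slot already taken, or no free slot at/after -index). */
int model_cdevsw_add(int index, const char *name)
{
    if (index < 0) {
        int start = (index == -1) ? 0 : -index;   /* -1: assumed "anywhere" */
        for (index = start; index < NCHRDEV; index++)
            if (cdevsw_table[index].name == NULL)
                break;                            /* first free major */
    }
    if (index < 0 || index >= NCHRDEV || cdevsw_table[index].name != NULL)
        return -1;
    cdevsw_table[index].name = name;
    return index;
}

int main(void)
{
    model_reset(16);   /* majors 0..15 already claimed by legacy drivers */
    printf("pf asks for any major >= 15: %d\n", model_cdevsw_add(-15, "pf"));
    printf("pf demands major 15 exactly: %d\n", model_cdevsw_add(15, "pf"));
    return 0;
}
```

The first call lands on 16 because 15 is taken; the second fails, which is why a driver should pass the negative form and use the returned value when it creates its device nodes.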