Date:      Mon, 8 Mar 2004 20:12:00 -0800 (PST)
From:      darrenr@FreeBSD.ORG (Darren Reed)
To:        Sam Leffler <sam@errno.com>
Cc:        cvs-src@FreeBSD.org
Subject:   ideal firewall solution
Message-ID:  <20040309041200.41CB516A4CF@hub.freebsd.org>
In-Reply-To: <5D79345A-68E3-11D8-AE91-000A95AD0668@errno.com>

In some mail I received from Sam Leffler, sie wrote
> 
> > To me there is no clear winner.

Agreed.  The question that should have been asked and clearly
answered is:

What does FreeBSD gain from having pf in the base tree ?

> > Honestly, i believe that the microcode-based approach of ipfw2 is
> > a lot simpler to maintain and extend than the one used in pf
> > (which resembles a lot the original ipfw), and dropping it would
> > be a step backward.
> > ipfw2 has some instructions (e.g. the 'address set') that greatly
> > simplify the writing of rulesets.

Has anyone reviewed the Checkpoint patent with respect to whether
or not ipfw2 violates it ?

They patent an instruction/virtual mechanism for evaluating filter
rules that is compiled by some user program.  I haven't looked at
it in detail because ipfw2 isn't my area of responsibility but
someone should (if they haven't.)  When/if that is done, if someone
can think about what it would be to use BPF instead of ipfw2 and
if that makes any difference to the Checkpoint patent, I'd be
further interested to know.  Patent #5,606,668 - read clause 8.

> I agree with Luigi about much of this.  I'm happy to see pf brought 
> into the tree because it's actively being developed and folks look to 
> be using it (it looks to me like it's going to become the most often 
> used filtering package for folks with *bsd systems).

Only if all those who use ipf/ipfw stop using that.

> However I think 
> the "microcode-based" architecture used by ipfw2 and the BSD/OS ipfw 
> code are a better design.

See again reference to above patent.  It was filed in 1993, well
before BSD/OS did anything like this.  The standard /dev/bpf*
is not a case of "prior art", in this instance.

Darren