Date:      Wed, 24 Nov 1999 14:08:47 -0800 (PST)
From:      "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>
To:        ahl@austclear.com.au (Tony Landells)
Cc:        ipfw@freebsd.org, arch@freebsd.org
Subject:   Re: new IPFW
Message-ID:  <199911242208.OAA46490@gndrsh.dnsmgr.net>
In-Reply-To: <199911242152.IAA26077@tungsten.austclear.com.au> from Tony Landells at "Nov 25, 1999 08:52:28 am"

> [ using BPF for ipfw ]
> 
> One concern I would have with that is that there are a lot of tools
> built on BPF that I would prefer to not be able to run on the firewall.
> 
> Well, to be more accurate, I'd love to be able to run them on the
> firewall, but I don't want attackers to have access to them, and
> the safest option is to not even have support in the kernel for them
> (I can always plug in a separate sniffer if I really need it).

Non-issue.  The fcode engine is in net/bpf_filter.c, the bpf tapping
routines that actually get packets to/from the cards are in net/bpf.c.

I didn't mean to imply that the filtering should be done using the /dev/bpf
interface, just that the engine code for filtering could be reused.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
