Date: Wed, 24 Nov 1999 14:49:33 -0800 (PST)
From: Julian Elischer <julian@whistle.com>
To: "Louis A. Mamakos" <louie@TransSys.COM>
Cc: "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>, Tony Landells <ahl@austclear.com.au>, ipfw@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: new IPFW
Message-ID: <Pine.BSF.4.10.9911241445380.11412-100000@current1.whistle.com>
In-Reply-To: <199911242231.RAA21036@whizzo.transsys.com>
We are playing with the idea of a 'bpf' node in netgraph. Also a DPF node and a firewall node. We are also playing with the idea of putting the telnet daemon in a node too :-)

Louis, have you looked at the pppoe node? (As you are the author of the RFC I'd like your comments.)

Is uunet implementing pppoe yet? I notice all our DSL lines are still 'routed'. (Can you select which method to use with each customer on a line by line basis?)

On Wed, 24 Nov 1999, Louis A. Mamakos wrote:

> > > [ using BPF for ipfw ]
> > >
> > > One concern I would have with that is that there are a lot of tools
> > > built on BPF that I would prefer to not be able to run on the firewall.
> > >
> > > Well, to be more accurate, I'd love to be able to run them on the
> > > firewall, but I don't want attackers to have access to them, and
> > > the safest option is to not even have support in the kernel for them
> > > (I can always plug in a separate sniffer if I really need it).
> >
> > Non-issue. The fcode engine is in net/bpf_filter.c, the bpf tapping
> > routines that actually get packets to/from the cards are in net/bpf.c.
> >
> > I didn't mean to imply that the filtering should be done using the /dev/bpf
> > interface, just that the engine code for filtering could be reused.
>
> I've actually used the BPF engine for just such an application. It was
> on another platform (NeXTSTEP), and it was sorta a netgraph-like system,
> but all in user space. I used a BPF-based engine for such things as
> "firewall" type filtering, as well as classifying traffic for dial-on-demand
> and idle-timeout reset.
>
> It worked quite well. The one extension which would be valuable is more
> an extension of the BPF expression compiler rather than the engine itself;
> it would be valuable to be able to return a value from the BPF-engine
> program so that it could be acted on. The engine itself has this capability,
> but the existing tcpdump intended expression compiler doesn't currently
> have syntax to support it.
>
> louie
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
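The point Louie makes above, that the BPF engine can hand back an arbitrary value while the tcpdump expression compiler only ever emits "accept N bytes" or "reject", is easiest to see with a hand-assembled program. The following is an added example written for this page; it is not code from the thread, from netgraph, or from FreeBSD's net/bpf_filter.c. It implements a small classic-BPF interpreter (same instruction layout, opcode numbers and jump semantics as BSD BPF, but only the handful of opcodes the program needs), a hand-written filter that returns a three-way verdict (drop / accept / "telnet, act on it"), and a constructed Ethernet+IPv4+TCP frame to run it against. The verdict values, the program and the sample frame are assumptions made for the example. The one firewall-relevant detail worth noticing is that every load is bounds-checked and a short frame, an unknown opcode, or running off the end of the program all fail closed to the drop verdict.

```c
/* Added example (not from the thread, netgraph or FreeBSD): a minimal
 * classic-BPF interpreter whose programs return an arbitrary value, used
 * here as a firewall verdict.  Opcode numbers, instruction layout and jump
 * semantics follow classic BPF; the program, verdict values and sample
 * frame are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define OP_LD_H_ABS  0x28  /* A = big-endian 16 bits at pkt[k]   */
#define OP_LD_B_ABS  0x30  /* A = pkt[k]                          */
#define OP_LD_H_IND  0x48  /* A = big-endian 16 bits at pkt[X+k] */
#define OP_LDX_MSH_B 0xb1  /* X = (pkt[k] & 0x0f) << 2 (IPv4 IHL) */
#define OP_JEQ_K     0x15  /* pc += (A == k) ? jt : jf            */
#define OP_RET_K     0x06  /* return k                            */

/* Hypothetical verdict encoding for the example program. */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1, VERDICT_TELNET = 2 };

/* Interpreter: every load is bounds-checked; a short packet, an unknown
 * opcode or falling off the end of the program all yield VERDICT_DROP. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t ninsn,
                 const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    size_t pc = 0;

    while (pc < ninsn) {
        const struct bpf_insn *in = &prog[pc++];
        uint64_t off = in->k;          /* 64-bit so X + k cannot wrap */

        switch (in->code) {
        case OP_LD_H_IND:
            off += X;
            /* fall through */
        case OP_LD_H_ABS:
            if (off + 2 > len) return VERDICT_DROP;
            A = ((uint32_t)pkt[off] << 8) | pkt[off + 1];
            break;
        case OP_LD_B_ABS:
            if (off + 1 > len) return VERDICT_DROP;
            A = pkt[off];
            break;
        case OP_LDX_MSH_B:
            if (off + 1 > len) return VERDICT_DROP;
            X = (uint32_t)(pkt[off] & 0x0f) << 2;
            break;
        case OP_JEQ_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;              /* the value the caller acts on */
        default:
            return VERDICT_DROP;       /* unknown opcode: fail closed */
        }
    }
    return VERDICT_DROP;               /* ran off the end: fail closed */
}

/* Hand-assembled program: IPv4 TCP to port 23 -> TELNET, other IPv4 ->
 * ACCEPT, non-IPv4 -> DROP.  Jump offsets are relative to the next insn. */
static const struct bpf_insn telnet_prog[] = {
    { OP_LD_H_ABS,  0, 0, 12     },  /* 0: A = EtherType              */
    { OP_JEQ_K,     0, 7, 0x0800 },  /* 1: not IPv4 -> insn 9         */
    { OP_LD_B_ABS,  0, 0, 23     },  /* 2: A = IP protocol            */
    { OP_JEQ_K,     0, 4, 6      },  /* 3: not TCP  -> insn 8         */
    { OP_LDX_MSH_B, 0, 0, 14     },  /* 4: X = IPv4 header length     */
    { OP_LD_H_IND,  0, 0, 16     },  /* 5: A = TCP dst port (14+X+2)  */
    { OP_JEQ_K,     0, 1, 23     },  /* 6: port 23 -> 7, else -> 8    */
    { OP_RET_K,     0, 0, VERDICT_TELNET },
    { OP_RET_K,     0, 0, VERDICT_ACCEPT },
    { OP_RET_K,     0, 0, VERDICT_DROP   },
};

/* Constructed sample frame: Ethernet + IPv4 (IHL 5) + TCP SYN, 54 bytes. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;                     /* version 4, IHL 5            */
    buf[17] = 40;                       /* total length 20 + 20        */
    buf[22] = 64;                       /* TTL                         */
    buf[23] = proto;
    buf[26] = 10; buf[29] = 1;          /* src 10.0.0.1                */
    buf[30] = 10; buf[33] = 2;          /* dst 10.0.0.2                */
    buf[34] = 0xc0;                     /* src port 49152              */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    buf[46] = 0x50; buf[47] = 0x02;     /* data offset 5, SYN          */
    return 54;
}

uint32_t classify(uint16_t ethertype, uint8_t proto, uint16_t dport)
{
    uint8_t frame[54];
    size_t len = build_frame(frame, ethertype, proto, dport);
    return bpf_run(telnet_prog, sizeof telnet_prog / sizeof telnet_prog[0], frame, len);
}

int main(void)
{
    printf("tcp/23 -> %u, tcp/80 -> %u, udp/23 -> %u, ipv6 -> %u\n",
           classify(0x0800, 6, 23), classify(0x0800, 6, 80),
           classify(0x0800, 17, 23), classify(0x86dd, 6, 23));
    return 0;
}
```

The interpreter is the reusable part; the program is what a compiler extension of the kind Louie describes would have to emit (a `ret #2` rather than `ret #len`). Note that with a real `net/bpf_filter.c` engine the program would be fed through the kernel's `bpf_validate()` first; this example has no validator, so the jump targets are checked by hand in the comments.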