Date:      Wed, 5 Feb 2003 23:07:24 -0800
From:      David Schultz <dschultz@uclink.Berkeley.EDU>
To:        Nicholas Esborn <nick@netdot.net>
Cc:        Marc Spitzer <mspitze1@optonline.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: The way forward
Message-ID:  <20030206070724.GA3760@HAL9000.homeunix.com>
In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net>
References:  <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net> <20030205192433.GB59212@carbon.berkeley.netdot.net>

Thus spake Nicholas Esborn <nick@netdot.net>:
> Pf seems to scale better than netfilter/iptables, ipfw, or ipf.  Other
> than reading through OpenBSD's pf documentation, I found a paper at:
> 
>   http://www.benzedrine.cx/pf-slides.pdf

The server seems to be down right now.  Do you have the title of
the paper?

> I also like that you can use macros in its config files

The macroexpander for my firewall is already pretty good.  It is
called the Bourne shell.

> and that it
> automatically structures your ruleset for you to some extent (I think
> this obsoletes head/group in ipf).

What do you mean by this?  It sounds interesting.  Do you mean
that it does some sort of static or dynamic optimization, or
something else?

> And it can randomize TCP ISNs for
> OSes which do not.  And you can use lists for ports or protocols.
[...]
> Sadly, most of the discussion I've seen here about pf on FreeBSD is
> basically "Why would we need another packet filter?"

Well, I'm sorry to disappoint you, but you haven't convinced me
that I need another packet filter yet!  FreeBSD randomizes ISNs,
and ipfw now supports lists of ports or even IP addresses.  The
missing feature I personally would like to see is a flexible
interface for application-level firewalling.
