Re: ipf

Theo will probably say "show me the code", but the fact is that a
functional, stable packet filter implementation is non-trivial,
especially one that is high-performance.

Not to belittle the amount of work that anyone on any project has
done, but OpenBSD started with the NetBSD codebase, and OpenSSH
started with an older ssh release. And a _hell_ of a lot of work was
done to get the two projects to the points they are at today.

If there was an older version of ipfilter that was free, then
conceivably an OpenFilter could be created in 6 months. As it is ipfw
or Drawbridge [1] are the only two IP packet filters I could find
easily with BSD-style licenses. I don't even have an inkling how
hard ipfw would be to modify, however the fact that it doesn't have a
separate project page and diff tarball is not encouraging.

[1] ObPlug: http://drawbridge.tamu.edu/ . Yes, it's missing important
features, such as stateful inspection. Yes, it is very much targeted
at FreeBSD. However, as far as packet filters running on PC hardware
go, it's probably one of the fastest out there. Might be worth looking
at, at any rate.

On Tue, May 29, 2001 at 10:20:08PM -0700, Nicholas Janzen wrote:
> would it be possible for OpenBSD to start writing its own?
> that way it would be part of OpenBSD, and no-one could ever take that away
> from us.