Re: ipf
What would be the security advantage? Packet filters don't parse
strings, or execve() programs, they filter. And that's it.
The reason you _don't_ put a packet filter in userspace is that a
context switch is added for each packet that traverses the firewall.
And the only language to choose for a BSD packet filter is C. That is,
if you want it to be capable of handling linespeed.
(in short, the only thing userland about a firewall should be the
control programs)
jeff
On Wed, May 30, 2001 at 03:05:23PM +1000, Michael Samuel wrote:
> Would a userland API be totally out of the question?
>
> It would be a major security advantage to have the packet filter
> chroot()ing, then dropping root privileges. Not to mention the
> flexibility of being able to write a packet filter in any language you
> choose...
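The chroot()-then-drop-root sequence the quoted message refers to, written out as an added example; this is not code from ipf, OpenBSD, or either poster. The jail directory `/var/empty`, the uid/gid 65534 and the function names are assumptions chosen for illustration. The ordering (chroot before chdir, groups and gid before uid) and the post-drop check are the parts that are easy to get wrong in a userland daemon:

```c
/* Added example, not from ipf or OpenBSD: confine a userland daemon with
 * chroot() and then give up root. Jail path, ids and function names are
 * hypothetical. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to `jail` and switch to an unprivileged uid/gid.
 * Order matters: chdir("/") after chroot() (otherwise the working directory
 * stays outside the jail), and setgroups()/setgid() before setuid()
 * (once the uid is unprivileged those calls fail).
 * Returns 0 on success, -1 with errno set on the first failing step; the
 * caller must exit on failure rather than keep running as root. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1)   /* discard supplementary groups too */
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)          /* sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Confirm the drop took: no id is still 0 and root cannot be regained.
 * Returns 0 when unprivileged, -1 if any check shows root is reachable. */
int verify_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0)
        return -1;
    /* setuid(0) must fail now; if it succeeds the drop was incomplete
     * (for example only seteuid() was used and the saved uid is still 0). */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Hypothetical jail and ids: an empty, root-owned directory and an
     * unprivileged account reserved for this daemon. */
    if (drop_privileges("/var/empty", 65534, 65534) == -1) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (verify_unprivileged() == -1) {
        fprintf(stderr, "still privileged after drop, refusing to run\n");
        return 1;
    }
    puts("running confined and unprivileged");
    return 0;
}
```

Run as root, the program ends up with no way back to uid 0 and no view of the filesystem outside the jail; run without root, chroot() fails with EPERM and the function reports it instead of silently continuing. The verification step is what catches the partial drops (seteuid() only, or setuid() before setgid()) that leave root recoverable.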
- Follow-Ups:
- Re: ipf
- From: Damien Miller <djm@mindrot.org>
- Re: ipf
- From: Michael Samuel <michael@miknet.net>
- Re: ipf
- From: "Angelos D. Keromytis" <angelos@coredump.keromytis.com>
- References:
- ipf
- From: Brian West <brian@bkw.org>
- Re: ipf
- From: Theo de Raadt <deraadt@cvs.openbsd.org>
- Re: ipf
- From: Michael Samuel <michael@miknet.net>