Re: ipf
On Wed, 30 May 2001, Jeff Bachtel wrote:
> What would the security advantage be? Packet filters don't parse
> strings, or execve() programs, they filter. And that's it.
>
> The reason you _don't_ put a packet filter in userspace is that a
> context switch is added for each packet that traverses the firewall.
Not necessarily. If you are making your accept/reject decisions on
'connections' rather than packets, then user-space policy becomes more
manageable and much more desirable.
-d
--
| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
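The following is an added illustration of the connection-level approach Damien describes, written for this page; it is not code from ipf or from either participant in the thread. It simulates a kernel-side fast path that caches one verdict per connection and hands only the packet that opens a connection to a (constructed, hypothetical) user-space policy daemon, so the per-packet context switch Jeff objects to happens once per connection rather than once per packet. The packet stream, the port list and the daemon are all constructed for the example.

```python
from collections import namedtuple

# Constructed packet record; "flags" is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "proto src sport dst dport flags")


def conn_key(pkt):
    """Direction-independent 5-tuple so both halves of a connection share one entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted([a, b]))


class PolicyDaemon:
    """Stand-in for the user-space policy process (hypothetical). Every call
    to decide() counts as one kernel->user round trip, i.e. one context switch."""

    def __init__(self, allowed_tcp_ports):
        self.allowed = set(allowed_tcp_ports)
        self.calls = 0

    def decide(self, pkt):
        self.calls += 1
        if pkt.proto == "tcp" and pkt.dport in self.allowed:
            return "accept"
        return "drop"


class ConnFilter:
    """Simulated kernel-side fast path: a per-connection verdict cache.
    Only the packet that opens a connection reaches the policy daemon."""

    def __init__(self, daemon):
        self.daemon = daemon
        self.table = {}  # conn_key -> verdict

    def handle(self, pkt):
        key = conn_key(pkt)
        if key in self.table:
            verdict = self.table[key]
            if "RST" in pkt.flags:
                # Connection torn down; forget it so a new SYN is re-evaluated.
                # (Proper FIN/FIN-ACK tracking is omitted to keep the example short.)
                del self.table[key]
            return verdict
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            # Mid-stream packet with no state: not a connection attempt, so it is
            # dropped in the fast path without consulting user space at all.
            return "drop"
        # First packet of a new connection: the one slow-path trip to user space.
        verdict = self.daemon.decide(pkt)
        self.table[key] = verdict
        return verdict


def run_sample():
    """Run a constructed packet stream through the filter.
    Returns (verdicts, policy_calls, entries_left_in_table)."""
    daemon = PolicyDaemon(allowed_tcp_ports=[22, 80])
    flt = ConnFilter(daemon)
    C, S, X = "10.0.0.5", "10.0.0.1", "192.0.2.9"  # constructed client, server, stranger
    stream = [
        Packet("tcp", C, 40000, S, 22, frozenset({"SYN"})),          # ssh open -> policy
        Packet("tcp", S, 22, C, 40000, frozenset({"SYN", "ACK"})),   # cached accept
        Packet("tcp", C, 40000, S, 22, frozenset({"ACK"})),          # cached accept
        Packet("tcp", C, 40000, S, 22, frozenset({"ACK"})),          # cached accept
        Packet("tcp", C, 40001, S, 23, frozenset({"SYN"})),          # telnet open -> policy
        Packet("tcp", C, 40001, S, 23, frozenset({"SYN"})),          # retransmit, cached drop
        Packet("tcp", X, 5555, S, 80, frozenset({"ACK"})),           # stray ACK, no state
        Packet("tcp", C, 40000, S, 22, frozenset({"RST"})),          # teardown, cached accept
    ]
    verdicts = [flt.handle(p) for p in stream]
    return verdicts, daemon.calls, len(flt.table)


if __name__ == "__main__":
    verdicts, calls, left = run_sample()
    print("verdicts:", verdicts)
    print("packets:", len(verdicts), "user-space policy calls:", calls, "table entries:", left)
```

Eight packets cross the filter but the policy daemon is consulted twice, once per connection attempt; retransmits, mid-stream traffic and stray out-of-state packets never leave the fast path. The security-relevant side effect is that the out-of-state ACK to port 80 is refused without ever reaching the policy process, so a user-space daemon cannot be flooded with packets that do not start a connection.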