[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipf



I'd say the requirement for inclusion in OpenBSD isn't just something that
"no-one could ever take [that] away from us", but something that EVERYONE
can have. http://www.openbsd.org/goals.html states "We want to make
available source code that anyone can use for ANY PURPOSE, with no
restrictions."

Sorry if i seem pedantic or something.

As far as implementing a (free) alternative to ipf is concerned, it seems
the only options are to start a packet filter from scratch (yay
OpenFilter/OpenIPF (OpenFirewall has a bad ring to it, you tend to want
firewalls to be fairly tight, not open :) ) or to use an existing peice of
software. The immediate choice would be IPFW used by FreeBSD, but personally
(my personal opinion doesn't count for much in this situation) I don't like
this idea. I prefer configuration files, not configuration scripts.

I'm sure with a bit of poking around several alternatives could be found
like Drawbridge. Another that popped up on #openbsd earlier was Click
 http://www.pdos.lcs.mit.edu/click/ ), which looks like it either is or has
the potential to be very powerful and extensible.

Personally I would like to see and OpenFilter or OpenIPF done, but like I
said before, my personal opinion doesnt count much in this situation.

I will trust Theo and the rest of the OpenBSD developers to provide a secure
and safe implementation, and I will be using it. I put a greater level of
trust in this projects ideals and goals than i do in some others (no names
mentioned).

Until a new filter is in place, I'l stick to my current set up (early 2001
snapshot of 2.8).

Thus ends my rambling.

----- Original Message -----
From: "Jeff Bachtel" <sebastion@irelandmail.com>
To: "Nicholas Janzen" <nj@third-net.com>; <tech@openbsd.org>
Sent: Wednesday, May 30, 2001 2:39 PM
Subject: Re: ipf


> Theo will probably say "show me the code", but the fact is that a
> functional, stable packet filter implementation is non-trivial,
> especially one that is high-peformance.
>
> Not to belittle the amount of work that anyone on any project has
> done, but OpenBSD started with the NetBSD codebase, and OpenSSH
> started with an older ssh release. And a _hell_ of a lot of work was
> done to get the two projects to the points they are at today.
>
> If there was an older version of ipfilter that was free, then
> conceivably an OpenFilter could be created in 6 months. As it is ipfw
> or Drawbridge [1] are the only two IP packet filters I could find
> easily with BSD-style licenses. I don't even have an inkling how
> hard ipfw would be to modify, however the fact that it doesn't have a
> seperate project page and diff tarball is not encouraging.
>
> jeff
> [1] ObPlug: http://drawbridge.tamu.edu/ . Yes, its missing important
> features, such as stateful inspection. Yes, it is very much targeted
> at FreeBSD. However, as far as packet filters running on PC hardware
> go, its probably one of the fastest out there. Might be worth looking
> at, at any rate.
>
> On Tue, May 29, 2001 at 10:20:08PM -0700, Nicholas Janzen wrote:
> > would it be possible for OpenBSD to start writting it's own?
> >
> > that way it would be part of OpenBSD, and no-one could ever take that
away
> > from us.