Re: ipf
And somehow I get flashbacks of Paul Vixie's screend.
Some kernel mods (a .o file for use with non-opensource OSs)
and a userland process that made decisions.
Times have moved on, but the context switch rates are pretty
much moot for anyone using a post-1997 machine to firewall
a T1.
Quoting Jeff Bachtel (sebastion@irelandmail.com):
> Then you're not exactly putting your _packet filter_ in _userspace_,
> are you?
>
> What you are talking about is an API for a policy daemon to feed
> dynamic rules to a kernelspace packet filter. Similar to ipf -F a -f
> /etc/ipf.rules -E, but running constantly, and somehow "smarter".
>
> jeff
>
> > > The reason you _don't_ put a packet filter in userspace is that a
> > > context switch is added for each packet that traverses the firewall.
> >
> > Not necessarily. If you are making your accept/reject decisions on
> > 'connections' rather than packets, then user-space policy becomes more
> > manageable and much more desirable.
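The difference the thread is arguing about, as an added example that is not part of anyone's post here (and not ipf or screend code): a "policy daemon" that is consulted on every packet versus one that is consulted only when a connection is opened, with a kernel-side state table handling the rest. The policy function stands in for the userspace daemon (each call models one kernel-to-user context switch), the two filter classes stand in for the kernel packet path, and the addresses, ports and packet stream are constructed for the demonstration. Beyond the cost argument, the run also shows the security side effect of the connection-oriented design: a packet that never completed a handshake is dropped instead of being matched against the port rules.

```python
"""Toy comparison of per-packet vs per-connection policy evaluation.

Constructed example: userspace_policy() models the userspace policy daemon
(one call = one context switch); PerPacketFilter and ConnectionFilter model
the kernel-side packet path.  None of this is ipf or screend code.
"""
from collections import namedtuple

# Constructed packet record: a subset of the 5-tuple plus TCP flags.
Packet = namedtuple("Packet", "src dst dport flags")

# Constructed rule set for the hypothetical policy daemon: only SSH and
# HTTP to 192.0.2.10 are accepted, everything else is refused.
ALLOWED = {("192.0.2.10", 22), ("192.0.2.10", 80)}


def userspace_policy(src, dst, dport):
    """The decision that would cross the kernel/user boundary."""
    return (dst, dport) in ALLOWED


class PerPacketFilter:
    """Every packet is punted to the policy daemon: one context switch each."""

    def __init__(self, policy):
        self.policy = policy
        self.policy_calls = 0

    def handle(self, pkt):
        self.policy_calls += 1
        return self.policy(pkt.src, pkt.dst, pkt.dport)


class ConnectionFilter:
    """Kernel-side state table; only connection attempts (SYN) reach userspace."""

    def __init__(self, policy):
        self.policy = policy
        self.policy_calls = 0
        self.table = set()  # established (src, dst, dport) keys

    def handle(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            # Fast path: no policy call.  A real filter would track the
            # full teardown; this toy forgets the flow on the first FIN/RST.
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.table.discard(key)
            return True
        if "SYN" not in pkt.flags:
            return False  # mid-stream packet with no handshake seen: drop
        self.policy_calls += 1  # the only point at which userspace is asked
        if self.policy(pkt.src, pkt.dst, pkt.dport):
            self.table.add(key)
            return True
        return False


def run(filter_obj, packets):
    """Return the accept (True) / drop (False) verdict for each packet."""
    return [filter_obj.handle(p) for p in packets]


# Constructed traffic: an allowed SSH session, a refused telnet attempt
# (with one SYN retransmit) and a stray ACK that never did a handshake.
TRAFFIC = [
    Packet("203.0.113.5", "192.0.2.10", 22, {"SYN"}),
    Packet("203.0.113.5", "192.0.2.10", 22, {"ACK"}),
    Packet("203.0.113.5", "192.0.2.10", 22, {"ACK", "PSH"}),
    Packet("203.0.113.5", "192.0.2.10", 22, {"ACK"}),
    Packet("203.0.113.5", "192.0.2.10", 22, {"FIN", "ACK"}),
    Packet("203.0.113.7", "192.0.2.10", 23, {"SYN"}),
    Packet("203.0.113.7", "192.0.2.10", 23, {"SYN"}),
    Packet("198.51.100.9", "192.0.2.10", 80, {"ACK"}),
]


def compare(packets=TRAFFIC):
    """Run both designs over the same stream; return verdicts and policy-call counts."""
    per_packet = PerPacketFilter(userspace_policy)
    per_conn = ConnectionFilter(userspace_policy)
    return {
        "per_packet": (run(per_packet, packets), per_packet.policy_calls),
        "per_connection": (run(per_conn, packets), per_conn.policy_calls),
    }


if __name__ == "__main__":
    for name, (verdicts, calls) in compare().items():
        print(f"{name:15} policy calls={calls} verdicts={verdicts}")
```

With this stream the per-packet design makes eight policy calls and accepts the stray ACK to port 80 because the port rule matches; the connection-oriented design makes three (one per SYN) and drops the stray ACK because no connection was ever opened for it. That is the trade the thread describes: per-connection policy both cuts the userspace round trips and gives the filter a notion of state that a stateless port check lacks.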
- Follow-Ups:
  - Re: ipf
    - From: ppruett <ppruett@webengr.com>
- References:
  - Re: ipf
    - From: Jeff Bachtel <sebastion@irelandmail.com>
  - Re: ipf
    - From: Damien Miller <djm@mindrot.org>
  - Re: ipf
    - From: Jeff Bachtel <sebastion@irelandmail.com>