
IPF and IPFW, after some night talk



I'm writing this post with respect to people who will think of a solution 
for OpenBSD firewalling needs.
I've been working on IPFilter as a user and developing patches\modules for 
various tasks (mainly in the transparent proxying area of natting) and this 
situation implies that people who contributed software to IPFilter source 
tree can't modify their own code without Darren's consent.

All of which, basically sucks.

I also believe that this lack of clarity in the past, which gave people the 
feeling that this kind of modification activity was well accepted, isn't 
giving much credit to contributors either.

Now Theo de Raadt says "look at goal #2". I say "look at goal #8":

"Do not let serious problems sit unsolved."

I believe many developers among you have thought that an OS like OpenBSD 
-CANNOT- lack a good firewall\packet filter. I've heard many people 
talking about switching to IPFW. I don't want to generate any flame 
regarding this point, however I must say that IPFW is nowhere near IPF 
capabilities up to now, in terms of filtering and natting, especially for 
what regards ruleset syntax, while it has some key to additional packages 
like DummyNet (traffic shaping).

If anyone is interested in coding a filtering\firewalling\natting code 
opposed to IPFW for OpenBSD, please contact me privately, as I'm interested 
in helping such development, especially for what regards NAT and 
transparent application proxies.

I have one more question. Some packages like PPP or bridging support by 
Jason Wright contain filtering systems for packets. Are they to be 
considered in any way related to IPFilter or will they continue to appear 
in the OpenBSD source tree?

For what regards my H.323 transparent proxy for IPFilter, I have to find 
out what kind of licensing restrictions my code will have, before releasing 
it. I encourage people who have received a beta version of it to avoid 
distributing it until then.



Giacomo Cariello, jwk@bug.it
KeyID: 3072/1024/0x409C9044
Fingerprint: 7984 10FD 0460 4202 BF90 3881 CDE4 D78E 409C 9044

"Put that mic in my hand and let me kick out the jams!" - MC5