[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pf for packet data?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf for packet data?
- From: gabe f <gabe_1_(_at_)_mac_(_dot_)_com>
- Date: Tue, 15 Jul 2003 14:54:06 -0400
Okay, thanks for the chroot lesson, but I am a little hazy on the line
between kernel and
user in the case of pf passing a packet buffer to a bpf/pcap program,
like Ted Unangst
suggested (if I understood his post, which I'm still not too sure
about, still waiting for a reply).
To me, that seems ideal in terms of flexibility an non-invasiveness in
the pf code, and I
can think one way in which the bpf/pcap process would only give a
return code, and
never see the real packet buffer, though that would really slow things
down - making a
copy of every packet for the userland filter to see. Uh, am I on the
On Tuesday, July 15, 2003, at 06:05 AM, Henning Brauer wrote:
On Mon, Jul 14, 2003 at 11:08:43PM -0400, gabe f wrote:
how about on a bridging firewall?
you still want a userland proxy.
please think about it for a minute. you really do not want to handle
upper layer protocols liek ftp in the kernel. every problem in this
rather complex area leads to a disaster. in userland, the proxy runs
nicely chroot'd and without much privileges...
Ode On A Sugar Sweet LAN
I love my 'pooters, and my 'pooters love me.
We're just a big digital family.
Me and my 'pooters, we get along fine.
I'm super tickled, my 'pooters are mine.
Visit your host, monkey.org