North American Network Operators Group
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
- From: Richard A Steenbergen
- Date: Sat Jan 18 12:31:50 2003
> You may want to look into OpenBSD's new packet filter, pf(4). It's a
> stateful filter, which, according to pf.conf(8), is usually faster than
> a rule-based filter:
> But I agree with Scott that a stateful packet filter like pf on OpenBSD or
> ipf on FreeBSD is much better at this task.
Don't confuse "stateful" firewalls with "compiled" firewalls.

Stateful just means you're maintaining state of established flows, which
is behaviorally different from a non-stateful filter.

Compiled is when you pre-process a normal ruleset and produce a matching
engine which is better suited to doing complex lookups. Some
implementations of this include Cisco's "turbo acl", Bill Fumerola's C
primitive generation from ipfw rules, Juniper's internal handling of all
firewalling, etc. People are trying anything, from adding a few binary
trees in your lookup to making a true compiler which produces packet

As I understand OpenBSD's pf (which may not be complete so feel free to
point out if I'm wrong), it isn't actually doing anything to compile
normal packet lookups, it just added a non-sequential lookup engine for
the truly "stateful" filtering that it does. While this is nice and all,
it doesn't replace the functionality of normal rule-based filtering, and
it isn't the same as a true compiled filter. The closest comparison you
could make for the normal readers of this list is that it is the same as
speeding up acl matches by enabling the flow route-cache on a Cisco.
Richard A Steenbergen <firstname.lastname@example.org> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
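The distinction the post draws (a state table that short-circuits lookups for established flows versus a ruleset pre-processed into a faster matching engine) is easy to show in miniature. The Python below is an added example for this archive page; it is not code from the post, from ipfw, pf or any vendor named above. The ruleset, packets and the "compilation" scheme (a first-match-preserving lookup table keyed by protocol and destination port) are all constructed here for illustration; real compiled filters use far richer structures.

```python
"""Toy packet filter: linear rule walk vs. compiled lookup vs. stateful flow table.
Added example for the NANOG thread above; everything here is constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")
Rule = namedtuple("Rule", "action proto dport")  # dport None means "any port"

# Constructed ruleset, evaluated top-down, first match wins (ipfw-style).
RULES = [
    Rule("allow", "tcp", 22),
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "udp", 53),
    Rule("deny", "tcp", None),
    Rule("deny", "udp", None),
]


def linear_match(rules, pkt):
    """Plain rule-based filter: walk the list until something matches.
    Returns (action, number_of_rules_examined); cost grows with the ruleset."""
    checks = 0
    for r in rules:
        checks += 1
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return r.action, checks
    return "deny", checks  # implicit default deny at the end of the list


def compile_rules(rules):
    """'Compiled' filter: pre-process the ruleset into two dicts so that every
    packet, first-of-flow or not, is decided with a constant number of lookups.
    Rule order is honoured: once a wildcard rule for a protocol is seen, later
    exact-port rules for that protocol are unreachable and are dropped."""
    exact, wildcard = {}, {}
    for r in rules:
        if r.dport is None:
            wildcard.setdefault(r.proto, r.action)
        elif r.proto not in wildcard:
            exact.setdefault((r.proto, r.dport), r.action)
    return exact, wildcard


def compiled_match(compiled, pkt):
    """Decide a packet against the pre-processed tables: one or two dict lookups."""
    exact, wildcard = compiled
    action = exact.get((pkt.proto, pkt.dport))
    if action is None:
        action = wildcard.get(pkt.proto, "deny")
    return action, 1  # constant work regardless of how many rules exist


class StatefulFilter:
    """Stateful filter layered over any rule engine (linear or compiled).
    The first packet of a flow goes through the rules; packets matching an
    established flow in either direction bypass rule evaluation entirely.
    State speeds up established flows but does not replace the rule engine."""

    def __init__(self, rule_engine):
        self.rule_engine = rule_engine  # callable: pkt -> (action, checks)
        self.states = set()

    def handle(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key in self.states or reverse in self.states:
            return "allow", 0, "state"   # hit the flow table, no rules walked
        action, checks = self.rule_engine(pkt)
        if action == "allow":
            self.states.add(key)         # remember the flow for later packets
        return action, checks, "rules"


def engines_agree(rules, packets):
    """Sanity check: the compiled engine must give the same verdicts as the
    linear walk for every packet, otherwise the 'compilation' is wrong."""
    compiled = compile_rules(rules)
    return all(linear_match(rules, p)[0] == compiled_match(compiled, p)[0]
               for p in packets)


if __name__ == "__main__":
    # Constructed traffic: one HTTPS flow (three packets) and one unsolicited probe.
    flow = [Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 443),
            Packet("tcp", "10.0.0.2", "10.0.0.1", 443, 40000),
            Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 443)]
    probe = Packet("tcp", "10.0.0.9", "10.0.0.2", 40001, 8080)
    fw = StatefulFilter(lambda p: linear_match(RULES, p))
    for p in flow + [probe]:
        print(p.src, "->", p.dst, p.dport, fw.handle(p))
    print("compiled == linear:", engines_agree(RULES, flow + [probe]))
```

Running the `__main__` block shows the first packet of the flow costing three rule checks, the reply and the follow-up packet costing zero because the state table answers, and the probe still walking five rules: state helps established flows only. Swapping the lambda for `compiled_match` makes every rule decision constant-cost, which is the separate property the post calls "compiled".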