North American Network Operators Group


Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

  • From: Richard A Steenbergen
  • Date: Sat Jan 18 12:31:50 2003

> You may want to look into OpenBSD's new packet filter, pf(4). It's a
> stateful filter, which, according to pf.conf(8), is usually faster than
> a rule-based filter:

...

> But I agree with Scott that a stateful packet filter like pf on OpenBSD or
> ipf on FreeBSD is much better at this task.

Don't confuse "stateful" firewalls with "compiled" firewalls.

Stateful just means you're maintaining state of established flows, which
is behaviorally different from a non-stateful filter.

Compiled is when you pre-process a normal ruleset and produce a matching
engine which is better suited to doing complex lookups. Some
implementations of this include Cisco's "turbo acl", Bill Fumerola's C
primitive generation from ipfw rules, Juniper's internal handling of all
firewalling, etc. People are trying anything, from adding a few binary
trees in your lookup to making a true compiler which produces packet
matching code.

As I understand OpenBSD's pf (which may not be complete so feel free to
point out if I'm wrong), it isn't actually doing anything to compile
normal packet lookups, it just added a non-sequential lookup engine for
the truly "stateful" filtering that it does. While this is nice and all,
it doesn't replace the functionality of normal rule-based filtering, and
it isn't the same as a true compiled filter. The closest comparison you 
could make for the normal readers of this list is that it is the same as 
speeding up acl matches by enabling the flow route-cache on a Cisco.

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
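As an added illustration (not from this message, and not the code of pf, ipfw or any product named above), here is a small Python sketch of the three things being distinguished: a sequential rule walk, the same ruleset pre-processed into a lookup table, and a state table that short-circuits established flows without changing how the ruleset itself is searched. The ruleset and packets are constructed for the example.

```python
# Constructed ruleset (not from the post): (proto, dst_port, action), first match wins.
# A port of None means "any port"; proto "any" matches every protocol.
RULES = [
    ("tcp", 22, "deny"),
    ("tcp", 25, "allow"),
    ("tcp", 80, "allow"),
    ("udp", 53, "allow"),
    ("any", None, "deny"),
]

def match_sequential(pkt, rules=RULES):
    """Ordinary rule-based filter: walk the list top to bottom until a rule matches.
    Returns (action, rules_examined) so the cost of the walk is visible."""
    for n, (proto, port, action) in enumerate(rules, 1):
        if proto in ("any", pkt["proto"]) and port in (None, pkt["dport"]):
            return action, n
    return "deny", len(rules)

def compile_rules(rules):
    """'Compiled' filter: pre-process the ruleset once into a hash table keyed by
    (proto, dport). This toy only handles exact-match rules plus one trailing
    catch-all; real compilers (turbo ACL, ipfw-to-C) emit trees or code for masks/ranges."""
    table = {}
    for proto, port, action in rules[:-1]:
        if proto == "any" or port is None:
            raise ValueError("only exact-match rules can be compiled by this toy")
        table.setdefault((proto, port), action)   # earlier rule wins, as in the list
    if rules[-1][:2] != ("any", None):
        raise ValueError("last rule must be a catch-all")
    return table, rules[-1][2]

def match_compiled(pkt, compiled):
    """One dictionary lookup regardless of ruleset length: returns (action, 1)."""
    table, default = compiled
    return table.get((pkt["proto"], pkt["dport"]), default), 1

def match_stateful(pkt, state, rules=RULES):
    """Stateful filter: packets of an already-established flow hit the state table and
    never touch the ruleset; only a flow's first packet is rule-evaluated. This speeds
    up established flows but leaves the ruleset search itself sequential."""
    fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if fwd in state or rev in state:
        return "allow", 0           # state hit: zero rules examined
    action, n = match_sequential(pkt, rules)
    if action == "allow":
        state.add(fwd)
    return action, n
```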