North American Network Operators Group
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
On Sat, Jan 18, 2003 at 03:48:03PM -0800, Scott Francis wrote:
> On Sat, Jan 18, 2003 at 12:29:28PM -0500, [email protected] said:
> [snip]
> > As I understand OpenBSD's pf (which may not be complete so feel free to
> > point out if I'm wrong), it isn't actually doing anything to compile
> > normal packet lookups, it just added a non-sequential lookup engine for
> > the truly "stateful" filtering that it does. While this is nice and all,
> > it doesn't replace the functionality of normal rule-based filtering, and
>
> From pf.conf(5):
>
>     For each packet processed by the packet filter, the filter rules are
>     evaluated in sequential order, from first to last. The last matching
>     rule decides what action is taken.
>
> Does this not constitute rule-based filtering? Or am I misunderstanding you?

Yes and no. That would prove my point, if not for the fact that they are
describing the logical processing of a filter ruleset (aka "ipf-style"),
not the implementation of the matching engine. But still, the stateful
filtering and any lookup model it uses does not negate the need for
standard rule-based filtering, and AFAIK pf still does those comparisons
sequentially like any other traditional filter.

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
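As an added illustration of the evaluation order quoted from pf.conf(5) above (this is example code written for this archive page, not code from the thread or from OpenBSD's pf), the following Python models a ruleset walked sequentially from first to last where the last matching rule decides, with pf's documented `quick` keyword ending evaluation at that rule. A first-match evaluator in the ipfw style is included for contrast. The Rule and Packet fields, the sample ruleset and the sample packets are constructed for the example and are a simplification, not real pf.conf or ipfw syntax.

```python
"""Model of sequential rule evaluation with last-match (pf) and first-match
(ipfw) semantics.  Illustrative only; not pf's or ipfw's actual code."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in", "out", or "any"
    proto: str            # "tcp", "udp", or "any"
    dport: Optional[int]  # None matches any destination port
    quick: bool = False   # pf 'quick': stop evaluating once this rule matches


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """One rule-to-packet comparison on the (simplified) match fields."""
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate_last_match(rules: List[Rule], pkt: Packet,
                        default: str = "pass") -> Tuple[str, int]:
    """pf.conf(5) semantics: rules are evaluated first to last and the LAST
    matching rule decides; a matching 'quick' rule ends evaluation early.
    pf's documented default when nothing matches is to pass.
    Returns (decision, number of rules compared)."""
    decision = default
    compared = 0
    for rule in rules:
        compared += 1
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision, compared


def evaluate_first_match(rules: List[Rule], pkt: Packet,
                         default: str = "pass") -> Tuple[str, int]:
    """ipfw-style semantics: the FIRST matching rule decides.
    Returns (decision, number of rules compared)."""
    for compared, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, compared
    return default, len(rules)


# Constructed sample ruleset: a catch-all block first, then specific passes.
RULES = [
    Rule("block", "in", "any", None),               # default-deny inbound
    Rule("block", "in", "tcp", 23, quick=True),     # telnet: block, stop here
    Rule("pass", "in", "tcp", 22),                  # ssh
    Rule("pass", "in", "tcp", 23),                  # never wins: rule 2 is quick
    Rule("pass", "in", "tcp", 80),                  # http
]

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", 22), Packet("in", "tcp", 23),
                Packet("in", "tcp", 443), Packet("out", "udp", 53)):
        print(pkt, "last-match:", evaluate_last_match(RULES, pkt),
              "first-match:", evaluate_first_match(RULES, pkt))
```

The same ruleset yields different answers under the two semantics: inbound tcp/22 passes under last-match (the catch-all block is overridden by the later pass) but is blocked under first-match, where the catch-all wins immediately. Note also that under last-match every non-`quick` packet is compared against all five rules before a decision is reached, which is the sequential comparison cost the reply refers to; only the `quick` rule short-circuits the walk.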