nanog mailing list archives
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Sat, 18 Jan 2003 12:29:28 -0500
> You may want to look into OpenBSD's new packet filter, pf(4). It's a stateful filter, which, according to pf.conf(8), is usually faster than a rule-based filter:
> ...
> But I agree with Scott that a stateful packet filter like pf on OpenBSD or ipf on FreeBSD is much better at this task.
Don't confuse "stateful" firewalls with "compiled" firewalls. Stateful just means you're maintaining state of established flows, which is behaviorally different from a non-stateful filter. Compiled is when you pre-process a normal ruleset and produce a matching engine which is better suited to doing complex lookups. Some implementations of this include Cisco's "turbo acl", Bill Fumerola's C primitive generation from ipfw rules, Juniper's internal handling of all firewalling, etc. People are trying anything, from adding a few binary trees in your lookup to making a true compiler which produces packet matching code.

As I understand OpenBSD's pf (which may not be complete, so feel free to point out if I'm wrong), it isn't actually doing anything to compile normal packet lookups; it just added a non-sequential lookup engine for the truly "stateful" filtering that it does. While this is nice and all, it doesn't replace the functionality of normal rule-based filtering, and it isn't the same as a true compiled filter. The closest comparison you could make for the normal readers of this list is that it is the same as speeding up acl matches by enabling the flow route-cache on a Cisco.

--
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
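The distinction drawn in the message above, as an added toy model that is not part of the thread and does not describe how pf, ipfw or any vendor product is actually implemented: a sequential rule walk, a "compiled" version of the same ruleset (pre-processed once at load time into an exact-match table plus the remaining wildcard rules, preserving first-match order), and a state table layered on top of either. The ruleset, addresses and packet sequences are constructed for the example; the cost counter is simply the number of rules examined per packet.

```python
# Added illustration (not code from the NANOG thread or from any firewall):
# three toy packet-matching strategies so "stateful" vs "compiled" is concrete.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None = any destination port
    action: str             # "accept" or "deny"

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto == proto and (self.dport is None or self.dport == dport)


# Constructed sample ruleset: first match wins, implicit deny at the end.
RULES = [
    Rule("tcp", 22, "accept"),
    Rule("tcp", 25, "deny"),
    Rule("tcp", 80, "accept"),
    Rule("tcp", 443, "accept"),
    Rule("udp", 53, "accept"),
    Rule("tcp", None, "deny"),
    Rule("udp", None, "deny"),
]


def sequential_match(rules, proto: str, dport: int) -> Tuple[str, int]:
    """Plain rule-based filter: walk the ordered list top to bottom.
    Returns (action, number_of_rules_examined)."""
    for i, r in enumerate(rules, 1):
        if r.matches(proto, dport):
            return r.action, i
    return "deny", len(rules)


def compile_rules(rules):
    """Pre-process the ordered list once into an exact-match table plus the
    wildcard rules. For every exact (proto, dport) key the table stores the
    decision of the FIRST rule in list order that matches it, so the
    compiled form gives the same answer as the sequential walk."""
    table = {}
    for r in rules:
        if r.dport is None:
            continue
        key = (r.proto, r.dport)
        if key not in table:
            table[key] = sequential_match(rules, r.proto, r.dport)[0]
    wildcards = [r for r in rules if r.dport is None]
    return table, wildcards


def compiled_match(compiled, proto: str, dport: int) -> Tuple[str, int]:
    """One hash probe; only packets with no exact entry fall through to the
    (short) wildcard list. The probe is counted as one rule examined."""
    table, wildcards = compiled
    action = table.get((proto, dport))
    if action is not None:
        return action, 1
    for i, r in enumerate(wildcards, 1):
        if r.matches(proto, dport):
            return r.action, 1 + i
    return "deny", 1 + len(wildcards)


class StatefulFilter:
    """State table in front of any rule matcher. Packets of an already
    accepted flow bypass the rules entirely; the first packet of every flow
    still pays whatever the underlying matcher costs."""

    def __init__(self, matcher: Callable[[str, int], Tuple[str, int]]):
        self.matcher = matcher
        self.flows = set()

    def handle(self, proto, src, sport, dst, dport) -> Tuple[str, int]:
        key = (proto, src, sport, dst, dport)
        if key in self.flows:
            return "accept", 0          # state hit: zero rules examined
        action, cost = self.matcher(proto, dport)
        if action == "accept":
            self.flows.add(key)
        return action, cost


def total_cost(matcher, packets) -> int:
    fw = StatefulFilter(matcher)
    return sum(fw.handle(*p)[1] for p in packets)


def demo() -> dict:
    compiled = compile_rules(RULES)
    seq = lambda proto, dport: sequential_match(RULES, proto, dport)
    comp = lambda proto, dport: compiled_match(compiled, proto, dport)
    # Constructed traffic: ten packets of one HTTPS flow, then a thousand
    # connection attempts from distinct source ports to port 25. The second
    # case never hits state, so the stateful layer saves nothing there.
    flow = [("tcp", "192.0.2.10", 40000, "198.51.100.5", 443)] * 10
    burst = [("tcp", "203.0.113.%d" % (i % 250), 1024 + i, "198.51.100.5", 25)
             for i in range(1000)]
    return {
        "flow_sequential": total_cost(seq, flow),    # 4 for packet 1, then 0
        "flow_compiled": total_cost(comp, flow),     # 1 for packet 1, then 0
        "burst_sequential": total_cost(seq, burst),  # 2 per packet, no state
        "burst_compiled": total_cost(comp, burst),   # 1 per packet, no state
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %d rules examined" % (k, v))
```

The point the model makes is the one the message makes: the state table behaves like a flow cache and only helps once a flow is established, while compiling changes the cost of the rule lookup itself. A burst of new flows (every packet is a first packet) shows where the two differ in practice.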