Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: Brad Parker <brad@stemwinder.fcr.com>
From: Simon J. Gerraty <sjg@zen.void.oz.au>
List: current-users
Date: 12/15/1994 22:41:48
> Brad Parker <brad@stemwinder.fcr.com> writes:
> "Mark P. Gooderum" wrote:
> ...
> >From a security point of view, it would be good to have kernel level
> >packet filtering code.  Better would be if this code could log attempts
> >to connect to ports that aren't there (for instance, you may not run X
> >or NFS, but would like to know if someone was systematically probing
> >your high number TCP (or UDP) ports).
> 
> I've added bpf filters to the input and output side of the ip forwarding
> code and been using them for some months.  The performance is reasonable
> for slow links (like up to 56k).  The optimizer in tcpdump is actually
> pretty good.
> 
> If you are interested, I'll send you the diffs.  There is currently no
> notification of dropped packets.

There is an ipfirewall set of patches put out by Daniel Boulet for
BSDi ages ago. They applied without hassle to 0.9, and I've done a
fresh set of patches for NetBSD-1.0.

It supports both a forward list and a block list of rules which are
quite flexible - and (I'm pretty sure) applied in the order YOU
specify which is crucial for accurate filtering.  With empty lists,
the overhead is not measurable on an i386 with a 16-bit ethernet card.

It logs packets that it rejects though only to the console I think.

--sjg
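The ordered forward/block rule lists and console logging of rejects described above, as an added example that is not part of the original mail or of Daniel Boulet's ipfirewall patches: a minimal first-match filter in C whose rule layout, action names and sample packets are all constructed for the illustration. It shows why the order rules are applied in matters (the same two overlapping rules give opposite answers when swapped) and how a block-by-default list would log the kind of probe to an unused high port that the quoted message wants visibility into.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added illustration of an ordered, first-match packet filter with a
 * logged reject path.  Not the ipfirewall code discussed in the thread;
 * the rule structure, field names and addresses are assumptions. */

enum action { ACT_ACCEPT = 0, ACT_REJECT = 1 };

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct pkt {
    uint32_t src, dst;   /* IPv4 addresses, host byte order */
    uint8_t  proto;      /* 6 = TCP, 17 = UDP */
    uint16_t dport;      /* destination port */
};

struct rule {
    uint32_t src, srcmask;   /* matches when (pkt src & srcmask) == src */
    uint32_t dst, dstmask;
    uint8_t  proto;          /* 0 = any protocol */
    uint16_t dport;          /* 0 = any port */
    enum action act;
};

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if ((p->src & r->srcmask) != r->src) return 0;
    if ((p->dst & r->dstmask) != r->dst) return 0;
    if (r->proto != 0 && r->proto != p->proto) return 0;
    if (r->dport != 0 && r->dport != p->dport) return 0;
    return 1;
}

/* stderr stands in for the console the mail says rejects are logged to */
static void log_reject(const struct pkt *p, int rule_idx)
{
    fprintf(stderr, "reject: %u.%u.%u.%u -> %u.%u.%u.%u proto %u port %u (rule %d)\n",
            (unsigned)(p->src >> 24), (unsigned)(p->src >> 16) & 0xff,
            (unsigned)(p->src >> 8) & 0xff, (unsigned)p->src & 0xff,
            (unsigned)(p->dst >> 24), (unsigned)(p->dst >> 16) & 0xff,
            (unsigned)(p->dst >> 8) & 0xff, (unsigned)p->dst & 0xff,
            (unsigned)p->proto, (unsigned)p->dport, rule_idx);
}

/* Walk the list in the order given; the FIRST matching rule decides.
 * A packet matching no rule gets the default action. */
static enum action filter(const struct rule *rules, size_t n,
                          const struct pkt *p, enum action dflt)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (rule_matches(&rules[i], p)) {
            if (rules[i].act == ACT_REJECT) log_reject(p, (int)i);
            return rules[i].act;
        }
    }
    if (dflt == ACT_REJECT) log_reject(p, -1);
    return dflt;
}

/* Two overlapping rules: permit SMTP from the local /16, block all SMTP.
 * Whichever is listed first wins for a local SMTP packet. */
static const struct rule permit_local_smtp =
    { IP4(10,1,0,0), IP4(255,255,0,0), 0, 0, 6, 25, ACT_ACCEPT };
static const struct rule block_all_smtp =
    { 0, 0, 0, 0, 6, 25, ACT_REJECT };

/* reversed == 0: permit listed first.  reversed != 0: block listed first. */
enum action smtp_from_local(int reversed)
{
    struct rule list[2];
    struct pkt p = { IP4(10,1,2,3), IP4(192,0,2,10), 6, 25 };  /* constructed */
    list[0] = reversed ? block_all_smtp : permit_local_smtp;
    list[1] = reversed ? permit_local_smtp : block_all_smtp;
    return filter(list, 2, &p, ACT_ACCEPT);
}

/* With a block-by-default list, a probe at a port nothing listens on
 * (constructed: TCP 6000, the X11 port) falls through and is logged. */
enum action probe_high_port(void)
{
    struct rule list[1] = { { IP4(10,1,0,0), IP4(255,255,0,0), 0, 0, 6, 25, ACT_ACCEPT } };
    struct pkt p = { IP4(203,0,113,7), IP4(192,0,2,10), 6, 6000 };  /* constructed */
    return filter(list, 1, &p, ACT_REJECT);
}

int main(void)
{
    printf("permit-then-block: %s\n", smtp_from_local(0) == ACT_ACCEPT ? "accept" : "reject");
    printf("block-then-permit: %s\n", smtp_from_local(1) == ACT_ACCEPT ? "accept" : "reject");
    printf("probe to tcp/6000: %s\n", probe_high_port() == ACT_ACCEPT ? "accept" : "reject");
    return 0;
}
```

The first-match walk is what makes rule order load-bearing: a filter that instead collected every matching rule, or sorted rules by specificity, would give a different answer for the overlapping pair, so a filter that preserves the administrator's order is the one whose behaviour can be predicted from reading the list.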