> To be honest, I'm supprised that someone didn't simply integrate it into
> the NetBSD-1.1 kernel.  While it may not be the perfect packet filtering
> system, it at least, appears to both be fairly well known and come off
> the shelf.

Different sites have different packet filtering needs, so there is no
easy choice.  Copyright restrictions may also preclude NetBSD from
including screend in the distribution.

One problem with screend: it brings all packets to the user level, filters
them there, then returns them to the kernel.  This results in poor performance
under high loads.  Completely in-kernel solutions such as IPfilter or
Firewall'95 can handle much higher loads.