Re: packet filters for NetBSD in the future

["Jeremy C. Reed" <reed%reedmedia.net@localhost>]

On Thu, 19 Feb 2009, yancm%sdf.lonestar.org@localhost wrote:

> >>From what I can tell pf syntax and ipf syntax are pretty similar...
> (I've wondered about the cross lineage between the two codes are,  but
> basic googling did not yield anything for me...)

No cross lineage.
http://www.benzedrine.cx/pf-beginning.html

It would be good to have table or chart listing the features available and 
not available in IPF and PF. At one time I began a chart (for other packet 
filters too), but never got far. 
http://reedmedia.net/misc/networking/packet-filter.html
Please suggest features or letting me know what is supported for my chart.

I need to update it to add some features supported by IPF: variable 
substitution; tuning during run-time; save state over reboots; active and 
testing filter which can be swapped; can generate C code for filter rules 
hard-coded in custom kernel; flush specific TCP states (at run-time); 
flush idle states that are a certain age (at run-time); provides tools to 
generate simple ruleset and testing of rulesets without enabling on real 
firewall (and using various packet input formats); able to call kernel 
functions per a rule; authentication (such as password) for rules; lookup 
tables; packet per second matching; few built in proxies; some load 
balancing; checksum verifications. Which of these are supported by PF? 
What else to add for IPF and/or PF?


  Jeremy C. Reed

uggc://jjj.errqzrqvn.arg/obbxf/cs-obbx/