tech-net archive


Re: packet filters for NetBSD in the future

On Thu, 19 Feb 2009, wrote:

> >>From what I can tell pf syntax and ipf syntax are pretty similar...
> (I've wondered what the cross lineage between the two codes is, but
> basic googling did not yield anything for me...)

No cross lineage.

It would be good to have a table or chart listing the features available and 
not available in IPF and PF. At one time I began a chart (for other packet 
filters too), but never got far.
Please suggest features or let me know what is supported for my chart.

I need to update it to add some features supported by IPF: variable 
substitution; tuning during run-time; save state over reboots; active and 
testing filter which can be swapped; can generate C code for filter rules 
hard-coded in custom kernel; flush specific TCP states (at run-time); 
flush idle states that are a certain age (at run-time); provides tools to 
generate simple ruleset and testing of rulesets without enabling on real 
firewall (and using various packet input formats); able to call kernel 
functions per a rule; authentication (such as password) for rules; lookup 
tables; packet-per-second matching; a few built-in proxies; some load 
balancing; checksum verifications. Which of these are supported by PF? 
What else to add for IPF and/or PF?

  Jeremy C. Reed

