OpenBSD's Packet Filter... On Windows?

Nothinman

Yea, I saw one of their messages on BugTraq and wasn't sure what to think. I can't find it now, but one of their articles mentioned that they removed a lot of features of PF. I'm not sure if they removed them to speed up progress of the initial port or if they just figure things like NAT didn't belong in their product.
 

n0cmonkey

In this post on bugtraq someone from the company (coresecurity) has this to say:
(removed NAT, RDR, packet queueing and normalization and packet tagging among other things)

I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused problems for the end system though. :confused:

Tagging might be interesting, but it would probably complicate things a lot, and most people wouldn't have a use for it. Especially on an end-user's system.

Definitely neat stuff though. If only Linux would adopt it... ;)
 

Nothinman

I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused problems for the end system though.

That's the portion of pf that defrags fragmented packets and discards illegal ones, isn't it? You would think that would make their job easier, not harder. NAT would be nice so that you could make a Windows NAT router without installing ICS or RRAS, it would be especially nice if you could just edit the pf.conf file.

Definitely neat stuff though. If only Linux would adopt it...

There's no reason to, iptables is just as capable (probably more so because of the plugin architecture) even if it is a good bit more complicated.
 

n0cmonkey

Originally posted by: Nothinman
I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused problems for the end system though.

That's the portion of pf that defrags fragmented packets and discards illegal ones, isn't it? You would think that would make their job easier, not harder. NAT would be nice so that you could make a Windows NAT router without installing ICS or RRAS, it would be especially nice if you could just edit the pf.conf file.

From the PF FAQ:
"Scrubbing" is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.

It'd be nice to have, but I'm guessing it wouldn't be easy with the NDIS framework. Plus, if Microsoft can't properly randomize the stuff that should be randomized why would these guys be able to? :p

NAT would be fine I guess, but people should use something better than Windows for a gateway anyhow. ;)

Definitely neat stuff though. If only Linux would adopt it...

There's no reason to, iptables is just as capable (probably more so because of the plugin architecture) even if it is a good bit more complicated.

Everyone else is doing it! ;)

IPTables is fine, even if it's insanely complicated. It'd just be nice to have the same firewall software across the BSDs and Linux. It'd make things easier for some people (like me :)).

I also wish the other BSDs would drop IPFW and IPFilter and just standardize on Packet Filter. It'd probably make porting it to them easier, and they wouldn't drag behind quite as much.
 

Nothinman

IPTables is fine, even if it's insanely complicated. It'd just be nice to have the same firewall software across the BSDs and Linux. It'd make things easier for some people (like me :)).

It would simplify some things, but it would force Linux to lose a lot of functionality.

I also wish the other BSDs would drop IPFW and IPFilter and just standardize on Packet Filter. It'd probably make porting it to them easier, and they wouldn't drag behind quite as much.

That makes a lot more sense, I would imagine that IPFW and IPF are pretty close to PF in functionality with PF probably having a slight lead so the conversion probably wouldn't be too difficult either.

Everyone else is doing it!

If that argument actually worked we'd all be running Windows =)
 

n0cmonkey

Originally posted by: Nothinman
It would simplify some things, but it would force Linux to lose a lot of functionality.

Not if Linux gave you the choice of which one you want to use. ;)

That makes a lot more sense, I would imagine that IPFW and IPF are pretty close to PF in functionality with PF probably having a slight lead so the conversion probably wouldn't be too difficult either.

They support PF (partially at least) already, so it would probably just require removing support for the others and finishing the PF port.
 

Nothinman

Not if Linux gave you the choice of which one you want to use.

And that would add complexity for no real gain. I suppose someone could write a netfilter plugin to handle whatever functionality is missing and then maybe a tool to convert pf rules to iptables commands, that would probably be the simplest route to take.
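A worked sketch of the pf-to-iptables converter floated in the last post, added here for this page; it is not code from the thread, from the OpenBSD project or from Core Security, and it handles only the subset of pf.conf syntax shown in its constructed sample (macros, scrub, nat/rdr, and pass/block with in/out, quick, on, proto, from/to, port and keep state). Its simplifying assumptions are stated in the code: pf in/out map to the INPUT/OUTPUT chains of a host firewall (no FORWARD chain), port is always the destination port, nat -> (IF) becomes MASQUERADE, and scrub is reduced to TCP-flag checks because iptables leaves fragment reassembly to nf_conntrack. Lines it cannot handle, including the tag and altq queueing features discussed earlier in the thread, are returned as untranslated rather than silently dropped. The part worth studying is the ordering step at the end: pf picks the first matching quick rule and otherwise the last matching rule, while iptables stops at the first match, so a naive one-to-one rewrite inverts the policy.

```python
# Added example (not code from the thread, from OpenBSD or from Core Security): pf.conf subset -> iptables.
import re
import shlex

# Constructed sample ruleset, not from any real host.
SAMPLE_PF_CONF = """\
ext_if = "em0"
scrub in all
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.10 port 80
block in all
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp from any to any port 22 keep state
pass in quick on em1 from 192.168.1.0/24 to any tag LAN keep state
altq on $ext_if cbq bandwidth 2Mb queue { std }
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*?)"?\s*$')
KEYED = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "port"}
SCRUB_APPROX = [  # only the illegal-TCP-flag part of pf scrub maps; Linux defrags in nf_conntrack
    "iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"]

def expand_macros(text):
    macros, rules = {}, []  # drop comments, record name = "value" macros, expand $name in rules
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            for name, value in macros.items():
                line = line.replace("$" + name, value)
            rules.append(line)
    return rules

def parse_filter(tokens):
    """pass|block [in|out] [quick] [on IF] [proto P] [from S] [to D] [port N] [keep state] | all"""
    rule = {"action": tokens[0], "dir": "in", "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "port": None, "state": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok in KEYED:  # keyword plus one value; 'port' is taken as the destination port
            rule[KEYED[tok]], i = tokens[i + 1], i + 1
        elif tok == "keep" and tokens[i + 1:i + 2] == ["state"]:
            rule["state"], i = True, i + 1
        elif tok != "all":  # tag, label, queue, user, flags ... are deliberately not handled
            raise ValueError(f"unsupported keyword {tok!r}")
        i += 1
    return rule

def filter_to_iptables(rule):
    chain = "INPUT" if rule["dir"] == "in" else "OUTPUT"  # host-firewall mapping, no FORWARD chain
    pairs = [("-i" if chain == "INPUT" else "-o", rule["iface"]), ("-p", rule["proto"]),
             ("-s", None if rule["src"] == "any" else rule["src"]),
             ("-d", None if rule["dst"] == "any" else rule["dst"]), ("--dport", rule["port"])]
    cmd = ["iptables", "-A", chain] + [t for flag, val in pairs if val for t in (flag, val)]
    if rule["state"] and rule["action"] == "pass":
        cmd += ["-m", "conntrack", "--ctstate", "NEW"]
    return " ".join(cmd + ["-j", "ACCEPT" if rule["action"] == "pass" else "DROP"])

def nat_to_iptables(tokens):
    """nat on IF from NET to any -> (IF) => MASQUERADE; rdr ... port P -> HOST port Q => DNAT"""
    arrow = tokens.index("->")
    opts, target = tokens[1:arrow], tokens[arrow + 1:]
    opt = dict(zip(opts[0::2], opts[1::2]))
    if tokens[0] == "nat":
        if target != [f"({opt['on']})"]:
            raise ValueError("only '-> (IF)' nat is translated")
        src = "" if opt.get("from", "any") == "any" else f" -s {opt['from']}"
        return f"iptables -t nat -A POSTROUTING -o {opt['on']}{src} -j MASQUERADE"
    return (f"iptables -t nat -A PREROUTING -i {opt['on']} -p {opt['proto']} --dport {opt['port']}"
            f" -j DNAT --to-destination {target[0]}:{target[2]}")

def translate(pf_text):
    commands, unsupported, quick, lazy = [], [], [], []  # returns (ordered commands, untranslated lines)
    for line in expand_macros(pf_text):
        tokens = shlex.split(line)
        try:
            if tokens[:3] == ["scrub", "in", "all"]:
                commands += SCRUB_APPROX
            elif tokens[0] in ("nat", "rdr"):
                commands.append(nat_to_iptables(tokens))
            elif tokens[0] in ("pass", "block"):
                (quick if "quick" in tokens else lazy).append(filter_to_iptables(parse_filter(tokens)))
            else:
                raise ValueError(f"directive {tokens[0]!r} not translated")
        except (ValueError, KeyError, IndexError) as exc:
            unsupported.append(f"{line}  # {exc}")
    if any("--ctstate NEW" in c for c in quick + lazy):  # 'keep state': flows bypass the ruleset
        commands += [f"iptables -A {ch} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
                     for ch in ("INPUT", "OUTPUT")]
    # pf: the first matching 'quick' rule wins, otherwise the LAST matching rule does.
    # iptables is first-match, so quick rules keep their order and the rest are reversed.
    return commands + quick + lazy[::-1], unsupported
```

Calling translate(SAMPLE_PF_CONF) yields the flag checks, the MASQUERADE and DNAT rules, the conntrack preamble, the quick OUTPUT rule, then the port-22 accept and finally the catch-all INPUT drop that pf's `block in all` became; the tag rule and the altq line come back in the untranslated list. Anything meant for real use would need pfctl's full grammar and a FORWARD-chain mapping for a router, and should be tried in a throwaway network namespace before being loaded on a real host.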