OpenBSD's Packet Filter... On Windows?

[n0cmonkey]

Over view.

The firewall is a Windows port of OpenBSD?s Packet Filter (PF), which has been trimmed and tailored to make it suitable for desktop systems and to minimize complexity.

Thread on misc@.

Isn't good software licensing grand? 😀

 

[Nothinman]

Yea, I saw one of there messages on BugTraq and wasn't sure what to think. I can't find it now, but one of their articles mentioned that they removed a lot of features of PF. I'm not sure if they removed them to speed up progress of the initial port or if they just figure things like NAT didn't belong in their product.

 

[n0cmonkey]

In this post on bugtraq someone from the company (coresecurity) has this to say:

(removed NAT, RDR, packet queing and normalization and packet tagging among other things)

I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused probablems for the end system though. 😕

Tagging might be interesting, but it would probably complicate things a lot, and most people wouldn't have a use for it. Especially on an end-user's system.

Definitely neat stuff though. If only Linux would adopt it... 😉

 

[Nothinman]

I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused probablems for the end system though.

That's the portion of pf that defrags fragmented packets and discards illegal ones, isn't it? You would think that would make their job easier, not harder. NAT would be nice so that you could make a Windows NAT router without installing ICS or RRAS, it would be especially nice if you could just edit the pf.conf file.

Definitely neat stuff though. If only Linux would adopt it...

There's no reason to, iptables is just as capable (probably more so because of the plugin architecture) even if it is a good bit more complicated.

 

[n0cmonkey]

Originally posted by: Nothinman

I think the only thing in that list that might be nice to have is packet normalization. I'm not sure if this might have caused probablems for the end system though.

That's the portion of pf that defrags fragmented packets and discards illegal ones, isn't it? You would think that would make their job easier, not harder. NAT would be nice so that you could make a Windows NAT router without installing ICS or RRAS, it would be especially nice if you could just edit the pf.conf file.

From the PF FAQ:

"Scrubbing" is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.

It'd be nice to have, but I'm guessing it wouldn't be easy with the NDIS framework. Plus, if Microsoft can't properly randomize the stuff that should be randomized why would these guys be able to? 😛

NAT would be fine I guess, but people should use something better than Windows for a gateway anyhow. 😉

Definitely neat stuff though. If only Linux would adopt it...

There's no reason to, iptables is just as capable (probably more so because of the plugin architecture) even if it is a good bit more complicated.

Everyone else is doing it! 😉

IPTables is fine, even if it's insanely complicated. It'd just be nice to have the same firewall software across the BSDs and Linux. It'd make things easier for some people (like me 🙂).

I also wish the other BSDs would drop IPFW and IPFilter and just standardize on Packet Filter. It'd properly make porting it to them easier, and they wouldn't drag behind quite as much.

 

[Nothinman]

IPTables is fine, even if it's insanely complicated. It'd just be nice to have the same firewall software across the BSDs and Linux. It'd make things easier for some people (like me ).

It would simplify some things, but it would force Linux to lose a lot of functionality.

I also wish the other BSDs would drop IPFW and IPFilter and just standardize on Packet Filter. It'd properly make porting it to them easier, and they wouldn't drag behind quite as much.

That makes a lot more sense, I would imagine that IPFW and IPF are pretty close to PF in functionality with PF probably having a slight lead so the conversion probably wouldn't be too difficult either.

Everyone else is doing it!

If that argument actually worked we'd all be running Windows =)

 

[n0cmonkey]

Originally posted by: Nothinman
It would simplify some things, but it would force Linux to lose a lot of functionality.

Not if Linux gave you the choice of which one you want to use. 😉

That makes a lot more sense, I would imagine that IPFW and IPF are pretty close to PF in functionality with PF probably having a slight lead so the conversion probably wouldn't be too difficult either.

They support PF (partially at least) already, so it would probably just require removing support for the others and finishing the PF port.

 

[Nothinman]

Not if Linux gave you the choice of which one you want to use.

And that would add complexity for no real gain. I suppose someone could write a netfilter plugin to handle whatever functionality is missing and then maybe a tool to convert pf rules to iptables commands, that would probably be the simplest route to take.