Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

• Previous message (by thread): Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
• Next message (by thread): Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jan 18, 2003 at 12:29:28PM -0500, ras at e-gerbil.net said:
[snip]
> As I understand OpenBSD's pf (which may not be complete so feel free to
> point out if I'm wrong), it isn't actually doing anything to compile
> normal packet lookups, it just added a non-sequential lookup engine for
> the truely "stateful" filtering that it does. While this is nice and all,
> it doesn't replace the functionality of normal rule-based filtering, and

From pf.conf(5):

     For each packet processed by the packet filter, the filter rules are
     evaluated in sequential order, from first to last.  The last matching
     rule decides what action is taken.

Does this not constitute rule-based filtering? Or am I misunderstanding you?
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030118/0c652ab5/attachment.sig>

• Previous message (by thread): Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
• Next message (by thread): Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]