ideal firewall solution
wes at softweyr.com
Mon Mar 29 21:44:55 PST 2004
On Monday 08 March 2004 08:12 pm, Darren Reed wrote:
> In some mail I received from Sam Leffler, sie wrote
> > > To me there is no clear winner.
> Agreed. The question that should have been asked and clearly
> answered is:
> What does FreeBSD gain from having pf in the base tree ?
> > > Honestly, i believe that the microcode-based approach of ipfw2 is
> > > a lot simpler to maintain and extend than the one used in pf
> > > (which resembles a lot the original ipfw), and dropping it would
> > > be a step backward.
> > > ipfw2 has some instructions (e.g. the 'address set') that greatly
> > > simplify the writing of rulesets.
> Has anone reviewed the Checkpoint patent with respect to whether
> or not ipfw2 violates it ?
> They patent an instruction/virtual mechanism for evaluating filter
> rules that is compiled by some user program. I haven't looked at
> it in detail because ipfw2 isn't my area of responsiblity but
> someone should (if they haven't.) When/if that is done, if someone
> can think about what it would be to use BPF instead of ipfw2 and
> if that makes any difference to the Checkpoint patent, I'd be
> further interested to know. Patent #5,606,668 - read clause 8.
Probably unenforceable, because as written it falls all over the earlier
work done in bpf and other sources. If they had patented it as a unique
application of packet filtering, it would probably fare better. As it
is, claim 8 is almost exactly a description of the workings of BPF or any
other microcoded filter, with the exception of the words "security rule."
IANAL, this is based on my (very probably shaky) memory of a legal
analysis done 6 years ago, at an employer where we were developing very
similar "code" to go in an ASIC while being a Checkpoint FW-1 source
customer. Sticky ground all around.
Where am I, and what am I doing in this handbasket?
Wes Peters wes at softweyr.com
More information about the cvs-src