|
BSDCon 2002 Abstract
Flexible Packet Filtering: Providing a Rich Toolbox
| Kurt J. Lidl |
Deborah G. Lidl |
Paul R. Borman |
| Zero Millimeter |
Wind River Systems |
Wind River Systems |
Abstract
The BSD/OS IPFW packet filtering system is a well engineered, flexible
kernel framework for filtering (accepting, rejecting, logging, or
modifying) IP packets. IPFW uses the well understood, widely available
Berkeley Packet Filter (BPF) system as the basis of its packet matching
abilities, and extends BPF in several straightforward areas. Since the
first implementation of IPFW, the system has been enhanced several times
to support additional functions, such as rate filtering, network address
translation (NAT), and traffic flow monitoring. This paper examines the
motivation behind IPFW and the design of the system. Comparisons with
some contemporary packet filtering systems are provided. Potential future
enhancements for the IPFW system are discussed.
- View the full text of this paper in
HTML,
PDF, and
PostScript. Until February 2003, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2002 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.
|
Need help? Use our Contacts page.
