Date: Wed, 8 Oct 2003 11:43:12 -0500
Subject: Re: Wind River news release...
From: Paul Borman
To: bsdi-users@mailinglists.org
Message-Id: <81E0B64D-F9AE-11D7-8BF2-000A9599FC6A@kryslix.com>

On Tuesday, October 7, 2003, at 01:29 PM, Merton Campbell Crockett wrote:

> The major problem with the BSD/OS IPFW Facility is that the man pages
> are not current. Unfortunately, neither are the descriptions provided
> in the BSD/OS 4.0 through 5.0 installation guides.

I have to agree with this statement, and without explanation, I will
also have to take responsibility for this unfortunate state of affairs
(the documentation, that is). As partial atonement I am attaching an
internal text document that was current as of April 19th, 2000. Due to
limits on this mailing list, it will be sent in a separate post.

It is still missing a few statements, such as the nexthop statement:

    set nexthop(address)

When used with the pre-output or forward filter, cause the interface
lookup to be based on "address" rather than the destination address.

It is also missing the 5.1 features that allow time of day and day of
week filtering (not heavily tested features):

    time(9:00-17:00) { ... }
    day (monday - friday) { ... }

Note that Monday is 0 and Sunday is 6. The compiler should probably
figure out what to do when you say

    day(saturday - tuesday)

but for now you would need to say

    day(saturday - sunday, monday - tuesday)

There is also the new "tcp request" condition which is true for SYN
packets that do not have any of the FIN|ACK|RST bits set. Established
now only allows ACK, RST, SYN|ACK, RST|ACK and FIN|ACK.

ipfwcmp allows -v to specify the IP version number to use by default
(the ipfw command automatically sets this flag depending on where the
filter is being inserted, IPv4 vs IPv6).
This might be the complete set of changes to the language since I wrote
that document.

> Basically, it has the "look and feel" of a facility that was developed
> for a firewall vendor with all the hooks in the "right" places.

I will take that as a compliment and thank you for it :-)

I spent several years in random discussion about firewalls, what they
should and should not do and talking to several friends about real
world problems prior to writing a single line of IPFW code. The very
early design and work was influenced by Jack Flory, Mike Karels, Bill
Cheswick, among others. Oh, and Chris Torek who was the first person to
talk with me about BPF and how BPF really didn't provide firewall type
filtering. That very ancient conversation was the real genesis of IPFW.

Many of the industrial strength features were added due to
conversations with and the needs of those whacky guys at UUNET. Who
else would want to filter peta-packets of information, AND KNOW WHERE
IT CAME FROM AND WENT TO?! Kurt Lidl and his team deserve special
recognition for their contribution to the evolution of IPFW.

I can be reached at my wrs.com mail address, which is simply prb, as
always. I, and many other BSD/OS engineers and tech support guys are
still at Wind River. BSDi's engineering manager is now the engineering
manager for Core Operating Systems at Wind River (he has been for some
time).

No one is happy about the EOL, but we all would have been less happy to
see BSDi go bankrupt in 2001 and the BSD/OS source be locked up by a
creditor. Having another 2 1/2 years was a good thing. Without Wind
River we would have never done BSD/OS 5.0 (I guess some of you debate
if that was a good thing :-)

Engineers are still hard at work getting 5.1 out. Thoughts of our
current and past customers are always there. It is sometimes hard to
understand that things can move slowly in a commercial enterprise, in
particular, non-revenue generating requests during a soft market.
(As a sobering note, since 2000 the future of BSD/OS has had little to
do with technology and a lot to do with other things.)

I personally hope that all of you continue to make successful
"upgrades" over time for your computing needs. I am sure Peter's work
will be of help to many of you.

I personally will most likely continue to use BSD/OS's IPFW for all my
filtering needs. All my servers run BSD/OS with no plans in place to
change that. My desktop, however, is a PowerBook. Not only was I able
to implement the IPv6 packet filtering for BSD/OS completely on my
PowerBook (thanks to Virtual PC and a re-compilation of the compilers),
I can edit movies and, as of my last hardware upgrade, burn DVD's. I
have been a Mac user since 1987, but only MacOS X had enough of the
right stuff to make it a viable desktop for me.

And a pox onto all those who think microsoft word documents are a
standard for information sharing (yes, I have office).

-Paul
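
The "tcp request" and "established" conditions described in the message above, written out as an added C example (not BSD/OS or IPFW source, and not part of the original post). It assumes only the SYN, FIN, RST and ACK bits take part in the match, so PSH and URG are ignored; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

/* Assumption: only these four bits are compared. */
#define TH_CTRL (TH_SYN | TH_FIN | TH_RST | TH_ACK)

/* "tcp request": SYN set and none of FIN|ACK|RST set. */
int tcp_is_request(uint8_t flags)
{
    return (flags & TH_SYN) && !(flags & (TH_FIN | TH_ACK | TH_RST));
}

/* "established": ACK, RST, SYN|ACK, RST|ACK or FIN|ACK and nothing else. */
int tcp_is_established(uint8_t flags)
{
    static const uint8_t allowed[] = {
        TH_ACK, TH_RST, TH_SYN | TH_ACK, TH_RST | TH_ACK, TH_FIN | TH_ACK
    };
    uint8_t ctrl = flags & TH_CTRL;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (ctrl == allowed[i])
            return 1;
    return 0;
}

/* Label a flag byte; "neither" means both conditions are false. */
const char *classify(uint8_t flags)
{
    if (tcp_is_request(flags)) return "request";
    if (tcp_is_established(flags)) return "established";
    return "neither";
}

int main(void)
{
    /* Constructed sample flag bytes, not captured traffic. */
    const uint8_t samples[] = { TH_SYN, TH_SYN | TH_ACK, TH_PSH | TH_ACK,
        TH_FIN | TH_ACK, TH_SYN | TH_FIN, TH_FIN, 0, TH_SYN | TH_RST };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("0x%02x %s\n", samples[i], classify(samples[i]));
    return 0;
}
```

Combinations such as SYN|FIN, a bare FIN, or no flags at all satisfy neither condition, so a filter built from only these two tests needs an explicit rule for them.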