2002 FREENIX Track Technical Program - Abstract
Design and Performance of the OpenBSD Stateful Packet Filter (pf)
Daniel Hartmeier, Systor AG
Abstract
As more and more hosts are connected to the Internet, securing the
networks they belong to has become correspondingly more important.
One mechanism to provide enhanced security for a network is to filter
out potentially malicious network packets.
Firewalls are designed to provide "policy-based" network filtering.
A firewall may consist of several components. Its key component is
usually a packet filter. The packet filter may be stateful to reach
more informed decisions. The state allows the packet filter to keep
track of established connections so that arriving packets can be
associated with them. On the other hand, a stateless packet filter
bases its decisions solely on individual packets.
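The stateless/stateful distinction described above, as an added illustration that is not from the paper and not pf's own code: a constructed TCP packet trace is run through a toy stateless filter (which can only admit replies by the classic "ACK or RST set means established" heuristic) and a toy stateful filter that records connections opened from the inside and admits only packets matching a recorded connection. The addresses, ports, trace and the rule that only an outbound initial SYN may create state are all constructed for the example.

```python
"""Toy stateless vs. stateful TCP packet filter on a constructed trace.

This is an added illustration, not code from the paper or from pf.
Both filters are meant to enforce the same policy: hosts behind the
firewall may open TCP connections to the outside, and nothing outside
may open a connection inward.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = leaving the protected network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}


def stateless_decide(pkt: Packet) -> bool:
    """Stateless filter: judges every packet on its own header only.

    With no memory of connections, the only way to let replies in is the
    classic "established" heuristic: an inbound packet with ACK or RST set
    is assumed to belong to a connection the inside opened. The filter
    cannot tell a genuine reply from a forged ACK aimed at a closed port.
    """
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Stateful filter: remembers each connection opened from the inside and
    admits only packets that belong to a remembered connection."""

    def __init__(self) -> None:
        # Each state is keyed (inside_addr, inside_port, outside_addr, outside_port).
        self.states: set = set()

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, int, str, int]:
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        # Toy policy choice: only an outbound initial SYN may create state.
        if pkt.direction == "out" and pkt.flags == frozenset({"SYN"}):
            self.states.add(key)
            return True
        # Everything else, in either direction, must match existing state.
        if key not in self.states:
            return False
        # RST ends the connection; later packets for it are unsolicited again.
        # (A real filter also tracks the FIN handshake and expires idle states.)
        if "RST" in pkt.flags:
            self.states.discard(key)
        return True


# Constructed addresses and trace (documentation ranges, not real hosts).
CLIENT, SERVER, ATTACKER = "10.0.0.5", "198.51.100.80", "203.0.113.9"

TRACE: List[Packet] = [
    Packet("out", CLIENT, 40001, SERVER, 80, frozenset({"SYN"})),        # 0 client opens connection
    Packet("in", SERVER, 80, CLIENT, 40001, frozenset({"SYN", "ACK"})),  # 1 server's handshake reply
    Packet("out", CLIENT, 40001, SERVER, 80, frozenset({"ACK"})),        # 2 handshake completes
    Packet("in", ATTACKER, 4444, CLIENT, 22, frozenset({"SYN"})),        # 3 port scan: SYN to ssh
    Packet("in", ATTACKER, 4444, CLIENT, 22, frozenset({"ACK"})),        # 4 forged "established" ACK
    Packet("in", SERVER, 80, CLIENT, 40001, frozenset({"ACK"})),         # 5 legitimate data from server
    Packet("in", SERVER, 80, CLIENT, 40001, frozenset({"RST"})),         # 6 server aborts connection
    Packet("in", SERVER, 80, CLIENT, 40001, frozenset({"ACK"})),         # 7 late packet after teardown
]


def stateless_results(trace: List[Packet] = TRACE) -> List[bool]:
    """Pass/block verdict of the stateless filter for each packet in order."""
    return [stateless_decide(p) for p in trace]


def stateful_results(trace: List[Packet] = TRACE) -> List[bool]:
    """Pass/block verdict of a fresh stateful filter for each packet in order."""
    f = StatefulFilter()
    return [f.decide(p) for p in trace]


if __name__ == "__main__":
    for i, (p, a, b) in enumerate(zip(TRACE, stateless_results(), stateful_results())):
        flags = "+".join(sorted(p.flags))
        print(f"{i} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {flags:8} "
              f"stateless={'pass' if a else 'block'} stateful={'pass' if b else 'block'}")
```

Packets 4 and 7 are where the two approaches diverge: the stateless filter passes the forged ACK to port 22 and the stale ACK after the RST because both carry the "established" bit pattern, while the stateful filter blocks them because no tracked connection matches. Both filters block the plain SYN scan (packet 3), which is all a stateless filter can do with unsolicited traffic.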
With release 3.0, OpenBSD includes a new Stateful Packet Filter
(pf) in the base install.
pf implements traditional packet filtering with some additional
novel algorithms.
This paper describes the design and implementation of pf and
compares its scalability and performance with existing packet filter
implementations.
- View the full text of this paper in HTML, PDF, and Postscript.
The Proceedings are published as a collective work, © 2002 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.