Design and Performance of the OpenBSD Stateful Packet Filter (pf)

Abstract: 

With more and more hosts being connected to the Internet, the importance of securing connected networks has increased, too. One mechanism to provide enhanced security for a network is to filter out potentially malicious network packets. Firewalls are designed to provide "policy-based" network filtering.

A firewall may consist of several components. Its key component is usually a packet filter. The packet filter may be stateful in order to reach more informed decisions: the state allows the packet filter to keep track of established connections so that arriving packets can be associated with them. A stateless packet filter, on the other hand, bases its decisions solely on the individual packet in front of it. With release 3.0, OpenBSD includes a new Stateful Packet Filter (pf) in the base install. pf implements traditional packet filtering with some additional novel algorithms. This paper describes the design and implementation of pf and compares its scalability and performance with existing packet filter implementations.
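The stateful-versus-stateless distinction the abstract draws, as an added illustration that is not code from the paper or from pf itself: a toy model in which a stateless filter can only approximate "reply traffic" by looking at the packet (here, the TCP ACK flag, which any sender can set), while a stateful filter admits an inbound packet only if it matches the reverse of a connection it has already seen leave. The class names, the traffic and the addresses are constructed for the example.

```python
# Added example, not pf's implementation: a minimal model of stateful vs.
# stateless filtering. Names, packets and addresses are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" (our host -> Internet) or "in" (Internet -> our host)
    proto: str
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    ack: bool = False  # TCP ACK flag set


class StatelessFilter:
    """Decides on each packet alone. Outbound traffic is allowed; inbound
    traffic is allowed only if it looks like a reply (ACK set) - a property
    of the packet itself, so a forged packet satisfies it just as well."""

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            return "pass"
        return "pass" if p.ack else "block"


class StatefulFilter:
    """Every passed outbound packet records a state entry keyed by
    (proto, src, dst). An inbound packet passes only if it is the reverse of
    an existing entry, i.e. it belongs to a connection we initiated."""

    def __init__(self):
        self.states = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            self.states.add((p.proto, p.src, p.dst))
            return "pass"
        if (p.proto, p.dst, p.src) in self.states:   # reversed tuple
            return "pass"
        return "block"


def run(flt, packets):
    """Return the filter's decision for each packet, in order."""
    return [flt.decide(p) for p in packets]


# Constructed traffic: one legitimate web connection and its reply, then an
# unsolicited inbound packet with ACK set that belongs to no known connection.
CLIENT, WEB = ("192.0.2.10", 40000), ("198.51.100.5", 80)
TRAFFIC = [
    Packet("out", "tcp", CLIENT, WEB),                                    # our SYN
    Packet("in", "tcp", WEB, CLIENT, ack=True),                           # genuine reply
    Packet("in", "tcp", ("203.0.113.9", 1234), ("192.0.2.10", 22), ack=True),  # unsolicited
]

if __name__ == "__main__":
    print(run(StatelessFilter(), TRAFFIC))  # ['pass', 'pass', 'pass']
    print(run(StatefulFilter(), TRAFFIC))   # ['pass', 'pass', 'block']
```

The third packet is the case the state table exists for: the stateless rule has no way to tell it apart from the genuine reply, whereas the stateful filter blocks it because no outbound packet ever created the matching entry.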

BibTeX
@inproceedings {270651,
author = {Daniel Hartmeier},
title = {Design and Performance of the {OpenBSD} Stateful Packet Filter (pf)},
booktitle = {2002 USENIX Annual Technical Conference (USENIX ATC 02)},
year = {2002},
address = {Monterey, CA},
url = {https://www.usenix.org/conference/2002-usenix-annual-technical-conference/design-and-performance-openbsd-stateful-packet},
publisher = {USENIX Association},
month = jun
}