ideal firewall solution
Wes Peters
wes at softweyr.com
Mon Mar 29 21:44:55 PST 2004
On Monday 08 March 2004 08:12 pm, Darren Reed wrote:
> In some mail I received from Sam Leffler, sie wrote
>
> > > To me there is no clear winner.
>
> Agreed. The question that should have been asked and clearly
> answered is:
>
> What does FreeBSD gain from having pf in the base tree ?
>
> > > Honestly, i believe that the microcode-based approach of ipfw2 is
> > > a lot simpler to maintain and extend than the one used in pf
> > > (which resembles a lot the original ipfw), and dropping it would
> > > be a step backward.
> > > ipfw2 has some instructions (e.g. the 'address set') that greatly
> > > simplify the writing of rulesets.
>
> Has anyone reviewed the Checkpoint patent with respect to whether
> or not ipfw2 violates it ?
>
> They patent an instruction/virtual mechanism for evaluating filter
> rules that is compiled by some user program. I haven't looked at
> it in detail because ipfw2 isn't my area of responsibility but
> someone should (if they haven't.) When/if that is done, if someone
> can think about what it would be to use BPF instead of ipfw2 and
> if that makes any difference to the Checkpoint patent, I'd be
> further interested to know. Patent #5,606,668 - read clause 8.
Probably unenforceable, because as written it falls all over the earlier
work done in bpf and other sources. If they had patented it as a unique
application of packet filtering, it would probably fare better. As it
is, claim 8 is almost exactly a description of the workings of BPF or any
other microcoded filter, with the exception of the words "security rule."
IANAL, this is based on my (very probably shaky) memory of a legal
analysis done 6 years ago, at an employer where we were developing very
similar "code" to go in an ASIC while being a Checkpoint FW-1 source
customer. Sticky ground all around.
--
Where am I, and what am I doing in this handbasket?
Wes Peters wes at softweyr.com
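As an added illustration (not code from this thread, from ipfw2, from BPF or from the patent) of the compiled-instruction filter model the quoted messages contrast with rule-by-rule matching, here is a minimal evaluator with a set-membership instruction of the kind the 'address set' remark above refers to; the opcode names, structures, policy and addresses are all hypothetical:

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical filter "microcode": a user program compiles rules into these
 * instructions and a small evaluator runs them per packet. Opcodes, struct
 * names and addresses are constructed here, not ipfw2's or BPF's encoding. */
enum op { LD_SADDR, LD_DPORT, JEQ, JSET, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; }; /* jt/jf: forward-only jumps */
struct pkt  { uint32_t saddr; uint16_t dport; };

/* Constructed address set (10.0.0.5 and 10.0.0.9, host order). One
 * set-membership instruction replaces a compare-and-jump per address. */
static const uint32_t blocked_set[] = { 0x0a000005u, 0x0a000009u };
static int in_set(uint32_t a) {
    for (size_t i = 0; i < sizeof blocked_set / sizeof blocked_set[0]; i++)
        if (blocked_set[i] == a) return 1;
    return 0;
}

/* Evaluate a program against one packet: 1 = pass, 0 = drop. Jumps only go
 * forward, so evaluation terminates; running off the end fails closed. */
int run_filter(const struct insn *prog, size_t n, const struct pkt *p) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_SADDR: acc = p->saddr; pc++; break;
        case LD_DPORT: acc = p->dport; pc++; break;
        case JEQ:  pc += 1 + (acc == i->k ? i->jt : i->jf); break;
        case JSET: pc += 1 + (in_set(acc)  ? i->jt : i->jf); break;
        case RET:  return (int)i->k;
        }
    }
    return 0;
}

/* "Compiled" policy: drop sources in blocked_set; pass dport 80 or 443; else drop. */
static const struct insn policy[] = {
    { LD_SADDR, 0,   0, 0 },
    { JSET,     0,   4, 0 }, /* member -> RET 0 (index 6), else fall through */
    { LD_DPORT, 0,   0, 0 },
    { JEQ,      80,  1, 0 }, /* 80  -> RET 1 (index 5) */
    { JEQ,      443, 0, 1 }, /* 443 -> RET 1 (index 5), else RET 0 (index 6) */
    { RET,      1,   0, 0 },
    { RET,      0,   0, 0 },
};
int verdict(uint32_t saddr, uint16_t dport) {
    struct pkt p = { saddr, dport };
    return run_filter(policy, sizeof policy / sizeof policy[0], &p);
}
```

The point is structural: the policy is data handed to a fixed evaluator, so changing rules means recompiling the instruction array, not changing kernel code.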
More information about the cvs-src mailing list