With more and more hosts being connected to the Internet, the importance of securing connected networks has increased, too. One mechanism to provide enhanced security for a network is to filter out potentially malicious network packets. Firewalls are designed to provide “policy-based” network filtering. A firewall may consist of several components. Its key component is usually a packet filter. The packet filter may be stateful to reach more informed decisions. The state allows the packet filter to keep track of established connections so that arriving packets could be associated with them. On the other hand, a stateless packet filter bases its decisions solely on individual packets. With release 3.0, OpenBSD includes a new Stateful Packet Filter (pf) in the base install. pf implements traditional packet filtering with some additional novel algorithms. This paper describes the design and implementation of pf and compares its scalability and performance with existing packet filter implementations.
[1]
David Watson,et al.
Transport and application protocol scrubbing
,
2000,
Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).
[2]
Scott O. Bradner,et al.
Benchmarking Methodology for Network Interconnect Devices
,
1999,
RFC.
[3]
Steven McCanne,et al.
The BSD Packet Filter: A New Architecture for User-level Packet Capture
,
1993,
USENIX Winter.
[4]
Mark Handley,et al.
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
,
2001,
USENIX Security Symposium.