Two different things entirely: "packet filter" and "gateway screen"
Jeffrey Mogul
mogul at wrl.dec.com
Thu May 9 04:35:16 AEST 1991
In article <1991May07.195428.17658 at decuac.dec.com> mjr at hussar.dco.dec.com (Marcus J. Ranum) writes:
>taku at cathedral.cerc.wvu.wvnet.edu (Takumei So) writes:
>
>> The machine I'm using is an ultrix machine, DECstation 5000 running
>>ULTRIX V4.0 Rev.179. I'm running it as su, and the interface is set to
>>promiscuous mode.
>> Any help, or example codes for using packetfilter, will be greatly
>>appreciated!!!
>
> I think 4.2 comes with the packet screen daemon - which is a table
>driven packet filterer - very useful for screened IP gateways. I don't know
>if the source to it is something that can be given out or not. I'll defer
>to the author.

Thanks for the deference, Marcus, but it looks like I've managed to
confuse you along with everyone else.

There are two ENTIRELY DIFFERENT AND UNRELATED facilities in Ultrix,
both of which I must take some blame for.

The "packet filter", introduced in Ultrix 4.0 (but quite similar to
half a dozen versions floating around in other systems), is a way
for user programs to get direct access to the Ethernet (or FDDI, for
that matter). This is used for implementing network monitoring
programs (e.g., "tcpdump"), and may also be used for easy implementation
of new protocol packages (e.g., the Stanford "Pup" code and the
CAP package). See the paper in Proc. SOSP-11.

The "gateway screen", introduced in Ultrix 4.2, is a facility that
allows you to control which IP packets are forwarded by your system
when it is used as an IP packet router (a.k.a. "gateway"). It is
meant to be used as part of a "firewall" gateway. I'm busy writing
a paper on how to use it; a paper on how it works is in Proc. Summer
1989 USENIX Conf.

Yes, I know that the "gateway screen" does what other people (e.g.,
cisco) call "packet filtering". If I had a chance to go back in time,
I would have named the "packet filter" something else (the "packet matcher"
or something like that). But the "packet filter" was named 12 years ago,
by someone else, long before most people had even considered running
a filtering router (and before most people had even heard of IP).

I'm sure I'll be disentangling this name-confusion for the next 20 years,
so I'm saving a copy of this message!

-Jeff