Date:      Mon, 20 Dec 1999 12:47:28 -0800 (PST)
From:      Archie Cobbs <archie@whistle.com>
To:        klh@netcom.com (Ken Harrenstien)
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: ipfw feature requests
Message-ID:  <199912202047.MAA22877@bubba.whistle.com>
In-Reply-To: <CMM.0.90.4.945324662.klh@netcom3.netcom.com> from Ken Harrenstien at "Dec 15, 1999 10:11:02 pm"

Ken Harrenstien writes:
> IPFW is an amazingly useful and impressive piece of work.
> Nevertheless, while wrestling a bit trying to write a new ruleset for
> a 4-interface (!) firewall/gateway, I came up with the following
> wishlist.  A cursory inspection of netinet/ip_fw.c suggests that these
> might be possible to implement without too much pain, if TPTB decide
> they are worthy...
> 
> [1] Provide some way to easily match packets that originate from or
>     are destined for the local host, regardless of the IP address.
>     Some approaches:
> 
>     [a] Add "local" as an acceptable keyword for <src> or <dst>.
>     Thus "deny all from not local to local" suppresses attempts to contact
>     the gateway as a host, while allowing packet forwarding to continue.
> 
>     [b] Add "local" as a pseudo-interface name, to match packets that have
>     no interface.  Thus "out recv local" would match packets
>     originating from the local host.  I wish this could also be used
>     to catch packets destined for the local host, but unfortunately
>     "in xmit local" won't work as "xmit" can only be used/checked with
>     "out" packets, sigh...
> 
>     [c] Allow boolean negation of each interface specification; then you can
>     say "not any" which would be synonymous with "local" per [b].
>     Note that this feature would be very handy in general as it can
>     be used with all of the existing interface specs.

I think [b] is best. But note that you don't know an incoming packet
is local at the time ipfw looks at it because it hasn't been routed yet.
So this would only work for outgoing packets.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
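Added example, not part of the thread and not code from either poster or from FreeBSD: one way to get the effect of Ken's "deny all from not local to local" with the ipfw syntax of the time, which has no "local" keyword. Since ipfw cannot tell on input whether a packet is for the gateway itself (Archie's point: it has not been routed yet), the rules key on the destination address instead, which is known before routing. The four addresses and the rule numbers are constructed sample values for a hypothetical 4-interface box; the script only prints the ipfw commands, so it can be reviewed before being fed to sh on the gateway.

```shell
#!/bin/sh
# Generate ipfw(8) rules that refuse traffic addressed to the gateway's own
# IP addresses while leaving forwarded traffic alone.  There is no "local"
# keyword in this ipfw syntax, so the gateway's addresses are passed in
# explicitly.  Output is text; nothing is installed by running this script.

# Arguments: base rule number, then the gateway's own addresses.
local_deny_rules() {
    base=$1; shift
    n=$base
    # Local-to-local traffic rides lo0 and must keep working.
    echo "ipfw add $n allow ip from any to any via lo0"
    for addr in "$@"; do
        n=$((n + 1))
        # The destination address is known on input before routing, so
        # this matches inbound packets aimed at the gateway itself, which
        # an interface-based "local" test could not do.
        echo "ipfw add $n deny ip from any to $addr"
    done
    # Anything reaching this point is not addressed to us: it is being
    # forwarded.  Real forwarding policy would replace this catch-all.
    n=$((n + 1))
    echo "ipfw add $n allow ip from any to any"
}

# Constructed sample: one address per interface of a 4-interface gateway.
SAMPLE_ADDRS="192.0.2.1 198.51.100.1 203.0.113.1 10.0.0.1"

# Number of rules generated for the sample (lo0 allow + one deny per
# address + final allow).
rule_count() {
    local_deny_rules 1000 $SAMPLE_ADDRS | wc -l | tr -d ' '
}

local_deny_rules 1000 $SAMPLE_ADDRS
```

The weakness of this approach is exactly what the wishlist is about: the address list is frozen into the ruleset, so renumbering an interface or adding an alias silently reopens the gateway until the rules are regenerated. Later ipfw releases added a `me` keyword that matches any address configured on the system (`deny ip from any to me`), which removes that maintenance burden.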




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912202047.MAA22877>