Date: Tue, 27 Feb 1996 09:52:46 -0800 (PST) From: "Jonathan M. Bresler" <jmb> To: freebsd-security Subject: strawman comments Message-ID: <199602271752.JAA07451@freefall.freebsd.org>
index | next in thread | raw e-mail
i want to able to filter on both incoming and outgoing interfaces.
if0 is accounting
if1 is engineering
if2 is marketing
no traffic from marketing to engineering
allow traffic from engineering to marketing
allow traffic from marketing to accounting
allow traffic from accounting to marketing
allow traffic from accounting to engineering
allow traffic from engineering to marketing
this can be done using ip addresses (or ranges)
but specifying interfaces is easier, and i wont let me forget any
(sub)nets
it does not seems to be possible to filter on both interfaces from
the strawman. this may be a real bear to implement in the kernel
only after the route is chosen can the rule be applied. the packet has
to carry around information regarding which interface it arrived on.
(ugh.)
warning the following may be just "persnickitiness" on my part.
actions:
it is implied that all actions are mutually exclusive. "count"
could be combined with any of the other actions. should state
mall actions are mutually exclusive.
count action:
strawman says "counters are updated, but the rule doesnt match
the packet, and the next rule is tried." man page says "update
counters for all packets that match rule. The search continues
with the next rule."
this confuses me. i guess that "but the rule doesnt match" means
that "count" is never the last rule applied. "rules are applied in
numerical order until one of them matches the packet" implying that
once a match occurs ipfw applies the actions specified in that rule
and stops processing that packet. we dont want "count" to be a
terminal rule, so it must not match, ever. this exception
is needed because "count" cant be combined with any other action.
should ipfw be changed to allow "count" to combine with any other
action? we would then need a "continue" action to let us count
all packets of a general type, some of which we will later drop,
others we will accept.
on the external interface:
i want to count all inbound nnrp (but continue processing rules)
i want to accept and count inbound nnrp from allowed news readers
i want to drop, cound and log all other nnrp packets
should should "count" be a modifier like "syslog"? not an action
like "accept"?
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602271752.JAA07451>