Date: 28 Feb 1996 06:41:30 -0600
From: "Richard Wackerbarth" <rkw@dataplex.net>
To: "freebsd-security@freefall.freebsd.org" <freebsd-security@freefall.freebsd.org>, "Jonathan M. Bresler" <jmb@freefall.freebsd.org>
Subject: Re: strawman comments
Message-ID: <n1386632787.64777@Richard Wackerbarth>
On 2/27/96 at 5:52:46 PM Jonathan M. Bresler wrote:

> I want to be able to filter on both incoming and outgoing interfaces.
> if0 is accounting
> this can be done using ip addresses (or ranges) but specifying interfaces
> is easier, and it won't let me forget any (sub) nets

Here is my contribution for the "thought pot".

Let me point out that the "best" solution may be to have two filter languages. The external language can be compiled into rules that the kernel "executes".

I think that there is a good argument for being able to use either interface (particularly for firewall) and ip address (particularly for accounting) to specify a rule.

I am concerned about the use of one set of integers to determine both the priority and the link between rules and the interfaces to which they apply. Editing such a scheme "on the fly" can be difficult, if not impossible.

I think that a more auditable scheme is to have one filter set for incoming and one set for outgoing.

Perhaps we should use a two-stage filter. On input, first apply the interface filter, then apply the common filter. On output, first apply the common filter, then apply the interface filter.

Richard Wackerbarth
rkw@dataplex.net

Sent with a test-drive version of CTM PowerMail 1.0.6 <http://www.ctm.ch>
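As an added illustration (not code from the mail or from FreeBSD), the pipeline Richard sketches modelled in Python: separate input and output rule sets, each split into an interface stage and a common stage, applied in opposite order for the two directions. The interface names (if0 external, if1 internal), ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the two-stage filter proposed above (added example).

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters or leaves on, e.g. "if0"
    dport: int      # destination port; enough to drive the example

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None matches every interface
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in (None, pkt.iface)
                and self.dport in (None, pkt.dport))

class TwoStageFilter:
    """First matching rule anywhere in the pipeline decides the packet."""

    def __init__(self, iface_rules: dict, common_rules: dict) -> None:
        self.iface_rules = iface_rules    # {"in": [Rule...], "out": [...]}
        self.common_rules = common_rules  # {"in": [Rule...], "out": [...]}

    def stages(self, direction: str) -> List[Tuple[str, List[Rule]]]:
        # Input: interface stage, then common. Output: the reverse.
        iface = ("interface", self.iface_rules[direction])
        common = ("common", self.common_rules[direction])
        return [iface, common] if direction == "in" else [common, iface]

    def decide(self, pkt: Packet, direction: str) -> Tuple[str, str]:
        """Return (verdict, stage that decided, or 'default' if none matched)."""
        for name, rules in self.stages(direction):
            for rule in rules:
                if rule.matches(pkt):
                    return rule.action, name
        return "allow", "default"

# Constructed policy: if0 is the external link, if1 the internal LAN.
fw = TwoStageFilter(
    iface_rules={"in":  [Rule("deny", iface="if0", dport=23)],  # no telnet from outside
                 "out": [Rule("allow", iface="if1")]},            # anything may go to the LAN
    common_rules={"in":  [Rule("deny", dport=111)],              # portmapper blocked everywhere
                  "out": [Rule("deny", dport=25)]},              # no outbound SMTP at all
)

if __name__ == "__main__":
    for pkt, d in [(Packet("if0", 23), "in"), (Packet("if1", 25), "out")]:
        print(d, pkt, fw.decide(pkt, d))
```

Because the common stage runs first on output, the outbound SMTP deny wins over the interface stage's blanket allow for if1; with the input ordering the interface allow would have decided instead.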
