From owner-freebsd-hackers  Mon Aug  2  7:45:10 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25])
	by hub.freebsd.org (Postfix) with ESMTP
	id 885DE14EBB; Mon,  2 Aug 1999 07:44:54 -0700 (PDT)
	(envelope-from joe@florence.pavilion.net)
Received: (from joe@localhost)
	by florence.pavilion.net (8.9.3/8.8.8) id PAA13066;
	Mon, 2 Aug 1999 15:40:24 +0100 (BST)
	(envelope-from joe)
Date: Mon, 2 Aug 1999 15:40:23 +0100
From: Josef Karthauser <joe@pavilion.net>
To: Sergey Babkin <babkin@bellatlantic.net>
Cc: Warner Losh <imp@village.org>, Wes Peters <wes@softweyr.com>,
	Matthew Dillon <dillon@apollo.backplane.com>,
	"Brian F. Feldman" <green@FreeBSD.ORG>,
	"Jordan K. Hubbard" <jkh@zippy.cdrom.com>, hackers@FreeBSD.ORG
Subject: Re: So, back on the topic of enabling bpf in GENERIC...
Message-ID: <19990802154023.I60728@pavilion.net>
References: <37A3B701.851DF00B@softweyr.com> <Pine.BSF.4.10.9907301619280.6951-100000@janus.syracuse.net> <199907302342.RAA85088@harmony.village.org> <37A25361.34799F96@bellatlantic.net> <199907310140.SAA95581@apollo.backplane.com> <199908010416.WAA95811@harmony.village.org> <37A45712.58700F7B@bellatlantic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <37A45712.58700F7B@bellatlantic.net>; from Sergey Babkin on Sun, Aug 01, 1999 at 10:17:54AM -0400
X-NCC-RegID: uk.pavilion
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England
Phone: +44-845-333-5000
Fax: +44-845-333-5001
Mobile: +44-403-596893
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Aug 01, 1999 at 10:17:54AM -0400, Sergey Babkin wrote:
> Warner Losh wrote:
> > 
> > In message <37A3B701.851DF00B@softweyr.com> Wes Peters writes:
> > : Do we have a list of all services that use bpf?  I'm willing to edit the man
> > : pages, given a list.  I guess I could just grep-o-matic here, huh?
> > 
> > Yes.  I'm also in a holding off pattern until we know the exact impact
> > for all daemons that use this...
> 
> I think I found a solution that may be better (although more complicated):
> 
> Let the sysadmin to define a bpf filter for the packets that are considered
> OK (say, DHCP or RARP or RBOOT or whatever else this installation needs for
> normal functioning). Provide some typical examples.
> 
> After this filter is defined and the system goes to a higher security
> level bpf first applies this filter to all the incoming packets, and only
> if they pass this filter they are checked for application-specified filters.
> If there is no such "master" filter defined then bpf can just deny
> new open()s as proposed earlier. This will allow the applications to 
> use bpf but only for the purposes defined in the master filter. This 
> also resolves the problem of services re-opening bpf after SIGHUP.
> 

I like this.  I'd prefer the default to be that bpf forwards all
packets, unless there is a template filter defined.  I see no reason
to change access to bpf at higher secure levels, because a master
filter can be installed at boot time to do this work.  Of course
we may have an equivalent of 'IPFIREWALL_DEFAULT_TO_ACCEPT' to
accomodate this.

Joe
-- 
Josef Karthauser	FreeBSD: How many times have you booted today?
Technical Manager	Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message