From owner-freebsd-hackers Mon Feb 26 13:34:57 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA18888 for hackers-outgoing; Mon, 26 Feb 1996 13:34:57 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA18879 for ; Mon, 26 Feb 1996 13:34:54 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id PAA16026; Mon, 26 Feb 1996 15:34:06 -0600
From: Joe Greco
Message-Id: <199602262134.PAA16026@brasil.moneng.mei.com>
Subject: Re: IP filtering strawman, comments please.
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Mon, 26 Feb 1996 15:34:06 -0600 (CST)
Cc: hackers@freebsd.org
In-Reply-To: <12238.825366315@critter.tfs.com> from "Poul-Henning Kamp" at Feb 26, 96 09:25:15 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
Precedence: bulk

Wow.

That's all I have to say! That's very artsy.

"divert", what an excellent idea!!! "where a user-mode process can have fun
with it"... I nearly split in two when I read that. Show me a Cisco that
can automatically analyze and keep statistics about where dropped packets had
been coming from!! That would be like an ultimate firewall.

I'm proud to be wearing my "Free The Berkeley 4.4" T-shirt today!!

Wait. One thing:

> Interface matches name
> Interface matches IP.

IF it is easy to do, "Interface matches type" (i.e. driver type, let's say
you want to toss a filter on ALL "ppp" or "sl" devices). I am thinking
mainly about trying to easily implement a rule such as:

"drop all routing packets coming in via SLIP"

which might be mildly trickier to specify using more specific rules. This
would only be useful to the ISP community - where 16 or 32 SLIP lines is
hardly unusual - but it WOULD be useful to them, if you can easily
accomplish it.

On the other hand, what you have outlined is very comprehensive as it
stands, IMHO.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                              jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                          414/546-7968