From owner-freebsd-hackers Sun Jan 5 05:30:12 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA29317 for hackers-outgoing; Sun, 5 Jan 1997 05:30:12 -0800 (PST) Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA29278 for ; Sun, 5 Jan 1997 05:29:56 -0800 (PST) Message-Id: <199701051329.FAA29278@freefall.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA110270894; Mon, 6 Jan 1997 00:28:14 +1100 From: Darren Reed Subject: Re: file locking / firewalling based on uid/gid To: proff@iq.org (Julian Assange) Date: Mon, 6 Jan 1997 00:28:14 +1100 (EDT) Cc: hackers@FreeBSD.ORG In-Reply-To: <199701022334.KAA16149@profane.iq.org> from "Julian Assange" at Jan 3, 97 10:34:34 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk In some mail from Julian Assange, sie said: > > In some mail from Julian Assange, sie said: > > [...] > > > # ipfw add pass tcp from any to any established gid inetd > > > # ipfw add padd tcp from any to any 21,79 setup in gid inetd > > > > I don't think that is a good way (or the right place) to do access control > > for TCP/IP. Firstly, on a gateway, not all TCP packets are likely to have > > a gid (or for there to be one which is "findable") and secondly, where > > the current hooks are, you will cause two tcpb lookups to occur for the > > same packet. > > Bypassed these limitations by hooking input firewall checks into > the individual proto_sw routines just after the tcbp hash lookups. > Requires two scans of the firewall rule-set for inbound host packets, > but this has almost no overhead, because the first scan doesn't do > the checks of the second and vica-versa. The ipfw rule-set flows > sequentially without jumps, permitting this optimisation to work. Maybe, but the scan is still O(N) where N is the size of the list, not O(n) (where n is the applicable rules). Actually, I think it is a bad idea to have both types on the same list as the output of an ACL listing is confusing due to the "skipping". Making two separate lists solves both of these problems. > Output checks were unified by comparison, requiring only the passing > of (the new) socket credential information into ip_output(), where > it is passed onto the regular fw hook. Hmmmmm. Makes me think of SEoS which gives you user/group level access control on all system calls on Unix. Having said that, I think that access control via the system call (rather than sticking hooks into the kernel at strange places) is much neater. (To me, filtering based on UID implies you're doing things at a higher level than normal packet filtering and should be a separate beast rather than coming up with kludges to extend ipfw. Heck, there are many more and different checks you can make, for a start...). Darren