From owner-freebsd-security  Wed Feb  3 11:18:40 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA05383
          for freebsd-security-outgoing; Wed, 3 Feb 1999 11:18:40 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA05367;
          Wed, 3 Feb 1999 11:18:38 -0800 (PST)
          (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id OAA13256;
	Wed, 3 Feb 1999 14:18:17 -0500 (EST)
	(envelope-from wollman)
Date: Wed, 3 Feb 1999 14:18:17 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <199902031918.OAA13256@khavrinen.lcs.mit.edu>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>,
        "Jonathan M. Bresler" <jmb@FreeBSD.ORG>,
        woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump 
In-Reply-To: <199902031756.JAA74538@apollo.backplane.com>
References: <199902022137.NAA07900@hub.freebsd.org>
	<9575.918011566@zippy.cdrom.com>
	<199902031717.KAA29988@mt.sri.com>
	<199902031756.JAA74538@apollo.backplane.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Wed, 3 Feb 1999 09:56:43 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said:

>     What if we extended the ipfw rules to cover bpf sockets?  This way
>     we could enable bpf yet still restrict its use.

Absolutely vile.

>     Even better, what if we were able to impose a bpf filter 'in front' of
>     any filter specified by a bpf user?  We could then impose a filter that
>     only allows through packets related to the services we wish to support
>     via bpf.  When securelevel is > 0, this imposed filter becomes locked.

This, on the other hand, is not a bad idea -- and not very different
from how DPF is used in the Exokernel to support secure networking
outside the kernel.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message