From owner-freebsd-hackers Tue Feb 27 00:15:17 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA14224 for hackers-outgoing; Tue, 27 Feb 1996 00:15:17 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id AAA14203 for ; Tue, 27 Feb 1996 00:15:12 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0trKXd-0003vpC; Tue, 27 Feb 96 00:13 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id JAA13340; Tue, 27 Feb 1996 09:13:42 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: Lyndon Nerenberg VE7TCP
cc: Joe Greco , hackers@freebsd.org
Subject: Re: IP filtering strawman, comments please.
In-reply-to: Your message of "Mon, 26 Feb 1996 22:36:35 PST." <199602270636.WAA11075@multivac.orthanc.com>
Date: Tue, 27 Feb 1996 09:13:38 +0100
Message-ID: <13338.825408818@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-hackers@freebsd.org
Precedence: bulk

> >>>>> "Joe" == Joe Greco writes:
>
>     >> Interface matches name Interface matches IP.
>
>     Joe> IF it is easy to do, "Interface matches type" (i.e. driver
>     Joe> type, let's say you want to toss a filter on ALL "ppp" or
>     Joe> "sl" devices).
>
>     Joe> "drop all routing packets coming in via SLIP"
>
> I think what you really want (and what I would like to have) is a
> "class" mechanism for grouping interfaces. E.g. I have several PPP
> connections, some of which need full outside access, and some don't.
> Keying off the link layer protocol isn't fine-grained enough for
> my purposes. On the other hand, I don't want to see this get bogged
> down in needless complexity.

It would be (very) easy to make it possible to say

	deny udp from any to any 520 via ppp*

I have no problem with adding support for "DWIM" keywords like

	deny all >routing< bla bla bla

if somebody will only tell me what this translates to.

In the case of routing I can see at least:

	udp:520, icmp redirects, igrp, egp, ...

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
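
The two ideas in the message above (an interface wildcard such as "ppp*", and a "routing" keyword that expands into concrete rules), sketched as an added example that is not part of the original post and is not FreeBSD's ipfw code. The Rule/Packet types, the KEYWORDS table, first-match evaluation and the default-allow policy are assumptions made for illustration; the expansion covers only the four items the message lists.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

ICMP, EGP, IGRP, UDP = 1, 8, 9, 17   # IANA IP protocol numbers
ICMP_REDIRECT, RIP_PORT = 5, 520     # ICMP type 5; RIP listens on udp/520

@dataclass(frozen=True)
class Rule:                          # hypothetical rule shape
    action: str
    proto: int
    via: str = "*"                   # interface name glob, e.g. "ppp*"
    dst_port: Optional[int] = None   # only meaningful for UDP
    icmp_type: Optional[int] = None  # only meaningful for ICMP

@dataclass(frozen=True)
class Packet:                        # constructed stand-in for a received packet
    iface: str
    proto: int
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

# Hypothetical keyword table: "routing" becomes one concrete match per item
# named in the message (udp:520, icmp redirects, igrp, egp).
KEYWORDS = {
    "routing": [
        {"proto": UDP, "dst_port": RIP_PORT},
        {"proto": ICMP, "icmp_type": ICMP_REDIRECT},
        {"proto": IGRP},
        {"proto": EGP},
    ],
}

def expand(action: str, keyword: str, via: str) -> list:
    """Turn e.g. ('deny', 'routing', 'ppp*') into concrete rules."""
    return [Rule(action=action, via=via, **m) for m in KEYWORDS[keyword]]

def matches(rule: Rule, pkt: Packet) -> bool:
    """A field left as None in the rule is a wildcard for that field."""
    return (fnmatchcase(pkt.iface, rule.via)
            and rule.proto == pkt.proto
            and rule.dst_port in (None, pkt.dst_port)
            and rule.icmp_type in (None, pkt.icmp_type))

def decide(rules: list, pkt: Packet, default: str = "allow") -> str:
    """First matching rule wins; unmatched packets get the default."""
    return next((r.action for r in rules if matches(r, pkt)), default)
```

A name glob matches every interface whose name starts with the prefix, so "ppp*" cannot separate the PPP links that need full outside access from those that do not; that is the gap the quoted "class" suggestion points at.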