From owner-freebsd-hackers Tue Feb 27 04:52:29 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA16601 for hackers-outgoing; Tue, 27 Feb 1996 04:52:29 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA16596 for ; Tue, 27 Feb 1996 04:52:27 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0trOrv-0003wXC; Tue, 27 Feb 96 04:51 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id NAA13786; Tue, 27 Feb 1996 13:51:04 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: Joe Greco
cc: hackers@freebsd.org
Subject: Re: IP filtering strawman, comments please.
In-reply-to: Your message of "Mon, 26 Feb 1996 15:34:06 CST." <199602262134.PAA16026@brasil.moneng.mei.com>
Date: Tue, 27 Feb 1996 13:51:02 +0100
Message-ID: <13784.825425462@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-hackers@freebsd.org
Precedence: bulk

> Wow.  That's all I have to say!  That's very artsy.  "divert", what an
> excellent idea!!!  "where a user-mode process can have fun with it"...  I
> nearly split in two when I read that.  Show me a Cisco that can
> automatically analyze and keep statistics about where dropped packets had
> been coming from!!  That would be like an ultimate firewall.
>
> I'm proud to be wearing my "Free The Berkeley 4.4" T-shirt today!!
>
> Wait.  One thing:
>
> >       Interface matches name
> >       Interface matches IP.
>
> IF it is easy to do, "Interface matches type" (i.e. driver type, let's say
> you want to toss a filter on ALL "ppp" or "sl" devices).
>
> I am thinking mainly about trying to easily implement a rule such as:
>
>       "drop all routing packets coming in via SLIP"

I have thought about this, I can see a couple of (non-exclusive) solutions:

	... via ppp*	interpreted as if_name must be ppp[0-9][0-9]*
			(for any value of ppp of course, ed* sl* tun* ...)

	... via P2P	interpreted as if_flags must have POINTTOPOINT set.

> which might be mildly trickier to specify using more specific rules.  This
> would only be useful to the ISP community - where 16 or 32 SLIP lines is
> hardly unusual - but it WOULD be useful to them, if you can easily
> accomplish it.
>
> On the other hand, what you have outlined is very comprehensive as it
> stands, IMHO.

Thanks!

--
Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                  | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
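The two "via" forms proposed in the message above, worked through as an added example; this is not ipfw code and not from the thread. It assumes a hypothetical flag value `IFF_P2P_ASSUMED` standing in for the kernel's point-to-point interface flag, a constructed interface table, and the reading that "ppp*" means the literal prefix followed by one or more digits and nothing else, so that "ppp" (no unit number) and a longer driver name sharing the prefix are both excluded, which a naive prefix glob would not do.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's point-to-point interface flag.  The value is an
 * assumption for this example, not taken from the page or any kernel header. */
#define IFF_P2P_ASSUMED 0x10

struct iface {
    const char *name;     /* if_name plus unit number, e.g. "ppp0" */
    unsigned int flags;   /* if_flags */
};

/* "via ppp*" read as ppp[0-9][0-9]*: the literal prefix must be followed by
 * one or more digits and nothing else.  A pattern without '*' must match the
 * name exactly.  Returns 1 on match, 0 otherwise. */
int via_name_matches(const char *pattern, const char *ifname)
{
    size_t plen = strlen(pattern);
    const char *rest;

    if (plen == 0)
        return 0;
    if (pattern[plen - 1] != '*')
        return strcmp(pattern, ifname) == 0;

    plen--;                                   /* drop the trailing '*' */
    if (strncmp(pattern, ifname, plen) != 0)
        return 0;
    rest = ifname + plen;
    if (!isdigit((unsigned char)*rest))       /* "ppp" alone: no unit number */
        return 0;
    for (; *rest != '\0'; rest++)
        if (!isdigit((unsigned char)*rest))   /* "pppoe0": shares the prefix, not a unit */
            return 0;
    return 1;
}

/* "via P2P": match on if_flags rather than on the name. */
int via_p2p_matches(const struct iface *ifp)
{
    return (ifp->flags & IFF_P2P_ASSUMED) != 0;
}

/* Evaluate one rule's "via" clause against one interface. */
int via_matches(const char *via, const struct iface *ifp)
{
    if (strcmp(via, "P2P") == 0)
        return via_p2p_matches(ifp);
    return via_name_matches(via, ifp->name);
}

/* Constructed interface table for the example, not read from a real system. */
static const struct iface iftab[] = {
    { "ed0",    0 },
    { "ppp0",   IFF_P2P_ASSUMED },
    { "ppp12",  IFF_P2P_ASSUMED },
    { "pppoe0", 0 },                 /* shares the "ppp" prefix, different driver */
    { "sl3",    IFF_P2P_ASSUMED },
    { "ppp",    IFF_P2P_ASSUMED },   /* name with no unit number */
    { "tun0",   IFF_P2P_ASSUMED },
};
#define NIFACES (sizeof(iftab) / sizeof(iftab[0]))

/* Number of interfaces in the table that a "via" clause would select. */
int count_via_matches(const char *via)
{
    size_t i;
    int n = 0;

    for (i = 0; i < NIFACES; i++)
        if (via_matches(via, &iftab[i]))
            n++;
    return n;
}

int main(void)
{
    const char *clauses[] = { "ppp*", "sl*", "P2P", "ed0", "ppp" };
    size_t i, j;

    for (i = 0; i < sizeof(clauses) / sizeof(clauses[0]); i++) {
        printf("via %-5s ->", clauses[i]);
        for (j = 0; j < NIFACES; j++)
            if (via_matches(clauses[i], &iftab[j]))
                printf(" %s", iftab[j].name);
        printf("\n");
    }
    return 0;
}
```

Run as-is it lists which constructed interfaces each clause selects; "via ppp*" picks ppp0 and ppp12 only, while "via P2P" picks every interface carrying the flag regardless of driver, which is the distinction the two forms are meant to give a rule writer.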