From owner-freebsd-hackers Tue Feb 27 06:27:25 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA21522 for hackers-outgoing; Tue, 27 Feb 1996 06:27:25 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA21514 for ; Tue, 27 Feb 1996 06:27:21 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id IAA17168; Tue, 27 Feb 1996 08:26:49 -0600
From: Joe Greco
Message-Id: <199602271426.IAA17168@brasil.moneng.mei.com>
Subject: Re: IP filtering strawman, comments please.
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Tue, 27 Feb 1996 08:26:48 -0600 (CST)
Cc: hackers@freebsd.org
In-Reply-To: <13784.825425462@critter.tfs.com> from "Poul-Henning Kamp" at Feb 27, 96 01:51:02 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
Precedence: bulk

> > Wait. One thing:
> >
> > > Interface matches name
> > > Interface matches IP.
> >
> > IF it is easy to do, "Interface matches type" (i.e. driver type, let's say
> > you want to toss a filter on ALL "ppp" or "sl" devices).
> >
> > I am thinking mainly about trying to easily implement a rule such as:
> >
> > "drop all routing packets coming in via SLIP"
>
> I have thought about this, I can see a couple of (non-exclusive) solutions:
>
>     ... via ppp*
>         interpreted as if_name must be ppp[0-9][0-9]* (for any value
>         of ppp of course, ed* sl* tun* ...)
>
>     ... via P2P
>         interpreted as if_flags must have POINTTOPOINT set.

My personal preference would still be for the former. I use PPP for dynamic
links, but SLIP for 24/7 connections particularly if there's extra routing
that needs to happen. That of course could be considered a personality
quirk :-) I have definite ideas about how things should work. ;-)

Either is probably quite acceptable, and it is clear that one can get by
with neither as well.

> > which might be mildly trickier to specify using more specific rules. This
> > would only be useful to the ISP community - where 16 or 32 SLIP lines is
> > hardly unusual - but it WOULD be useful to them, if you can easily
> > accomplish it.
> >
> > On the other hand, what you have outlined is very comprehensive as it
> > stands, IMHO.
>
> Thanks!

No, thank YOU. :-)

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI       414/546-7968
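
The two "via" interpretations quoted in the message above, written out as an added example; this is not code from the thread or from FreeBSD. The struct, the function names, the flag constant (standing in for the POINTTOPOINT bit the message mentions) and the interface table are all assumptions made for illustration. It shows why "sl*" is read as sl[0-9][0-9]* rather than as a plain prefix: a rule meant for SLIP lines must not catch another driver whose name merely starts with "sl".

```c
#include <ctype.h>
#include <string.h>

#define EX_POINTOPOINT 0x10   /* stand-in for the point-to-point if_flags bit */

struct ex_if { const char *name; unsigned flags; };   /* hypothetical, not struct ifnet */

/* Constructed interface table for the example. */
static const struct ex_if ex_ifs[] = {
    { "ed0", 0 }, { "lo0", 0 }, { "slx0", 0 },
    { "sl0", EX_POINTOPOINT }, { "sl15", EX_POINTOPOINT },
    { "ppp0", EX_POINTOPOINT }, { "tun0", EX_POINTOPOINT },
};

/* "drv*" means drv[0-9][0-9]*: the driver name, then one or more digits and
 * nothing else. A spec without a trailing '*' must equal the whole name. */
int via_name_match(const char *spec, const char *ifname)
{
    size_t n = strlen(spec);
    const char *p;

    if (n < 2 || spec[n - 1] != '*')      /* no wildcard; bare "*" is not match-all */
        return strcmp(spec, ifname) == 0;
    n--;                                  /* length of the driver prefix */
    if (strncmp(spec, ifname, n) != 0)
        return 0;
    p = ifname + n;
    if (!isdigit((unsigned char)*p))
        return 0;                         /* "sl" alone, or "slx0" for "sl*" */
    while (isdigit((unsigned char)*p))
        p++;
    return *p == '\0';                    /* no trailing junk such as "sl0a" */
}

/* "via P2P" tests the flag; anything else is treated as a name spec. */
int via_match(const char *spec, const struct ex_if *ifp)
{
    if (strcmp(spec, "P2P") == 0)
        return (ifp->flags & EX_POINTOPOINT) != 0;
    return via_name_match(spec, ifp->name);
}

/* Number of interfaces in the constructed table that a "via" spec selects. */
int count_via(const char *spec)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof ex_ifs / sizeof ex_ifs[0]; i++)
        hits += via_match(spec, &ex_ifs[i]);
    return hits;
}
```

On this table "via sl*" selects only sl0 and sl15, while "via P2P" also takes in ppp0 and tun0, which is the difference between the two options being weighed in the message.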