From owner-freebsd-hackers Tue Feb 27 08:41:00 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA02167 for hackers-outgoing; Tue, 27 Feb 1996 08:41:00 -0800 (PST)
Received: from etinc.com ([165.254.13.209]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA02162 for ; Tue, 27 Feb 1996 08:40:57 -0800 (PST)
Received: from dialup-usr11.etinc.com (dialup-usr11.etinc.com [204.141.95.132]) by etinc.com (8.6.12/8.6.9) with SMTP id LAA03003; Tue, 27 Feb 1996 11:43:14 -0500
Date: Tue, 27 Feb 1996 11:43:14 -0500
Message-Id: <199602271643.LAA03003@etinc.com>
X-Sender: dennis@etinc.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: hackers@freebsd.org
From: dennis@etinc.com (dennis)
Subject: Re: IP filtering strawman, comments please.
Cc: Poul-Henning Kamp
Sender: owner-hackers@freebsd.org
Precedence: bulk

>Wow. That's all I have to say! That's very artsy. "divert", what an
>excellent idea!!! "where a user-mode process can have fun with it"... I
>nearly split in two when I read that. Show me a Cisco that can
>automatically analyze and keep statistics about where dropped packets had
>been coming from!! That would be like an ultimate firewall.
>
>I'm proud to be wearing my "Free The Berkeley 4.4" T-shirt today!!
>
>Wait. One thing:
>
>> Interface matches name
>> Interface matches IP.
>
>IF it is easy to do, "Interface matches type" (i.e. driver type, let's say
>you want to toss a filter on ALL "ppp" or "sl" devices).
>
>I am thinking mainly about trying to easily implement a rule such as:
>
>"drop all routing packets coming in via SLIP"
>
>which might be mildly trickier to specify using more specific rules. This
>would only be useful to the ISP community - where 16 or 32 SLIP lines is
>hardly unusual - but it WOULD be useful to them, if you can easily
>accomplish it.
>
>On the other hand, what you have outlined is very comprehensive as it
>stands, IMHO.
>
>...
Joe

Our latest stuff does something similar to this on a serial line basis. It's pretty nice... it isolates the filtering overhead, allows you to set different rules for different interfaces, counts and can optionally log info about traffic as well. It's mainly implemented as a priority system, but a priority of "discard" has the obvious effect.

info at www.etinc.com/bsddata.htm#ABM

dennis

----------------------------------------------------------------------------
Emerging Technologies, Inc.                          http://www.etinc.com
Synchronous Communications Cards and Routers For Discriminating Tastes.
56k to T1 and beyond. Frame Relay, PPP, HDLC, and X.25 for BSD/OS, FreeBSD and LINUX
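The "Interface matches type" primitive Joe asks for in the quoted message, shown as an added illustration that is not part of this thread, of the ipfw strawman, or of the etinc product: a toy rule evaluator in C in which a single rule of kind IF_TYPE covers every SLIP unit, where matching by exact name would need one rule per line. The rule model, the interface names, the default-accept policy and the choice of RIP (UDP destination port 520) to stand for "routing packets" are all this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rule model for the discussion above: a rule can match the
 * receiving interface by exact name ("sl3"), by driver type ("sl", i.e. every
 * SLIP unit), or not at all. Nothing here is taken from ipfw itself. */
enum ifmatch { IF_ANY, IF_NAME, IF_TYPE };
enum action  { ACT_ACCEPT, ACT_DROP };

struct rule {
    enum ifmatch ifkind;
    char ifspec[16];    /* "sl3" for IF_NAME, "sl" for IF_TYPE, unused for IF_ANY */
    int proto;          /* 0 = any, else IP protocol number (17 = UDP) */
    int dport;          /* 0 = any, else UDP/TCP destination port */
    enum action action;
};

struct pkt {
    const char *ifname; /* receiving interface, e.g. "sl12" */
    int proto;
    int dport;
};

/* Derive the driver type from an interface name by stripping the trailing
 * unit number: "sl12" -> "sl", "ppp0" -> "ppp". */
static void if_type(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    while (n > 0 && isdigit((unsigned char)name[n - 1]))
        n--;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, name, n);
    out[n] = '\0';
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    char type[16];

    switch (r->ifkind) {
    case IF_ANY:
        break;
    case IF_NAME:
        if (strcmp(r->ifspec, p->ifname) != 0)
            return 0;
        break;
    case IF_TYPE:
        if_type(p->ifname, type, sizeof type);
        if (strcmp(r->ifspec, type) != 0)
            return 0;
        break;
    }
    if (r->proto && r->proto != p->proto)
        return 0;
    if (r->dport && r->dport != p->dport)
        return 0;
    return 1;
}

/* First matching rule decides; with no match the packet is accepted
 * (a default-accept policy chosen for this example only). */
enum action filter(const struct rule *rules, size_t nrules, const struct pkt *p)
{
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].action;
    return ACT_ACCEPT;
}

/* Constructed rule set for "drop all routing packets coming in via SLIP",
 * with RIP (UDP/520) standing in for "routing packets". One type rule covers
 * every sl* unit; by name alone this would be one rule per SLIP line. */
static const struct rule slip_no_routing[] = {
    { IF_TYPE, "sl", 17, 520, ACT_DROP },
};

/* Run one constructed packet through the rule set. */
enum action decide(const char *ifname, int proto, int dport)
{
    struct pkt p = { ifname, proto, dport };
    return filter(slip_no_routing,
                  sizeof slip_no_routing / sizeof slip_no_routing[0], &p);
}

int main(void)
{
    const char *names[] = { "sl0", "sl12", "ppp0", "ed0" };
    for (size_t i = 0; i < 4; i++)
        printf("RIP on %-5s -> %s\n", names[i],
               decide(names[i], 17, 520) == ACT_DROP ? "drop" : "accept");
    printf("DNS on sl12  -> %s\n",
           decide("sl12", 17, 53) == ACT_DROP ? "drop" : "accept");
    return 0;
}
```

The type match is just the name match with the unit number removed, which is why it costs nothing extra per packet; the saving is in the size of the rule set an operator has to write and audit.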