From owner-freebsd-security Thu Sep 25 23:49:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA13941 for security-outgoing; Thu, 25 Sep 1997 23:49:06 -0700 (PDT)
Received: from oskar.nanoteq.co.za (oskar.nanoteq.co.za [163.195.220.170]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA13919 for ; Thu, 25 Sep 1997 23:48:48 -0700 (PDT)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.8.7/8.8.5) id IAA15067; Fri, 26 Sep 1997 08:45:42 +0200 (SAT)
From: Reinier Bezuidenhout
Message-Id: <199709260645.IAA15067@oskar.nanoteq.co.za>
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260009.RAA19119@salsa.gv.tsc.tdk.com> from Don Lewis at "Sep 25, 97 05:09:07 pm"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Fri, 26 Sep 1997 08:45:42 +0200 (SAT)
Cc: nate@mt.sri.com, jacs@gnome.co.uk, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Oops ... Sorry guys .. looks like I was a bit late with the dynamic packet filtering :) ... I didn't see that you already did mention it.

What we have for our firewalling system is a daemon that manages the packet filtering rules. Rules are grouped together, e.g. you could get a block reading 2000 to 3000 reserved for ftp connections. Then a program, e.g. ftpd, can only add rules in that block and nowhere else. Rules are then added via a daemon that keeps track of all the rules. User level applications then have the ability to dynamically add and delete rules via this daemon, and this daemon could also enforce certain policy rules, e.g. refusing to add any rule reading "allow all from any to any" except if done by root.

Reinier

###################################################################
#                                                                 #
# R.N. Bezuidenhout                              NetSeq Firewall  #
# rbezuide@oskar.nanoteq.co.za           http://www.nanoteq.co.za #
#                                                                 #
###################################################################
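The rule-brokering daemon described in the message above, modelled as an added example (editor's code, not the NetSeq Firewall's own): clients register for a reserved block of rule numbers, may add or delete rules only inside their own block, and every rule passes a policy check that refuses an "allow all from any to any" rule unless the requester is uid 0. The 2000-3000 ftp block comes from the message; the ipfw-like rule grammar ("action proto from src to dst [ports]"), the client names, uids and addresses are assumptions constructed for the example.

```python
import re

# Rule syntax is modelled on ipfw(8)'s "action proto from src to dst [ports]".
# The block owners, rule numbers, uids and addresses used below are constructed
# for this example; they are not taken from the NetSeq Firewall.
_RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<rest>.+))?$"
)


class PolicyError(Exception):
    """A request the rule daemon's policy refuses."""


class RuleManager:
    """Brokers all rule changes: each client owns a reserved block of rule
    numbers, may only touch rules inside it, and every rule is checked
    against policy (only uid 0 may add an allow-everything rule)."""

    def __init__(self):
        self._blocks = {}   # owner name -> (lo, hi), inclusive rule-number range
        self._rules = {}    # rule number -> (owner name, rule text)

    def reserve(self, owner, lo, hi):
        """Give `owner` exclusive use of rule numbers lo..hi (no overlaps)."""
        if lo > hi:
            raise ValueError(f"bad range {lo}-{hi}")
        for other, (olo, ohi) in self._blocks.items():
            if lo <= ohi and olo <= hi:
                raise ValueError(f"{lo}-{hi} overlaps {other}'s block {olo}-{ohi}")
        self._blocks[owner] = (lo, hi)

    @staticmethod
    def parse(rule):
        """Split a rule into its fields; unparseable rules are refused outright."""
        m = _RULE_RE.match(rule.strip())
        if m is None:
            raise PolicyError(f"unparseable rule: {rule!r}")
        return m.groupdict()

    @staticmethod
    def is_allow_all(parsed):
        """True for "allow all/ip from any to any" with no further qualifiers."""
        return (parsed["action"] == "allow"
                and parsed["proto"] in ("all", "ip")
                and parsed["src"] == "any" and parsed["dst"] == "any"
                and parsed["rest"] is None)

    def add(self, client, number, rule, uid):
        """Add `rule` at `number` on behalf of `client` running as `uid`."""
        if client not in self._blocks:
            raise PolicyError(f"{client} has no reserved block")
        lo, hi = self._blocks[client]
        if not lo <= number <= hi:
            raise PolicyError(f"rule {number} is outside {client}'s block {lo}-{hi}")
        if number in self._rules:
            raise PolicyError(f"rule {number} already exists")
        if self.is_allow_all(self.parse(rule)) and uid != 0:
            raise PolicyError("only root may add an allow-everything rule")
        self._rules[number] = (client, rule.strip())

    def delete(self, client, number):
        """Delete rule `number`; it must have been added by `client`."""
        if number not in self._rules or self._rules[number][0] != client:
            raise PolicyError(f"rule {number} is not owned by {client}")
        del self._rules[number]

    def rules(self):
        """The rule set as it would be handed to the packet filter, in order."""
        return [f"{n} {text}" for n, (_, text) in sorted(self._rules.items())]


def attempt(fn, *args, **kwargs):
    """Run one request and report its outcome as a string instead of raising."""
    try:
        fn(*args, **kwargs)
        return "accepted"
    except (PolicyError, ValueError) as exc:
        return f"refused: {exc}"


def demo():
    """Constructed scenario: ftpd owns 2000-3000, an admin tool owns 100-199,
    and only uid 0 may open the firewall. Returns the manager and outcomes."""
    mgr = RuleManager()
    mgr.reserve("ftpd", 2000, 3000)
    mgr.reserve("admin", 100, 199)
    out = {
        "overlap": attempt(mgr.reserve, "httpd", 2500, 2600),
        "ftp_in_block": attempt(mgr.add, "ftpd", 2000,
                                "allow tcp from 192.0.2.10 to 192.0.2.1 21", uid=1001),
        "ftp_outside_block": attempt(mgr.add, "ftpd", 3500,
                                     "allow tcp from 192.0.2.10 to 192.0.2.1 20", uid=1001),
        "ftp_allow_all": attempt(mgr.add, "ftpd", 2001, "allow all from any to any", uid=1001),
        "root_allow_all": attempt(mgr.add, "admin", 100, "allow ip from any to any", uid=0),
        "unknown_client": attempt(mgr.add, "telnetd", 4000, "allow tcp from any to any 23", uid=0),
        "ftp_deletes_admin_rule": attempt(mgr.delete, "ftpd", 100),
        "ftp_deletes_own_rule": attempt(mgr.delete, "ftpd", 2000),
    }
    return mgr, out


if __name__ == "__main__":
    manager, outcomes = demo()
    for name, result in outcomes.items():
        print(f"{name:24s} {result}")
    print("final rule set:", manager.rules())
```

The policy check works on parsed fields rather than on the literal string, so "allow ip from any to any" and extra whitespace are caught as well; a rule that does not parse is refused rather than passed through to the filter, which is the safer default for a broker that other programs talk to.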