Date: Tue, 21 Aug 2001 19:04:11 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: Mikhail Teterin <mi@aldan.algebra.com>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010821190410.A27472@hades.hell.gr>
In-Reply-To: <Pine.NEB.3.96L.1010821102552.56052B-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Tue, Aug 21, 2001 at 10:30:09AM -0400
References: <200108211221.f7LCLPq22354@aldan.algebra.com> <Pine.NEB.3.96L.1010821102552.56052B-100000@fledge.watson.org>
From: Robert Watson <rwatson@FreeBSD.ORG>
Subject: Re: cvs commit: src/etc inetd.conf
Date: Tue, Aug 21, 2001 at 10:30:09AM -0400

> On Tue, 21 Aug 2001, Mikhail Teterin wrote:
>
> > Can we control the ports just like we control devices? With file
> > permissions? Then the admin will be able to use chown/chmod to grant
> > permissions to particular ports:
> >
> >         chmod g+rw /net/udp6/talk
> >
> > for example... That will require a portfs or some such, of course.
...
> One of the downsides of the representation
> above is that it can't represent rules like: "can bind port 'talk' on IP
> 127.0.0.1", or "can bind port 'http' on IP 192.168.11.1".

Oh but it can, if one makes the /net tree contain subdirectories for the
active interfaces.  I would prefer something more like:

        /net/lo0/127.0.0.1/udp6/517

where the /net/lo0 directory contains subdirs for each assigned IP
address, something along the lines of:

        # /bin/ls -lF /net/lo0
        total 5
        drwxr-xr-x  2 root  network  512 Aug 21 18:49 10.0.0.1/
        drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.1/
        drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.2/
        drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.3/
        lrwxr-xr-x  1 root  network    9 Aug 21 18:49 primary@ -> 127.0.0.1

But this is just a thought...  The overhead of maintaining so many
i-nodes on a pseudo filesystem will probably make performance horrible
on a system with more than a few hundred/thousand connections.

Being able to control access to network ports with ACL's applied to a
pseudo-fs though is a *very* attractive idea.  Fascinating and makes one
think of fine-grained access control to network resources.  If one
stretches the idea a bit further to include something like:

        /net/interfaces/lo0/ip.address.here/protocol/port-number

Other network related things can be put under the /net pseudo-fs.  For
instance, /net/filters/ipfw/* or /net/filters/ipfilter/*, etc.

This way, the ACL's can be used to control other network-related things
too, such as who has access to 'read' the firewall rules, who can also
modify them, etc, etc.  But, I'm off on a tangent now.

-giorgos
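The per-interface, per-address layout discussed above can be modelled in a few dozen lines to check that it really expresses rules like "can bind 'talk' on 127.0.0.1 only", and to put a number on the i-node overhead worry. The following Python model is an added example, not code from this thread or from FreeBSD: every path component under /net is a node carrying Unix owner, group and mode bits, binding a port is treated as needing write permission on the port's leaf node, and the admin delegates bind rights with chown and a chmod(1)-style symbolic mode. The interface names, addresses, users (talkd, www) and groups are constructed for the example; the numeric port 517 stands for 'talk' as in the /net/lo0/127.0.0.1/udp6/517 path above.

```python
"""Toy model of the /net pseudo-filesystem idea (constructed example,
not FreeBSD code).  bind(2) on (iface, addr, proto, port) is modelled as
needing the write bit on the leaf /net/<iface>/<addr>/<proto>/<port>."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                       # permission bits within one class
SHIFT = {"u": 6, "g": 3, "o": 0}        # owner / group / other bit positions
PERM = {"r": R, "w": W, "x": X}


@dataclass
class Node:
    owner: str
    group: str
    mode: int                           # octal mode, e.g. 0o640
    children: dict = field(default_factory=dict)


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod(1)-style symbolic mode such as "g+rw" or "u=rw,o-x"."""
    for clause in spec.split(","):
        i = 0
        who = set()
        while i < len(clause) and clause[i] in "ugoa":
            who.add(clause[i])
            i += 1
        if not who or "a" in who:       # bare "+r" or "a+r" means all classes
            who = {"u", "g", "o"}
        op, perms = clause[i], clause[i + 1:]
        bits = sum(PERM[p] << SHIFT[w] for w in who for p in perms)
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        elif op == "=":
            clear = sum(7 << SHIFT[w] for w in who)
            mode = (mode & ~clear) | bits
        else:
            raise ValueError(f"bad symbolic mode: {spec}")
    return mode & 0o777


def _class_allows(node, user, groups, want):
    # Classic Unix rule: the first matching class decides, it is not a union.
    if user == node.owner:
        shift = SHIFT["u"]
    elif node.group in groups:
        shift = SHIFT["g"]
    else:
        shift = SHIFT["o"]
    return ((node.mode >> shift) & want) == want


class NetFS:
    def __init__(self):
        self.root = Node("root", "wheel", 0o755)

    def mkdir_p(self, path, owner="root", group="network", mode=0o755):
        """Create all components; intermediates get 0755, the leaf gets `mode`."""
        node = self.root
        parts = path.strip("/").split("/")
        for i, part in enumerate(parts):
            leaf = i == len(parts) - 1
            node = node.children.setdefault(
                part, Node(owner, group, mode if leaf else 0o755))
        return node

    def lookup(self, path):
        node = self.root
        for part in path.strip("/").split("/"):
            node = node.children.get(part)
            if node is None:
                raise FileNotFoundError(path)
        return node

    def chown(self, path, owner, group):
        node = self.lookup(path)
        node.owner, node.group = owner, group

    def chmod(self, path, spec):
        node = self.lookup(path)
        node.mode = apply_symbolic(node.mode, spec)

    def access(self, user, groups, path, want):
        """True if user (member of groups) holds the `want` bits on path,
        including search (x) permission on every directory on the way."""
        if user == "root":
            return True
        node = self.root
        for part in path.strip("/").split("/"):
            if not _class_allows(node, user, groups, X):
                return False
            node = node.children.get(part)
            if node is None:
                raise FileNotFoundError(path)
        return _class_allows(node, user, groups, want)


def can_bind(fs, user, groups, iface, addr, proto, port):
    return fs.access(user, groups, f"/net/{iface}/{addr}/{proto}/{port}", W)


def count_nodes(node):
    return 1 + sum(count_nodes(c) for c in node.children.values())


def full_tree_nodes(n_ifaces, n_addrs, n_protos, n_ports=65536):
    """Nodes (counting /net itself) a fully populated tree would need:
    this is the i-node overhead the thread worries about."""
    return 1 + n_ifaces * (1 + n_addrs * (1 + n_protos * (1 + n_ports)))


def build_demo_fs():
    fs = NetFS()
    # Constructed layout; port leaves start root-only (0600), like privileged ports.
    for iface, addr in (("lo0", "127.0.0.1"), ("lo0", "10.0.0.1"),
                        ("fxp0", "192.168.11.1")):
        for proto, port in (("udp6", 517), ("tcp", 80)):
            fs.mkdir_p(f"/net/{iface}/{addr}/{proto}/{port}", mode=0o600)
    # The per-address rules from the quoted objection, expressed with chown/chmod:
    fs.chown("/net/lo0/127.0.0.1/udp6/517", "root", "talkd")   # 'talk' on 127.0.0.1 only
    fs.chmod("/net/lo0/127.0.0.1/udp6/517", "g+rw")
    fs.chown("/net/fxp0/192.168.11.1/tcp/80", "root", "www")   # 'http' on 192.168.11.1 only
    fs.chmod("/net/fxp0/192.168.11.1/tcp/80", "g+rw")
    return fs
```

With `fs = build_demo_fs()`, `can_bind(fs, "talkd", {"talkd"}, "lo0", "127.0.0.1", "udp6", 517)` is true while the same call for 10.0.0.1 is false, which is exactly the per-address rule the flat /net/udp6/talk layout could not express. `full_tree_nodes(1, 1, 1)` already comes to 65540 nodes for one address on one interface with one protocol, which is the size of the overhead concern raised above; a real implementation would have to create port nodes lazily rather than enumerate them.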