Date: Tue, 21 Aug 2001 19:04:11 +0300
From: Giorgos Keramidas
To: Robert Watson
Cc: Mikhail Teterin, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: message from rwatson@FreeBSD.ORG on Tue, Aug 21, 2001 at 10:30:09AM -0400

From: Robert Watson
Subject: Re: cvs commit: src/etc inetd.conf
Date: Tue, Aug 21, 2001 at 10:30:09AM -0400

> On Tue, 21 Aug 2001, Mikhail Teterin wrote:
>
> > Can we control the ports just like we control devices? With file
> > permissions? Then the admin will be able to use chown/chmod to grant
> > permissions to particular ports:
> >
> >     chmod g+rw /net/udp6/talk
> >
> > for example... This will require a portfs or some such, of course.
>
> ...
>
> One of the downsides of the representation above is that it can't
> represent rules like: "can bind port 'talk' on IP 127.0.0.1", or
> "can bind port 'http' on IP 192.168.11.1".
Oh but it can, if one makes the /net tree contain subdirectories for the
active interfaces. I would prefer something more like:

    /net/lo0/127.0.0.1/udp6/517

where the /net/lo0 directory contains subdirs for each assigned IP address,
something along the lines of:

    # /bin/ls -lF /net/lo0
    total 5
    drwxr-xr-x  2 root  network  512 Aug 21 18:49 10.0.0.1/
    drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.1/
    drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.2/
    drwxr-xr-x  2 root  network  512 Aug 21 18:49 127.0.0.3/
    lrwxr-xr-x  1 root  network    9 Aug 21 18:49 primary@ -> 127.0.0.1

But this is just a thought... The overhead of maintaining so many i-nodes
on a pseudo filesystem will probably make performance horrible on a system
with more than a few hundred/thousand connections.

Being able to control access to network ports with ACLs applied to a
pseudo-fs though is a *very* attractive idea. Fascinating, and it makes one
think of fine-grained access control to network resources. If one stretches
the idea a bit further to include something like:

    /net/interfaces/lo0/ip.address.here/protocol/port-number

other network related things can be put under the /net pseudo-fs. For
instance, /net/filters/ipfw/* or /net/filters/ipfilter/*, etc. This way,
the ACLs can be used to control other network-related things too, such as
who has access to 'read' the firewall rules, who can also modify them,
etc, etc.

But, I'm off on a tangent now.

-giorgos
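A toy model of the /net layout proposed in the reply above, added here as an illustration and not code from the thread or from FreeBSD: it evaluates a bind() request as a path walk with ordinary owner/group/other mode bits, so that putting the address level above the port level is what makes "can bind talk on 127.0.0.1 only" expressible with plain chmod. The tree, uids and gids are constructed sample data.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1   # permission bits within one class (owner, group, other)

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int       # the nine low permission bits of st_mode, e.g. 0o664

def perm_bits(node, uid, groups):
    """Root bypasses; otherwise exactly one class applies: owner, then group, then other."""
    if uid == 0:
        return R | W | X
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def port_path(iface, addr, proto, port):
    return f"/net/{iface}/{addr}/{proto}/{port}"

def can_bind(fs, uid, groups, iface, addr, proto, port):
    """bind() is allowed iff each directory is searchable (x) and the port node is
    writable (w); a missing node means that address is not assigned to the interface."""
    parts = port_path(iface, addr, proto, port).strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        node = fs.get("/" + "/".join(parts[:depth]))
        if node is None:
            return False
        needed = W if depth == len(parts) else X
        if not perm_bits(node, uid, groups) & needed:
            return False
    return True

# Constructed sample tree (gids invented).  Port 517 (talk) has "chmod g+w" for group
# talkd on both addresses, but 10.0.0.1 is searchable only by group network.
NETWORK, TALKD = 70, 50
SAMPLE_FS = {
    "/net":                        Inode(0, NETWORK, 0o755),
    "/net/lo0":                    Inode(0, NETWORK, 0o755),
    "/net/lo0/127.0.0.1":          Inode(0, NETWORK, 0o755),
    "/net/lo0/127.0.0.1/udp6":     Inode(0, NETWORK, 0o755),
    "/net/lo0/127.0.0.1/udp6/517": Inode(0, TALKD, 0o664),
    "/net/lo0/10.0.0.1":           Inode(0, NETWORK, 0o750),
    "/net/lo0/10.0.0.1/udp6":      Inode(0, NETWORK, 0o755),
    "/net/lo0/10.0.0.1/udp6/517":  Inode(0, TALKD, 0o664),
}
```

A caller in group talkd can bind 517 on 127.0.0.1 but not on 10.0.0.1, because the address directory gates the whole subtree regardless of the mode on the leaf.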