Date: Sun, 1 Mar 1998 01:39:15 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: current@FreeBSD.ORG Subject: Patches in support of security Message-ID: <199803010139.SAA02325@usr04.primenet.com>
next in thread | raw e-mail | index | archive | help
Here are a set of patches that implement Juniper-like trusted and untrusted interfaces (the default is untrusted). They incidently bump the interface flags from 16 to 32 buts (yea!): http://www.freebsd.org/~terry/DIFF.TRUST.txt http://www.freebsd.org/~terry/DIFF.TRUST http://www.freebsd.org/~terry/DIFF.ifconfig ======================================================================= The Juniper firewall code supports the idea of trusted interfaces. These patches add the ifconfig flags "trusted" and "-trusted" in support of a "poor man's Juniper firewall". An interface may be marked trusted by root. The default is untrusted. When a interface is marked "trusted", TCP sockets may be queried to determine if they will route over trusted or untrusted interfaces. Note: this code does not take into account the possibility of asymmetric routes! The basic idea is that a daemon can determine if a connection is made via a trusted or untrusted interface, and respond accordingly. A potential use of this code is SMTP relay. If a connection is made via a trusted interface, you could allow SMTP relay, and if made via an untrusted interface, deny it. There are a lot of other possibilities, including allowing/denying VPN startup, etc., etc.. For a firewall, the interior net would be trusted and the exterior would be untrusted. This would mean (in the relay example) that trusted hosts would be permitted to relay mail through the SMTP server, and untrusted hosts would not. A server tests for "trustworthyness" of an interface by: int trusted; int trustedlen = sizeof(trusted); ... if( !getsockopt( s, IPPROTO_TCP, TCP_TRUSTED, &trusted, &trustedlen)) trusted = 0; ... if( trusted) { ... } else { ... } Note: this applies to only TCP sockets! Readers may engage in future work: (1) set the flag in the socket at connect time rather than using the route (support for asymmetric routes). (2) Allow UDP socket route queries (ie: "if I were to send a packet via this socket, where would it go?"). EOF ======================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199803010139.SAA02325>