From owner-freebsd-net Mon Dec 20 12:48:18 1999
Delivered-To: freebsd-net@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id A7B6B153D9 for ; Mon, 20 Dec 1999 12:48:08 -0800 (PST) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.2/8.9.2) id MAA22877; Mon, 20 Dec 1999 12:47:28 -0800 (PST)
From: Archie Cobbs
Message-Id: <199912202047.MAA22877@bubba.whistle.com>
Subject: Re: ipfw feature requests
In-Reply-To: from Ken Harrenstien at "Dec 15, 1999 10:11:02 pm"
To: klh@netcom.com (Ken Harrenstien)
Date: Mon, 20 Dec 1999 12:47:28 -0800 (PST)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ken Harrenstien writes:
> IPFW is an amazingly useful and impressive piece of work.
> Nevertheless, while wrestling a bit trying to write a new ruleset for
> a 4-interface (!) firewall/gateway, I came up with the following
> wishlist.  A cursory inspection of netinet/ip_fw.c suggests that these
> might be possible to implement without too much pain, if TPTB decide
> they are worthy...
>
> [1] Provide some way to easily match packets that originate from or
> are destined for the local host, regardless of the IP address.
> Some approaches:
>
> [a] Add "local" as an acceptable keyword for or .
> Thus "deny all from not local to local" suppresses attempts to contact
> the gateway as a host, while allowing packet forwarding to continue.
>
> [b] Add "local" as a pseudo-interface name, to match packets that have
> no interface.  Thus "out recv local" would match packets
> originating from the local host.  I wish this could also be used
> to catch packets destined for the local host, but unfortunately
> "in xmit local" won't work as "xmit" can only be used/checked with
> "out" packets, sigh...
>
> [c] Allow boolean negation of each interface specification; then you can
> say "not any" which would be synonymous with "local" per [b].
> Note that this feature would be very handy in general as it can
> be used with all of the existing interface specs.

I think [b] is best.  But note that you don't know an incoming packet
is local at the time ipfw looks at it because it hasn't been routed yet.
So this would only work for outgoing packets.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
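The following is an added example, not part of the thread and not FreeBSD's or ipfw's own code. It shows the workaround a gateway admin used at the time the thread describes: since there is no "local" keyword, "deny all from not local to local" is expanded into one rule per configured address. The rule numbers, the documentation-prefix addresses used in the comments and test, and the split into an anti-spoofing pass plus a deny-to-local pass are all my choices; the ifconfig parsing helper assumes the "inet ADDR netmask ..." output format. The script prints rules rather than applying them, so it runs anywhere; on the gateway its output would be fed to ipfw. Note what this relies on and what it does not: the destination address is already in the header on the input path, so "to ADDR in" can be decided before routing, which is why per-address expansion works where an interface-based "local" (Archie's point) cannot. The price is exactly the one that motivates the feature request: the list must be regenerated whenever an interface address changes.

```shell
#!/bin/sh
# Constructed example: expand "deny all from not local to local" into
# per-address ipfw rules for an ipfw that has no "local" keyword.
# Rules are printed, not applied; save them to a file and load that
# file with ipfw on the gateway.

# gen_local_rules BASE ADDR...
#   BASE  first rule number to use (hypothetical; any free range works)
#   ADDR  every IP address configured on the gateway's interfaces
gen_local_rules() {
    base=$1; shift
    n=$base
    # Traffic the host sends to itself stays on lo0 and must keep working,
    # so it is allowed before any of the per-address deny rules.
    echo "add $n allow ip from any to any via lo0"
    n=$((n + 1))
    for a in "$@"; do
        # Anti-spoofing half of "not local": a packet carrying one of our
        # own addresses as its source can only legitimately appear on lo0,
        # which was handled above, so anything else is dropped.
        echo "add $n deny ip from $a to any in"
        n=$((n + 1))
    done
    for a in "$@"; do
        # "to local" half: inbound packets addressed to the gateway itself.
        # The destination address is in the header, so this is decidable on
        # the input path before routing.  Forwarded traffic does not match
        # and falls through to later rules.
        echo "add $n deny ip from any to $a in"
        n=$((n + 1))
    done
}

# local_addrs: collect configured IPv4 addresses other than loopback.
# Assumes ifconfig prints "inet ADDR netmask ..." lines (FreeBSD format).
local_addrs() {
    ifconfig -a | awk '$1 == "inet" && $2 != "127.0.0.1" { print $2 }'
}

# rule_count BASE ADDR...: number of rules gen_local_rules would emit,
# which should be 1 + 2 * (number of addresses).
rule_count() {
    gen_local_rules "$@" | wc -l | tr -d ' '
}

# Typical use on the gateway (commented out so the script runs offline):
#   gen_local_rules 1000 $(local_addrs) > /etc/ipfw.local.rules
```

The ordering matters: the lo0 allow must come first, and the anti-spoof deny must precede the deny-to-local pass, otherwise a spoofed packet with a local source and local destination would be handled by the wrong rule. Rules matching only "in" leave outbound packets alone; as the thread notes, matching locally originated outbound traffic by interface is the case that "out recv local" would have covered.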