Date: Wed, 3 Feb 1999 14:18:17 -0500 (EST) From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, "Jonathan M. Bresler" <jmb@FreeBSD.ORG>, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG Subject: Re: tcpdump Message-ID: <199902031918.OAA13256@khavrinen.lcs.mit.edu> In-Reply-To: <199902031756.JAA74538@apollo.backplane.com> References: <199902022137.NAA07900@hub.freebsd.org> <9575.918011566@zippy.cdrom.com> <199902031717.KAA29988@mt.sri.com> <199902031756.JAA74538@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
<<On Wed, 3 Feb 1999 09:56:43 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said: > What if we extended the ipfw rules to cover bpf sockets? This way > we could enable bpf yet still restrict its use. Absolutely vile. > Even better, what if we were able to impose a bpf filter 'in front' of > any filter specified by a bpf user? We could then impose a filter that > only allows through packets related to the services we wish to support > via bpf. When securelevel is > 0, this imposed filter becomes locked. This, on the other hand, is not a bad idea -- and not very different from how DPF is used in the Exokernel to support secure networking outside the kernel. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902031918.OAA13256>