From owner-freebsd-current Thu Oct 15 13:44:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA27604 for freebsd-current-outgoing; Thu, 15 Oct 1998 13:44:43 -0700 (PDT) (envelope-from owner-freebsd-current@FreeBSD.ORG) Received: from smtp01.primenet.com (smtp01.primenet.com [206.165.6.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA27563 for ; Thu, 15 Oct 1998 13:44:29 -0700 (PDT) (envelope-from tlambert@usr02.primenet.com) Received: (from daemon@localhost) by smtp01.primenet.com (8.8.8/8.8.8) id NAA22041; Thu, 15 Oct 1998 13:44:04 -0700 (MST) Received: from usr02.primenet.com(206.165.6.202) via SMTP by smtp01.primenet.com, id smtpd021975; Thu Oct 15 13:43:57 1998 Received: (from tlambert@localhost) by usr02.primenet.com (8.8.5/8.8.5) id NAA23406; Thu, 15 Oct 1998 13:43:51 -0700 (MST) From: Terry Lambert Message-Id: <199810152043.NAA23406@usr02.primenet.com> Subject: Re: [GIMPS] /proc/net/route needed To: brian@Awfulhak.org (Brian Somers) Date: Thu, 15 Oct 1998 20:43:51 +0000 (GMT) Cc: tlambert@primenet.com, brian@Awfulhak.org, mike@smith.net.au, rkw@Dataplex.NET, fjaccard@urbanet.ch, current@FreeBSD.ORG In-Reply-To: <199810151030.LAA00689@woof.lan.awfulhak.org> from "Brian Somers" at Oct 15, 98 11:30:32 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > Any program can configure a tun interface and multiplex the data in > whatever way it chooses. The best that could be done to control this > would be to have a central ``transport policy'' file and some API for > reading/writing how many packets have been sent over which transports. > > So, for the moment, I suspect things will remain the same; the public > interface layer will be brought up despite the lower layers not yet > being available. When something arrives at the higher layer, the > dialup is performed. The point is to allow some programs use of the network to cause the link to automatically come up, while other programs use of the network will fail instead of causing the link to come up. Basically, blocking packets from some programs, but not others, based on administrative policy decisions. For example, you might want to cause outbound mail to bring up a link any time, but since you are intermittently connected to the net, and your ISP can't bring the link up, you only want to bring the link up to check for inbound mail when there are likely to be people around to receive it. As an instance of a specific policy, consider that it doesn't matter if you dial up and ETRN the ISP every half hour all night long, or if you ETRN them just before the normal working day begins; either way, the mail will arrive before the humans to whom it's addressed are available to read it, so between 6 PM and 8 AM, all you are doing is burning money by allowing the half-hourly cron job to actually successfully bring the link up. In other words, a differential administrative policy based on some definition of "work hours". I thought of the firewall because: o Packets are what bring the link up o The firewall's job is to block packets o The firewall can keep the link from coming up o It's a nice centralized chokepoint that could be managed by a daemon, in the same way that bandwidth management works by differentially preferring protocols that have a high likelihood of having humans connected to the other end, using a single daemon to administer policy. o The code's already there, and can be abused to do the job. 8-). Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message