Date: Tue, 27 Feb 1996 09:13:38 +0100
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: Lyndon Nerenberg VE7TCP <lyndon@orthanc.com>
Cc: Joe Greco <jgreco@brasil.moneng.mei.com>, hackers@freebsd.org
Subject: Re: IP filtering strawman, comments please.
Message-ID: <13338.825408818@critter.tfs.com>
In-Reply-To: Your message of "Mon, 26 Feb 1996 22:36:35 PST." <199602270636.WAA11075@multivac.orthanc.com>

> >>>>> "Joe" == Joe Greco <jgreco@brasil.moneng.mei.com> writes:
>
> >> Interface matches name Interface matches IP.
>
> Joe> IF it is easy to do, "Interface matches type" (i.e. driver
> Joe> type, let's say you want to toss a filter on ALL "ppp" or
> Joe> "sl" devices).
>
> Joe> "drop all routing packets coming in via SLIP"
>
> I think what you really want (and what I would like to have) is a
> "class" mechanism for grouping interfaces. E.g. I have several PPP
> connections, some of which need full outside access, and some don't.
> Keying off the link layer protocol isn't fine-grained enough for
> my purposes. On the other hand, I don't want to see this get bogged
> down in needless complexity.

It would be (very) easy to make it possible to say

	deny udp from any to any 520 via ppp*

I have no problem with adding support for "DWIM" keywords like

	deny all >routing< bla bla bla

if somebody will only tell me what this translates to.

In the case of routing I can see at least:

	udp:520, icmp redirects, igrp, egp, ...

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
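
An added example, not part of the original message and not FreeBSD's filter code: a sketch of how a rule with an interface wildcard ("via ppp*") and a "routing" keyword could be evaluated. The keyword syntax "deny routing via sl*", the expansion table and all names below are assumptions; the table covers only the four items the message lists.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

# IANA protocol numbers for the protocols named in the message.
ICMP, EGP, IGRP, UDP = 1, 8, 9, 17
ICMP_REDIRECT = 5   # ICMP message type for redirects
RIP_PORT = 520      # the "520" in the message's udp rule

class Packet(NamedTuple):
    iface: str                        # receiving interface, e.g. "ppp0"
    proto: int
    dport: Optional[int] = None       # set for UDP only
    icmp_type: Optional[int] = None   # set for ICMP only

class Match(NamedTuple):
    proto: int
    dport: Optional[int] = None       # None means "any"
    icmp_type: Optional[int] = None   # None means "any"

    def hits(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

# Hypothetical expansion of the "routing" keyword (assumption, see lead-in).
KEYWORDS = {"routing": [Match(UDP, dport=RIP_PORT),
                        Match(ICMP, icmp_type=ICMP_REDIRECT),
                        Match(IGRP), Match(EGP)]}

def parse_rule(text):
    """Parse 'deny udp from any to any PORT via PATTERN' or 'deny KEYWORD via PATTERN'."""
    tok = text.split()
    if len(tok) < 4 or tok[0] != "deny" or tok[-2] != "via":
        raise ValueError("unsupported rule: " + text)
    spec, pattern = tok[1:-2], tok[-1]
    if len(spec) == 1 and spec[0] in KEYWORDS:
        return KEYWORDS[spec[0]], pattern
    if len(spec) == 6 and spec[:5] == ["udp", "from", "any", "to", "any"]:
        return [Match(UDP, dport=int(spec[5]))], pattern
    raise ValueError("unsupported rule: " + text)

def denied(rule_text, pkt):
    """True if the packet arrived on a matching interface and hits the rule."""
    matches, pattern = parse_rule(rule_text)
    return fnmatchcase(pkt.iface, pattern) and any(m.hits(pkt) for m in matches)
```

Because the keyword expands to a fixed list, anything outside that list passes the rule, which is why the expansion has to be agreed on before such a keyword is relied on.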