On Sun, Aug 01, 1999 at 10:17:54AM -0400, Sergey Babkin wrote:
> Warner Losh wrote:
> >
> > In message <[EMAIL PROTECTED]> Wes Peters writes:
> > : Do we have a list of all services that use bpf? I'm willing to edit the man
> > : pages, given a list. I guess I could just grep-o-matic here, huh?
> >
> > Yes. I'm also in a holding off pattern until we know the exact impact
> > for all daemons that use this...
>
> I think I found a solution that may be better (although more complicated):
>
> Let the sysadmin define a bpf filter for the packets that are considered
> OK (say, DHCP or RARP or RBOOT or whatever else this installation needs for
> normal functioning). Provide some typical examples.
>
> After this filter is defined and the system goes to a higher security
> level bpf first applies this filter to all the incoming packets, and only
> if they pass this filter they are checked for application-specified filters.
> If there is no such "master" filter defined then bpf can just deny
> new open()s as proposed earlier. This will allow the applications to
> use bpf but only for the purposes defined in the master filter. This
> also resolves the problem of services re-opening bpf after SIGHUP.
>
I like this. I'd prefer the default to be that bpf forwards all
packets, unless there is a template filter defined. I see no reason
to change access to bpf at higher secure levels, because a master
filter can be installed at boot time to do this work. Of course
we may have an equivalent of 'IPFIREWALL_DEFAULT_TO_ACCEPT' to
accommodate this.
Joe
--
Josef Karthauser FreeBSD: How many times have you booted today?
Technical Manager Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc. [[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]]