*BSD News Article 25996



Path: sserve!newshost.anu.edu.au!munnari.oz.au!sgiblab!sgigate.sgi.com!olivea!charnel!yeshua.marcam.com!news.kei.com!eff!usenet.ins.cwru.edu!agate!agate!glass
From: glass@postgres.Berkeley.EDU (Adam Glass)
Newsgroups: comp.os.386bsd.misc
Subject: Re: NetBSD on cheap boxes
Date: 14 Jan 94 17:04:32
Organization: Organization is evil.
Lines: 27
Message-ID: <GLASS.94Jan14170432@sun-lamp.postgres.Berkeley.EDU>
References: <2h2u3kINN6o3@ymir.cs.umass.edu> <2h63s8$4s2@smurf.noris.de>
NNTP-Posting-Host: sun-lamp.cs.berkeley.edu
In-reply-to: urlichs@smurf.noris.de's message of 14 Jan 1994 13:40:40 +0100

(Matthias Urlichs) writes:
   In comp.os.386bsd.misc, article <2h2u3kINN6o3@ymir.cs.umass.edu>,
     doyle@cs.umass.edu writes:
   > Hehe..  I bought a cheap 386sx box to run NetBSD solely as a router.

   Speaking of which... are there kernel patches to selectively block packets?
   For example, don't forward TELNET to this site, block IRC for that network, 
   only allow SMTP to the other machine. I assume a rather quick hack to 
   ip_forward should work; fragmented IP packets might be a problem except that 
   the first TCP or UDP packet on any given connection almost never is 
   fragmented.

Diffs for this kind of IP-only filtering were posted by someone to the
bsdi-users list.  They should apply with little incident to any of the
net2-derived *BSDs.  I believe archives of this list are publicly accessible.

A better solution, though, would be a packet filterer based on BPF.  The
BPF "language" is pretty powerful, can express more powerful filters,
and is not IP-only.  I think this solution would be worth the
additional implementation complexity.

later,
Adam Glass
--
Adam Glass                        |E-mail home: glass@sun-lamp.cs.berkeley.edu
                                  |Physical   : Seattle
                     "reality is for dead birds"
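An added example, not from the thread, of the ip_forward-style host/port filter Matthias describes, written in Python rather than kernel C so it can be run on constructed packets; it also handles the fragment case he raises. The three rules, the RFC 5737 documentation addresses and the port numbers are assumptions for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

TCP, TELNET, SMTP, IRC = 6, 23, 25, 6667
# Constructed addresses (RFC 5737 documentation ranges), not from the post.
TELNET_HOST = ip_address("192.0.2.10")      # "don't forward TELNET to this site"
IRC_NET = ip_network("198.51.100.0/24")    # "block IRC for that network"
SMTP_HOST = ip_address("203.0.113.5")      # "only allow SMTP to the other machine"


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, frag_off, dport). dport is None when the
    packet is a non-first fragment, because its transport header is absent."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = flags_frag & 0x1FFF          # low 13 bits: fragment offset
    dport = None
    if frag_off == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return ip_address(src), ip_address(dst), proto, frag_off, dport


def forward_allowed(pkt: bytes) -> bool:
    """Decide, the way an ip_forward() hook would, whether to forward pkt."""
    _src, dst, proto, frag_off, dport = parse_ipv4(pkt)
    covered = dst == TELNET_HOST or dst in IRC_NET or dst == SMTP_HOST
    if frag_off != 0:
        # Port rules cannot be evaluated on a non-first fragment. Passing it
        # unconditionally makes the rule only as good as the "first packet is
        # never fragmented" assumption; dropping it is the safe default, at
        # the cost of fragmented traffic to the covered hosts. Reassembling
        # before filtering is the complete fix.
        return not covered
    if dst == TELNET_HOST and proto == TCP and dport == TELNET:
        return False
    if dst in IRC_NET and proto == TCP and dport == IRC:
        return False
    if dst == SMTP_HOST:
        return proto == TCP and dport == SMTP
    return True


def make_packet(src, dst, proto, dport, frag_off=0) -> bytes:
    """Build a minimal constructed IPv4 datagram with a 4-byte port pair."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, frag_off, 64, proto,
                      0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + struct.pack("!HH", 40000, dport) + b"\x00" * 4
```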