Subject: Packet Screening/Firewall Stuff Available/Recommended?
To: None <netbsd-help@sun-lamp.cs.berkeley.edu>
From: x3673) <rob@sun701.nadc.navy.mil ( Rob Ginn>
List: netbsd-help
Date: 12/06/1994 16:46:06
Hi All,
I finally got my NetBSD-1.0 box to act like a gateway, but now
I want to add more capability 8-)  What I want to do is pass
(mainly ethernet) packets selectively.  The behavior I'd like is:

  Anyone in my sub-domain can get out
  People outside can only get to specific addresses inside the sub-domain
    (NB: I realize this conflicts with the previous one, see below)

To do this, what I'd like to do is have the gateway maintain a list
of those addresses that people outside are allowed to access, and,
if someone inside on a different address goes out, temporarily (with
a timeout) place them into the outside access OK list.  Thus only
those addresses that I designate and those machines actively going
out would be accessible.  Later I'd like to add the ability to
screen types of packets based on outgoing packet type, but that's
for a later time!

I could do this by:

  a) hacking the kernel
  b) extending the kernel to pass packets to a user program
  c) running a single custom program on each interface
  d) something I haven't thought of?
Has anyone done this?  I know the screend program does part of (b),
but the user level program provides way more capability than I need
yet doesn't allow this timeout concept (and it has licensing
restrictions).  Is there already a hook in the kernel to allow me to
do this?  Any other programs that work in a similar vein that you know
of?

Any and all suggestions are most welcome.  If there are any really
cool solutions, I'll summarize back to the group.

Thanks,
Rob Ginn
rob@sun701.nadc.navy.mil
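The timed allow-list policy the post describes, as an added example (not Rob's code, and not any NetBSD kernel or screend code): a Python model of the gateway's per-packet decision. The inside prefix 10.0.0., the static entry 10.0.0.5, the outside host 192.0.2.9 and the 60-second timeout are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str   # source IPv4 address
    dst: str   # destination IPv4 address
    ts: float  # arrival time in seconds (supplied by the caller, no wall clock)

class Screen:
    def __init__(self, inside_prefix, static_allow, timeout):
        self.inside_prefix = inside_prefix      # e.g. "10.0.0." (constructed)
        self.static_allow = set(static_allow)   # inside hosts always reachable from outside
        self.timeout = timeout                  # seconds an outbound host stays reachable
        self.dynamic = {}                       # inside addr -> expiry timestamp

    def is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def decide(self, pkt):
        """Return "pass" or "drop" for one packet, updating the dynamic list."""
        src_in, dst_in = self.is_inside(pkt.src), self.is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: always allowed, and the sender becomes reachable for `timeout` seconds.
            self.dynamic[pkt.src] = pkt.ts + self.timeout
            return "pass"
        if dst_in and not src_in:
            # Inbound: only designated hosts, or hosts with an unexpired outbound window.
            if pkt.dst in self.static_allow:
                return "pass"
            expiry = self.dynamic.get(pkt.dst)
            if expiry is not None and pkt.ts < expiry:
                return "pass"
            self.dynamic.pop(pkt.dst, None)  # discard a stale entry
            return "drop"
        return "pass"  # inside-to-inside or transit traffic is not screened here

# Constructed trace: 192.0.2.9 is an outside host, 10.0.0.5 is on the static list.
TRACE = [
    Packet("192.0.2.9", "10.0.0.5", 0.0),   # designated host: pass
    Packet("192.0.2.9", "10.0.0.7", 1.0),   # undesignated, no window: drop
    Packet("10.0.0.7", "192.0.2.9", 2.0),   # outbound opens a window until t=62
    Packet("192.0.2.9", "10.0.0.7", 30.0),  # inside the window: pass
    Packet("192.0.2.9", "10.0.0.7", 62.0),  # window expired: drop
]

def run_trace(trace=TRACE, timeout=60.0):
    screen = Screen("10.0.0.", {"10.0.0.5"}, timeout)
    return [screen.decide(p) for p in trace]
```

Because it matches on addresses only, as the post's design does, any outside host can reach an inside host while its window is open, not just the one it contacted; keying the window on the peer address and ports as well would narrow that exposure.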