Subject: Packet Screening/Firewall Stuff Available/Recommended?
To: None <email@example.com>
From: Rob Ginn (x3673) <firstname.lastname@example.org>
Date: 12/06/1994 16:46:06
I finally got my NetBSD-1.0 box to act like a gateway, but now
I want to add more capability 8-) What I want to do is pass
(mainly ethernet) packets selectively. The behavior I'd like is:
Anyone in my sub-domain can get out
People outside can only get to specific addresses inside the sub-domain
(NB: I realize this conflicts with the previous one, see below)
To do this, what I'd like to do is have the gateway maintain a list
of those addresses that people outside are allowed to access, and,
if someone inside on a different address goes out, temporarily (with
a timeout) place them into the outside access OK list. Thus only
those addresses that I designate and those machines actively going
out would be accessible. Later I'd like to add the ability to
screen types of packets based on outgoing packet type, but that's
for a later time!
I could do this by:
a) hacking the kernel
b) extending the kernel to pass packets to a user program
c) running a single custom program on each interface
d) something I haven't thought of?
Has anyone done this? I know the screend program does part of (b),
but the user level program provides way more capability than I need
yet doesn't allow this timeout concept (and it has licensing
restrictions). Is there already a hook in the kernel to allow me to
do this? Any other programs that work in a similar vein that you know
Any and all suggestions are most welcome. If there are any really
cool solutions, I'll summarize back to the group.
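As an added illustration of the policy sketched in the post (this is example code written here, not anything from the original message or from NetBSD's screend), the following simulates the gateway's decision logic in Python: a static list of inside addresses that outsiders may reach, plus dynamic entries that an inside host earns by sending outbound traffic and that lapse after a timeout. The network 192.0.2.0/24, the interface labels "inside"/"outside", the refresh-on-every-outbound-packet behaviour, the spoofed-source checks and the packet trace are all assumptions made for the example.

```python
"""Simulation of an address-based packet screen with timed dynamic entries.

Policy under test:
  * any inside host may send outbound;
  * an outside host may reach an inside address only if that address is on
    a static allow list, or the inside host itself sent outbound traffic
    within the last `timeout` seconds (a dynamic entry, re-armed on every
    outbound packet from that host).
Addresses, interface names and the trace below are constructed for
illustration and are not from the original post.
"""
from ipaddress import ip_address, ip_network


class Screener:
    def __init__(self, inside_net, static_allow, timeout):
        self.inside = ip_network(inside_net)
        self.static_allow = {ip_address(a) for a in static_allow}
        self.timeout = timeout
        # inside address -> absolute time at which its dynamic entry expires
        self.dynamic = {}

    def _expire(self, now):
        # Forget dynamic entries whose timeout has elapsed.
        for addr in [a for a, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[addr]

    def decide(self, iface, src, dst, now):
        """Return 'PASS' or 'DROP' for a packet seen on `iface`
        ('inside' or 'outside'; assumed to be known to the gateway)."""
        src, dst = ip_address(src), ip_address(dst)
        self._expire(now)
        src_in, dst_in = src in self.inside, dst in self.inside

        # Anti-spoofing (an addition, not in the post): an inside source
        # address must only ever arrive on the inside interface, and vice versa.
        if iface == "outside" and src_in:
            return "DROP"
        if iface == "inside" and not src_in:
            return "DROP"

        if src_in and not dst_in:
            # Outbound: always pass, and (re)arm the host's dynamic entry.
            self.dynamic[src] = now + self.timeout
            return "PASS"
        if not src_in and dst_in:
            # Inbound: only to designated or recently active inside addresses.
            if dst in self.static_allow or dst in self.dynamic:
                return "PASS"
            return "DROP"
        # Neither side crosses the boundary: nothing for the gateway to forward.
        return "DROP"


def run_trace(screener, trace):
    """Apply the screen to a list of (iface, src, dst, time) tuples."""
    return [screener.decide(*pkt) for pkt in trace]


# Constructed trace: 192.0.2.10 is a designated (static) server,
# 192.0.2.20 an ordinary workstation, 198.51.100.7 an outside host.
TRACE = [
    ("outside", "198.51.100.7", "192.0.2.10", 0),    # to static server: PASS
    ("outside", "198.51.100.7", "192.0.2.20", 1),    # workstation, no entry: DROP
    ("inside",  "192.0.2.20",   "198.51.100.7", 2),  # workstation goes out: PASS, arms entry
    ("outside", "198.51.100.7", "192.0.2.20", 3),    # reply inside the window: PASS
    ("outside", "198.51.100.7", "192.0.2.20", 100),  # 60 s timeout elapsed: DROP
    ("outside", "192.0.2.20",   "192.0.2.10", 101),  # inside source on outside wire: DROP
]


def demo():
    screener = Screener("192.0.2.0/24", ["192.0.2.10"], timeout=60)
    return run_trace(screener, TRACE)


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, demo()):
        print(verdict, pkt)
```

One caveat worth keeping in mind with this design: a dynamic entry is keyed on the inside address alone, so for the length of the window every outside host, not just the one the inside machine talked to, can reach it. Keying the entry on the (inside, outside) address pair, or on the full transport 4-tuple once the packet-type screening mentioned at the end is added, narrows that exposure considerably.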