Subject: Perceived need: new IFF_ flag
To: None <tech-net@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/02/1997 10:07:49
I have a problem that I think is most easily addressed by adding a new
interface flag; I'm throwing it out here to get reactions to the idea
and possibly suggestions about better ways to address the problem.

The problem: I have a NetBSD/sparc machine (called "foo" below) running
1.2.  The network topology looks like this:

              | foo |---------------+
              +-----+               |
                 |     +--------+   |
(the world) -----+-----| router |---+---(many other machines)
                        | | .. |
                  (many other subnets)

The "router" is doing some firewalling (yeah, we've got some vendor-OS
machines that need firewall-style protection).  The "the world"
connection is subnet 1; the "inside" subnet foo appears on is subnet
73.  foo's subnet-73 interface is its principal interface (le0); the
machine - an IPC - has a second ethernet, le1.  le1 is physically on
subnet 1 but is configured to address; a sniffer program runs
on foo that uses bpf on le1 to collect "interesting" packets from net 1
for assorted data analysis.  (foo runs no routing daemons at all; all
its routing is statically configured.  Everything points to le0.)

Now, the point of this is for foo to be able to sniff attacks stopped
by the router and alert us to the fact that they're taking place.

However, for this to be useful, foo must not itself be vulnerable to
nastiness appearing on subnet 1.  To compound matters, I now find
there's a reason to want to run with net.inet.ip.forwarding=1 on foo
(it's acquired another interface that's supposed to be behind the
firewall).  But with forwarding on and the net-1 interface in
promiscuous mode, foo will try to forward packets it shouldn't.

The IP portion of this could perhaps be addressed with something like
ipfilter.  But since what I really want is for le1 to receive nothing,
absolutely nothing, as far as the normal networking machinery goes,
have it receive only for bpf purposes, it seems that it would be good
to have an interface flag saying so, so I could "ifconfig le1 bpfonly"
or some such and then be confident that not only it won't receive and
therefore won't forward IP packets, but it won't be confused by forged
ARP replies or other non-IP packets.

So...any comments on the notion?  I'll probably add such a flag for my
own use, but still would be curious to hear any remarks y'all may have.

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
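As an added illustration of the receive-path semantics the mail proposes (this is not code from the mail, nor NetBSD's ether_input()), the C model below runs the same constructed frames through a "le1" with and without a hypothetical IFF_BPFONLY flag. The flag name, the counters in the ifnet struct, ether_input_model() and run_scenario() are all assumptions made for the example; the point it shows is that with the flag set the bpf tap still sees every frame while IP, ARP and the forwarding path never do, even with forwarding enabled.

```c
/* Model of a "bpfonly" receive path. Hypothetical: not NetBSD kernel code. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define IFF_UP       0x0001
#define IFF_PROMISC  0x0100
#define IFF_BPFONLY  0x8000   /* hypothetical flag: deliver to bpf only */

#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806

/* Cut-down interface record with counters for what each layer received. */
struct ifnet {
    const char *name;
    unsigned flags;
    unsigned bpf_taps;   /* frames seen by the bpf tap */
    unsigned ip_in;      /* frames handed to ip_input() */
    unsigned arp_in;     /* frames handed to arp_input() */
    unsigned forwarded;  /* frames IP relayed because forwarding was on */
    unsigned dropped;    /* frames discarded before any protocol saw them */
};

static int ip_forwarding = 1;   /* net.inet.ip.forwarding=1, as in the mail */

/* A minimal frame: just the fields the demux needs. */
struct frame {
    uint16_t ethertype;
    int for_us;   /* 1 if the IP destination is one of our own addresses */
};

static void bpf_tap(struct ifnet *ifp, const struct frame *f)
{
    (void)f;
    ifp->bpf_taps++;
}

static void ip_input(struct ifnet *ifp, const struct frame *f)
{
    ifp->ip_in++;
    /* Transit traffic on a forwarding host gets relayed: the unwanted case. */
    if (!f->for_us && ip_forwarding)
        ifp->forwarded++;
}

static void arp_input(struct ifnet *ifp, const struct frame *f)
{
    (void)f;
    ifp->arp_in++;   /* a forged reply would be processed here */
}

/* ether_input() lookalike: tap first, then either stop or demux by ethertype. */
void ether_input_model(struct ifnet *ifp, const struct frame *f)
{
    if (!(ifp->flags & IFF_UP)) { ifp->dropped++; return; }
    bpf_tap(ifp, f);
    if (ifp->flags & IFF_BPFONLY) { ifp->dropped++; return; }  /* sniffer saw it; stack never will */
    switch (f->ethertype) {
    case ETHERTYPE_IP:  ip_input(ifp, f);  break;
    case ETHERTYPE_ARP: arp_input(ifp, f); break;
    default:            ifp->dropped++;    break;
    }
}

/* Run constructed traffic through le1 with the given flags; returns the counters. */
struct ifnet run_scenario(unsigned flags)
{
    struct ifnet le1 = { "le1", flags, 0, 0, 0, 0, 0 };
    const struct frame traffic[] = {   /* constructed sample frames */
        { ETHERTYPE_IP,  0 },          /* transit IP: a forwarding host would relay it */
        { ETHERTYPE_IP,  1 },          /* IP addressed to us */
        { ETHERTYPE_ARP, 0 },          /* e.g. an unsolicited ARP reply */
        { 0x1234,        0 },          /* some other protocol (constructed ethertype) */
    };
    for (size_t i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        ether_input_model(&le1, &traffic[i]);
    return le1;
}

int main(void)
{
    struct ifnet plain = run_scenario(IFF_UP | IFF_PROMISC);
    struct ifnet only  = run_scenario(IFF_UP | IFF_PROMISC | IFF_BPFONLY);
    printf("%-8s bpf=%u ip=%u arp=%u fwd=%u drop=%u\n", "promisc",
           plain.bpf_taps, plain.ip_in, plain.arp_in, plain.forwarded, plain.dropped);
    printf("%-8s bpf=%u ip=%u arp=%u fwd=%u drop=%u\n", "bpfonly",
           only.bpf_taps, only.ip_in, only.arp_in, only.forwarded, only.dropped);
    return 0;
}
```

The check the flag adds sits after the tap and before the ethertype switch, which is what makes it cover ARP and every other non-IP protocol as well as IP; a filter in the IP layer alone (the ipfilter route the mail mentions) would leave the ARP path untouched. FreeBSD's ifconfig(8) later acquired a `monitor` flag with this same behaviour: received packets are discarded after bpf processing and nothing is transmitted.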