ok here's a more thought out idea

a vpf is the same as a pf only that it has an ioctl that binds its
device minor to a rule # in pf0. access to a vpf0 is the same, posix
vfs permissions. (securelevel affects pf rule write-ability, but i
don't think a per vpf equivalent is useful for this example). only
that the bind ioctl can be done by root exclusively

if you want more vpfs, you need more device minors. that way the user
interfaces are already there (pfctl, systat states), and the pf device
protocol is already there, but the rules are now partitioned which was
the true purpose from the start

On Wed, Jul 4, 2012 at 11:11 AM, Andres Perera <andre...@zoho.com> wrote:
> out of curiosity, how would you make pf(4) only handle rules
> pertaining to a certain anchor depending on the process that's
> interfacing with them? i ask because, e.g., pfctl -sr should only
> show rules for that client, and other pf(4) operations need to be
> equally restricted. i know that originally you said that the loading
> of the rules is not up to the client but a periodic batch job, however
> that does not match "CheckPoint VSX"
>
> would you make the pf driver check the uid of the caller itself and
> spread out this code throughout every routine that fetches and sets
> rules, or where would you place the namespacing?
>
> On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer <lists-open...@bsws.de> wrote:
>> * Franco Fichtner <slash...@gmail.com> [2012-07-04 11:43]:
>>> No, the great catch here is that VSX offers you tools to manage up
>>> to 250 of these virtual monsters in a centralized fashion. You can
>>> also give control of these firewalls to your customers. You can put
>>> lots of OpenBSD guests on a host, but there's no way you will be
>>> happy when you are seriously thinking about deploying a VSX.
>>
>> ok, you've been brainwashed by marketing.
>>
>> this is not a question of the firewall at all, but a question of the
>> management interface around it.
>>
>> as said and I repeat it again, use anchors and build sth for specific
>> users to be able to edit specific anchor rulesets. could be as easy as
>> a file per anchor owned by the user in question and a little cronjob
>> that reloads your ruleset including anchors hourly or so.
>>
>> --
>> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> BS Web Services, http://bsws.de, Full-Service ISP
>> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
>> Henning Brauer Consulting, http://henningbrauer.com/
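Henning's "file per anchor owned by the user, reloaded by a cronjob" scheme, written out as an added example script for this thread (not code from any of the posters). It assumes a hypothetical directory /etc/pf.customers holding one rules file per customer, named after the customer's unix user and owned by them, and a line `anchor "customers/*"` in the main /etc/pf.conf so that each sub-anchor is evaluated. The script name reload-customer-anchors is also an assumption.

```shell
#!/bin/sh
# Per-customer anchor loader (added example for this thread, not code from any
# poster). Layout assumed (hypothetical): $ANCHOR_DIR/<name> holds the rules
# for anchor "customers/<name>" and is owned by the unix user <name>; the main
# /etc/pf.conf carries the line:   anchor "customers/*"
# Run from cron, e.g.:  0 * * * * /usr/local/sbin/reload-customer-anchors
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pf.customers}"   # assumed path

# Print "name path" for every customer file that passes the checks and report
# the rest on stderr. A file is accepted only if its name is a plain anchor
# name, it is owned by the user of that name, and it is not group/world
# writable, so nobody can drop rules under another customer's anchor.
valid_anchor_files() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *[!A-Za-z0-9_-]*) echo "skip '$name': not a plain anchor name" >&2; continue ;;
        esac
        # find prints the path only when both predicates hold; an unknown
        # user makes find fail, which is also treated as a skip.
        if [ -z "$(find "$f" -user "$name" ! -perm -022 -print 2>/dev/null)" ]; then
            echo "skip '$name': must be owned by $name and not group/world writable" >&2
            continue
        fi
        printf '%s %s\n' "$name" "$f"
    done
}

# Load each accepted file into its own anchor. pfctl -n parses without
# loading, so one customer's syntax error is rejected on its own and leaves
# the other anchors and the running ruleset untouched.
load_customer_anchors() {
    valid_anchor_files "$ANCHOR_DIR" | while read -r name path; do
        if pfctl -a "customers/$name" -nf "$path" 2>/dev/null; then
            pfctl -a "customers/$name" -f "$path" ||
                echo "anchor customers/$name: load failed, previous rules kept" >&2
        else
            echo "anchor customers/$name: rules rejected, previous rules kept" >&2
        fi
    done
}

# Only load when executed under the expected script name, not when sourced.
case ${0##*/} in reload-customer-anchors) load_customer_anchors ;; esac
```

Two things worth keeping in mind with this layout: the ownership and mode check is what stops one customer from shipping rules under another customer's anchor name, and per-anchor `pfctl -nf` is what keeps a single broken file from blocking everybody's hourly reload. What it does not do is confine what a customer's rules can match: rules inside an anchor are still evaluated against all traffic reaching the anchor point, so the parent ruleset should attach filter parameters to each anchor line (interface, source network) rather than rely on the bare wildcard form, which cannot scope per customer.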
