On Sat, 1 Apr 1995 18:34:00 PDT Ken Sletten said:
>TASKS:
>Kirby Joss, Chris Bartram, and others laid out some good
>scenarios.  Without trying to repeat the good points that have
>already been raised, a couple more thoughts/refinements:
>
>(1)  Expanding on one of Chris Bartram's suggestions to be
>       able to configure lists of allowed originating IP addresses:
>       We would like to be able to configure both an ALLOW *and*
>       a DISALLOW list, and be able to do that using at least basic
>       wild card syntax.  I.e:  Be able to put in everything from one
>       or more specific IP entries, to something like [log in to unmask]@
 
This is inadequate.  I would like to propose something along the lines of
 {permit | deny} {IP-address} {address-mask} [{tcp|udp|icmp} {<|=|>} {port}]
and a possibility to
 {permit | deny} {IP-address} {address-mask} established
 
The "@" nomenclature doesn't allow for subnet masking (actual subnets or
logical subnets).  Blunt acceptance/denial of a "network" may be OK, but we
really need to address the protocol level.  The above is a revised format as
used by cisco routers (except that they have a source/destination address,
and in this case the source is given).
 
The latter format can be used FIRST to avoid filtering overhead on every
packet - then subsequent access specs are examined only when a connection
request is made (the SYN packet).  The former format can let you allow certain
services, e.g., permit 0.0.0.0 255.255.255.255 tcp eq 25 to leave SMTP open, or
simply permit 140.178.0.0 0.0.255.255 to equate to Ken's example.
 
[\] Jeff Kell, [log in to unmask]