The Juniper firewall code supports the idea of trusted interfaces. These patches add the ifconfig flags "trusted" and "-trusted" in support of a "poor man's Juniper firewall". They incidentally increase the available interface flags from 16 to 32 bits (and there was much rejoicing).

An interface may be marked trusted by root. The default is untrusted. When an interface is marked "trusted", TCP sockets may be queried to determine whether they will route over trusted or untrusted interfaces. Note: this code does not take into account the possibility of asymmetric routes! The answer is derived from the route the socket would use to send, so it is only as good as that route.

The basic idea is that a daemon can determine whether a connection is made via a trusted or untrusted interface, and respond accordingly. A potential use of this code is SMTP relay. If a connection is made via a trusted interface, you could allow SMTP relay, and if made via an untrusted interface, deny it. For a firewall, the interior net would be trusted and the exterior would be untrusted. This would mean (in the relay example) that trusted hosts would be permitted to relay mail through the SMTP server, and untrusted hosts would not.

A server tests for "trustworthiness" of an interface by:

    int trusted;
    socklen_t trustedlen = sizeof(trusted);
    ...
    /* getsockopt() returns 0 on success and -1 on failure;
     * on failure, fall back to untrusted. */
    if (getsockopt(s, IPPROTO_TCP, TCP_TRUSTED, &trusted, &trustedlen) == -1)
        trusted = 0;
    ...
    if (trusted) {
        ...
    } else {
        ...
    }

Note: this applies to only TCP sockets!

Readers may engage in future work:

(1) Set the flag in the socket at connect time rather than using the route (support for asymmetric routes).

(2) Allow UDP socket route queries (i.e. "if I were to send a packet via this socket, where would it go?").
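The relay decision described above, written out as a small added example (not part of the patch itself). It assumes the patch's TCP_TRUSTED option name; on a kernel without the patch that symbol is undefined and the query compiles to the fail-closed path, which matches the patch's own default of "untrusted". Any getsockopt() failure (bad descriptor, unsupported option) is likewise treated as untrusted, and the relay policy only ever grants relay to foreign domains on a trusted answer:

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <unistd.h>

/* Ask the kernel whether the TCP socket's route leaves over a trusted
 * interface. Returns 1 for trusted, 0 for untrusted or unknown.
 * TCP_TRUSTED is the option name assumed from the patch; it is not part
 * of a stock kernel, so the #else branch keeps the build fail-closed. */
int connection_is_trusted(int s)
{
#ifdef TCP_TRUSTED
    int trusted = 0;
    socklen_t len = sizeof(trusted);
    /* getsockopt() returns 0 on success, -1 on failure. A failed query
     * (EBADF, ENOPROTOOPT, ...) must never be read as "trusted". */
    if (getsockopt(s, IPPROTO_TCP, TCP_TRUSTED, &trusted, &len) == -1)
        return 0;
    return trusted != 0;
#else
    (void)s;
    return 0; /* option not available on this kernel: untrusted */
#endif
}

enum relay_decision { RELAY_DENY = 0, RELAY_ALLOW = 1 };

/* SMTP relay policy for the example in the text: mail for our own
 * domains is accepted from anyone; relaying to a foreign domain is
 * allowed only when the connection arrived over a trusted interface. */
enum relay_decision smtp_relay_policy(int trusted, int rcpt_is_local)
{
    if (rcpt_is_local)
        return RELAY_ALLOW;
    return trusted ? RELAY_ALLOW : RELAY_DENY;
}

int main(void)
{
    /* Constructed stand-in for an accepted connection: an unconnected
     * socket, queried the same way an SMTP daemon would query a client. */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    int trusted = connection_is_trusted(s);
    printf("socket reports trusted=%d\n", trusted);
    printf("RCPT TO foreign domain: %s\n",
           smtp_relay_policy(trusted, 0) == RELAY_ALLOW ? "relay" : "deny");
    printf("RCPT TO local domain:   %s\n",
           smtp_relay_policy(trusted, 1) == RELAY_ALLOW ? "accept" : "deny");
    if (s != -1)
        close(s);
    return 0;
}
```

Because the kernel answers from the route rather than from the interface the SYN arrived on, a deployment with asymmetric routing should treat the answer as advisory until the "set the flag at connect time" work item is done.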