[Systrace] Basic usage of systrace
Kim Onnel
karim.adel at gmail.com
Mon Jan 31 10:15:47 EST 2005
Hi,

I'm a network engineer at an ISP. My daily work involves routers and
their protocols; definitely, there is a gap between what we do and the
systems world, especially when it comes to security.

We've been using telnet and, of course, there is no excuse for that,
but it's a must until we have the luxury to upgrade our weak network OS
(IOS).

To get around that, I planned to set up 2 OpenBSD boxes as bastion
hosts, where people would jump off to the rest of the network devices;
from there I will enforce a login policy.

Some googling led me here. I have grasped what systrace does, but it's
not easy for me to create policies; my Unix background has helped me
so far to just install the BSD and get it running.

I intend to restrict users to only be able to telnet (it would be
great if I can restrict them to my network subnet range as well),
no need for anything else, ls or basic bash commands. From what I've
seen, I must be quite aware of the logging and the 'under-the-hood'
operation of programs to write a policy for it (e.g.: use connect,
open socket, use gethostbyname, use ...). Am I right about that, or
can I just easily allow users to telnet and that's it? I am confused
with this part. I know this mailing list is all about complex systrace
policies and probably development, but can anyone reply privately on
what's needed to do my simple task?

Regards
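Editor's note, added to this archived post and not part of the original message: the usual way to get a telnet policy without hand-listing every system call is to let systrace record one. Run the program once under `systrace -A /usr/bin/telnet <router>` (the `-A` flag writes a permit-everything-observed policy to `~/.systrace/usr_bin_telnet` by default; `-d <dir>` picks a different policy directory), then edit that file to tighten the network rules and run users under `systrace -a /usr/bin/telnet` so that anything the policy does not cover is denied. The fragment below shows only the hand-edited lines that matter for the question asked above; the rest of the generated file (library and resolver `fsread` entries, `ioctl`, `read`, `write`, and so on) is left as systrace recorded it. The 192.168.1.0/24 range and the single router at 192.168.1.1 are placeholder assumptions.

```text
Policy: /usr/bin/telnet, Emulation: native
	native-connect: sockaddr eq "inet-[192.168.1.1]:23" then permit
	native-connect: sockaddr match "inet-*192.168.1.*:23" then permit
	native-connect: deny[eperm]
	native-execve: deny[eperm]
```

Policy lines are matched in order and the first match wins, so the two `permit` rules for port 23 must come before the catch-all `connect` deny. The `eq` form matches one exact `inet-[address]:port` string; `match` is a shell-style glob over that same string, which is why the subnet rule is written with `*` around the address rather than with literal brackets (brackets would be read as a character class). The `execve` deny closes the `!` shell escape that the BSD telnet client offers, which would otherwise let a user spawn a shell from inside the only program they are allowed to run. Test the result by telnetting to an address outside the range and to a non-23 port and confirming both are refused with `EPERM` and logged, and check the systrace output the first time a legitimate session runs, since the client also needs the resolver files and the DNS UDP traffic that `-A` recorded if users type hostnames instead of addresses.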