Ave!

I have a problem here. I'd like to add a packet filter rule dynamically.
What I mean is a scenario like this:

1) The (default) Internet access on any machine is "denied".

2) The user on the machine decides she needs Internet access. So she does
something (like running a program I wrote, for example) which adds a
temporary packet filter rule saying "machine ABCD is allowed internet access".

3) Some time later she decides she does not need this access any more and
does something else which disables/removes this rule. The machine is denied
Internet access.

Of course, there are corner cases like 'what if ABCD hangs' but the general
idea should be pretty clear: I need a way to directly manipulate packet
filter rules from my program.

Is this at all possible? And, if it is, what would be the performance impact
of every packet going through 50+ rules like this?

(What I really want to achieve is to divide our network into three areas:
internal servers, publicly accessible servers and Internet. I would like
any user in our network to choose at login time which areas (s)he wants to
access during this specific session. This access should of course be
controlled: if a user requests access to internal servers, (s)he should be
denied any access to public and external networks, and vice versa. This is
a much bigger problem, however, and it won't be solved today; nevertheless,
if any of you has some suggestions, you're welcome.)

My software is NetWare 6.5 with BM 3.8.

Any idea on how to manage filters from a program?

Thanks in advance,

Piotr Sulecki
Institute of Metal Cutting, Krakow, Poland.
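
The scenario in the post above, modelled as an added example that is not part of the original message and does not call any NetWare or BorderManager API: a default-deny table of per-host grants where each grant is a lease, so a hung machine loses access when it stops renewing. The class name, the lease mechanism and the reading that only "internal" is exclusive with the other two areas are assumptions.

```python
import time

# Zone names follow the three areas named in the post.
INTERNAL, PUBLIC, INTERNET = "internal", "public", "internet"
ZONES = frozenset({INTERNAL, PUBLIC, INTERNET})


class SessionAccessTable:
    """Default-deny table of temporary per-host grants (hypothetical model;
    it does not talk to any real packet filter)."""

    def __init__(self, lease_seconds=300, clock=time.monotonic):
        self.lease_seconds = lease_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._grants = {}             # host -> (zones, expiry time)

    def grant(self, host, zones):
        """Step 2: add a temporary allow entry for this host."""
        zones = frozenset(zones)
        if not zones or not zones <= ZONES:
            raise ValueError("unknown or empty zone set")
        # Exclusivity rule: internal cannot be combined with the others.
        if INTERNAL in zones and len(zones) > 1:
            raise ValueError("internal access excludes public/Internet")
        self._grants[host] = (zones, self.clock() + self.lease_seconds)

    def renew(self, host):
        """Heartbeat from the client. A hung machine stops sending it."""
        entry = self._live(host)
        if entry is None:
            return False
        self._grants[host] = (entry[0], self.clock() + self.lease_seconds)
        return True

    def revoke(self, host):
        """Step 3: the user gives the access up."""
        self._grants.pop(host, None)

    def allowed(self, host, zone):
        """Step 1: no live grant means deny."""
        entry = self._live(host)
        return entry is not None and zone in entry[0]

    def _live(self, host):
        entry = self._grants.get(host)
        if entry is not None and entry[1] <= self.clock():
            del self._grants[host]    # lease ran out: back to default deny
            return None
        return entry
```

Lookups in this model are keyed by host, so the cost of a check does not grow with the number of active grants; that says nothing about how a particular filter engine evaluates its rule list.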