* David Wagner (dawat_private) wrote:
> Crispin Cowan wrote:
> >> > Can we extend ipfirewalling/ipchains/iptables to allow firewalling
> >> > rules to be specified on a per-process basis?
> >
> >We're in the middle of doing that for SubDomain, although we're not
> >using the ip* family to do it.
>
> Out of curiosity: How do you plan to handle incoming packets?
> How do you tell which process an incoming packet is destined for?
>
> (Some students in my security class proposed one possible trick
> for handling this, but I'm curious to hear what your plans are.
> The trick is very clever, but it has some practical drawbacks.)

We took the simplest approach. Wait until you are in the process context to check inbound packets. This has its drawbacks: the packet is accepted and queued in the bottom half, rather than (like the firewall) thrown out in the bottom half; system calls will fail and propagate a permissions error to the user rather than continuing to block while silently (w/ an audit trace) dropping "bad" packets.

-chris
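A small simulation of the two enforcement points contrasted in the message above, added here as an illustration and not code from SubDomain or from the list post. The policy, packet list and process names are constructed, and PermissionError stands in for the EPERM the real system call would hand back to the process.

```python
import errno
from collections import deque

# Constructed policy: which (proto, port) each process may receive.
POLICY = {"httpd": {("tcp", 80)}, "sshd": {("tcp", 22)}}

# Constructed inbound traffic: (proto, dst_port, owning process).
INBOUND = [("tcp", 80, "httpd"), ("udp", 53, "httpd"), ("tcp", 22, "sshd")]

def allowed(proc, pkt):
    return pkt in POLICY.get(proc, set())

def firewall_style(packets, audit):
    """Enforce in the bottom half: a denied packet is never queued.
    The process only ever sees allowed data; denial shows up in the audit log."""
    queues = {}
    for proto, port, proc in packets:
        if allowed(proc, (proto, port)):
            queues.setdefault(proc, deque()).append((proto, port))
        else:
            audit.append(f"drop {proto}/{port} for {proc}")
    return queues

def process_context_style(packets):
    """Queue everything in the bottom half; the policy is not consulted yet."""
    queues = {}
    for proto, port, proc in packets:
        queues.setdefault(proc, deque()).append((proto, port))
    return queues

def recv_checked(proc, queues):
    """recv() under the process-context design: the check happens here,
    so a denied packet becomes an error returned to the caller."""
    pkt = queues[proc].popleft()
    if not allowed(proc, pkt):
        raise PermissionError(errno.EPERM, "denied by per-process policy")
    return pkt

def drain(proc, queues):
    """Read until the queue is empty, recording what the process observes."""
    seen = []
    while queues[proc]:
        try:
            seen.append(recv_checked(proc, queues))
        except PermissionError as e:
            seen.append(errno.errorcode[e.errno])  # "EPERM"
    return seen

if __name__ == "__main__":
    audit = []
    print("firewall style :", list(firewall_style(INBOUND, audit)["httpd"]), audit)
    print("process context:", drain("httpd", process_context_style(INBOUND)))
```

With the same policy, the bottom-half check leaves httpd seeing only the port 80 packet plus an audit line, while the process-context check lets the UDP packet reach the queue and surfaces as an error on the read.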
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:29 PDT