Janus Perspective

From: Chris Wright (chrisat_private)
Date: Thu Apr 12 2001 - 18:21:16 PDT


* David Wagner (dawat_private) wrote:
> Crispin Cowan  wrote:
> >> >     Can we extend ipfirewalling/ipchains/iptables to allow firewalling
> >> >     rules to be specified on a per-process basis?
> >
> >We're in the middle of doing that for SubDomain, although we're not
> >using the ip* family to do it.
> 
> Out of curiosity: How do you plan to handle incoming packets?
> How do you tell which process an incoming packet is destined for?
> 
> (Some students in my security class proposed one possible trick
> for handling this, but I'm curious to hear what your plans are.
> The trick is very clever, but it has some practical drawbacks.)

We took the simplest approach.  Wait until you are in the process
context to check inbound packets.  This has its drawbacks: the
packet is accepted and queued in the bottom half, rather than (like the
firewall) thrown out in the bottom half; system calls will fail and
propagate a permissions error to the user rather than continuing to block
while silently (w/ an audit trace) dropping "bad" packets.

-chris
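The two design points in the reply, as an added model that is not SubDomain code and not from the original message: a firewall-style check that drops in the bottom half (the model is handed the owning pid, which is the very thing a real bottom half cannot know), and a process-context check at recv() time that queues first and fails the system call with EPERM. The rule table, pids and ports are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_Q 8

/* Constructed rule table: each pid may receive on exactly one port. */
struct rule { int pid; int port; };
static const struct rule rules[] = { { 100, 80 }, { 200, 22 } };

/* Per-socket receive queue owned by one process. */
struct sock_q { int ports[MAX_Q]; int n; };

static int allowed(int pid, int port) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].pid == pid) return rules[i].port == port;
    return 0;                      /* default deny */
}

/* Firewall style: decide in the bottom half, before queueing.
 * The model is handed the owning pid, which is exactly what a real
 * bottom half does not know. Returns 1 if the packet was dropped
 * (silently, apart from the audit line). */
int bh_firewall_deliver(struct sock_q *q, int pid, int port) {
    if (!allowed(pid, port)) {
        fprintf(stderr, "audit: bh dropped packet for pid %d, port %d\n", pid, port);
        return 1;
    }
    if (q->n < MAX_Q) q->ports[q->n++] = port;
    return 0;
}

/* Process-context style: the bottom half queues unconditionally. */
void bh_queue_deliver(struct sock_q *q, int port) {
    if (q->n < MAX_Q) q->ports[q->n++] = port;
}

/* recv() running in the context of the owning process: the caller's pid
 * identifies the destination, so the rule is checked here. Returns the
 * port, -EPERM for a disallowed packet, -EAGAIN when it would block. */
int recv_in_process_ctx(struct sock_q *q, int pid) {
    if (q->n == 0) return -EAGAIN;
    int port = q->ports[0];
    memmove(q->ports, q->ports + 1, (size_t)(q->n - 1) * sizeof q->ports[0]);
    q->n--;
    if (!allowed(pid, port)) {
        fprintf(stderr, "audit: recv denied pid %d, port %d\n", pid, port);
        return -EPERM;
    }
    return port;
}
```

The firewall path leaves the caller blocking (-EAGAIN) when the only packet was bad; the process-context path hands the caller an error for that packet and only then the next good one.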
    
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:29 PDT