Re: 2001_05_09 patch against 2.4.4

From: Chris Evans (chrisat_private)
Date: Tue May 15 2001 - 16:09:11 PDT


    On Tue, 15 May 2001, Chris Wright wrote:
    > I agree the device is one piece that we need to watch, but i'm not sure that
    > it is the most important.  Look at packet filter firewall rules, they are
    > largely about complete tuples not just devices.  In your example, eth0 may
    > need finer granularity than low security.  Perhaps it is fine to talk out
    > eth0 to on port 22 using tcp even if I have
    > /etc/very/secret open.  I'd like to be able to support tcp connect/accept
    > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
    Sounds like a lot of code ;-) I wonder if Linux can be persuaded to create
    "clone devices" (I don't think the existing aliases will be sufficient).
    Then, mark the clone device as trusted, and firewall the cloned device
    such that it only sends on 22/tcp.
    Bingo, you've re-used Linux's powerful network/firewall code, and as a
    bonus wrote a hell of a lot less code yourself. Also, you just hook at the
    device level rather than all over the network stack/firewall etc.
    linux-security-module mailing list
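The "trusted clone device, firewalled so it can only send on 22/tcp" idea above, spelled out as an added example; this is not code from the thread or from the LSM project. It assumes a modern kernel with macvlan (which is one way to get a real clone device rather than an alias) and iptables, and the names eth0, eth0sec and port 22 are illustrative. It also assumes that something else (the device-level LSM hook discussed in the thread, or an equivalent policy) decides which processes may use the clone; the rules here only enforce what the clone is allowed to carry.

```shell
#!/bin/sh
# Added example, not from the original thread. Build a firewalled clone of a
# network device: the clone may only originate TCP connections to one port and
# may only receive the replies to those connections, so a process that is
# restricted to this device can talk SSH and nothing else.

# Emit (do not run) the commands that create clone $2 of parent device $1 and
# confine it to outbound TCP port $3. Names are illustrative assumptions.
clone_rules() {
    parent="$1"; clone="$2"; port="$3"
    cat <<EOF
ip link add link $parent name $clone type macvlan
ip link set $clone up
iptables -A OUTPUT -o $clone -p tcp --dport $port -j ACCEPT
iptables -A OUTPUT -o $clone -j DROP
iptables -A INPUT -i $clone -p tcp --sport $port ! --syn -j ACCEPT
iptables -A INPUT -i $clone -j DROP
EOF
}

# Every packet of an outbound TCP connection to $port carries dport $port, so
# no connection-tracking rule is needed on OUTPUT; the INPUT rules accept only
# non-SYN segments from that port, which blocks anyone connecting in to the
# clone and blocks the clone from accepting on any port.

# Emit the matching teardown commands (rules deleted in the same order).
clone_teardown() {
    parent="$1"; clone="$2"; port="$3"
    cat <<EOF
iptables -D OUTPUT -o $clone -p tcp --dport $port -j ACCEPT
iptables -D OUTPUT -o $clone -j DROP
iptables -D INPUT -i $clone -p tcp --sport $port ! --syn -j ACCEPT
iptables -D INPUT -i $clone -j DROP
ip link del $clone
EOF
}

# Apply the generated policy. Refuses to run unless root, and stops at the
# first failing command so a half-built clone is not left unfirewalled.
apply_clone_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_clone_rules: must be root" >&2; return 1; }
    clone_rules "$@" | sh -e
}

# Usage (as root): apply_clone_rules eth0 eth0sec 22
# Dry run (any user):
#   clone_rules eth0 eth0sec 22
```

Note that macvlan gives the clone its own MAC address, so the parent's link must accept a second station address; the clone is still a distinct device to the kernel, which is what lets `-o`/`-i` matches do the work instead of new code in the stack.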

    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 16:10:29 PDT