On Tue, 15 May 2001, Chris Wright wrote:

> I agree the device is one piece that we need to watch, but I'm not sure that
> it is the most important. Look at packet filter firewall rules, they are
> largely about complete tuples not just devices. In your example, eth0 may
> need finer granularity than low security. Perhaps it is fine to talk out
> eth0 to mysercurehost.com on port 22 using tcp even if I have
> /etc/very/secret open. I'd like to be able to support tcp connect/accept
> and udp send/recv to/from host:port via device (howz that for non-sense? ;-)

Sounds like a lot of code ;-)

I wonder if Linux can be persuaded to create "clone devices" (I don't think
the existing aliases will be sufficient). Then, mark the clone device as
trusted, and firewall the cloned device such that it only sends on 22/tcp.
Bingo, you've re-used Linux's powerful network/firewall code, and as a bonus
wrote a hell of a lot less code yourself. Also, you just hook at the device
level rather than all over the network stack/firewall etc.

Cheers
Chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
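The design being argued over above combines two layers: a device-level trust check (a process that has the secret open may only talk through a device marked trusted) and a complete-tuple packet filter on that device (the clone of eth0 may only connect on 22/tcp to the one secure host). The following Python model is an added illustration of that split, not code from the thread or from the Linux Security Modules project. The device names "eth0" and "eth0-ssh" (the hypothetical clone), the address 192.0.2.10 standing in for mysercurehost.com, and the rule format are all assumptions made for the example; no real netfilter or LSM interface is called.

```python
"""Model of the two-layer policy from the thread: a device-trust check at the
LSM hook, with tuple filtering (device, proto, op, peer, port) delegated to
firewall rules attached to the device.  All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Hypothetical devices: "eth0" is the low-security physical interface,
# "eth0-ssh" is the trusted clone device proposed in the reply.
TRUSTED_DEVICES = {"eth0-ssh"}

# Constructed address standing in for mysercurehost.com; no DNS lookup is done.
SECURE_HOST = ip_network("192.0.2.10/32")


@dataclass(frozen=True)
class Flow:
    device: str   # interface the traffic would use
    proto: str    # "tcp" or "udp"
    op: str       # "connect", "accept", "send" or "recv" (as in the quoted mail)
    peer: str     # remote IP address
    port: int     # remote port


@dataclass(frozen=True)
class Rule:
    """One firewall rule; a None field matches anything (the 'complete tuple')."""
    device: str
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None
    op: Optional[str] = None
    peer: Optional[IPv4Network] = None
    port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.device == f.device
                and (self.proto is None or self.proto == f.proto)
                and (self.op is None or self.op == f.op)
                and (self.peer is None or ip_address(f.peer) in self.peer)
                and (self.port is None or self.port == f.port))


# Firewall on the clone device: only ssh connects to the secure host, then deny.
# Plain eth0 is left open, but it is not a trusted device.
RULES = [
    Rule("eth0-ssh", "allow", proto="tcp", op="connect", peer=SECURE_HOST, port=22),
    Rule("eth0-ssh", "deny"),
    Rule("eth0", "allow"),
]


def firewall_verdict(flow: Flow, rules=RULES) -> str:
    """First matching rule wins; a device with no rules at all is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def lsm_decision(flow: Flow, holds_secret: bool, rules=RULES) -> str:
    """The device-level hook: a process holding secret data may only use a
    trusted device; everything finer-grained is left to the device's rules."""
    if holds_secret and flow.device not in TRUSTED_DEVICES:
        return "deny"
    return firewall_verdict(flow, rules)


if __name__ == "__main__":
    ssh = Flow("eth0-ssh", "tcp", "connect", "192.0.2.10", 22)
    web = Flow("eth0-ssh", "tcp", "connect", "192.0.2.10", 80)
    print("secret process, ssh via clone :", lsm_decision(ssh, True))   # allow
    print("secret process, http via clone:", lsm_decision(web, True))   # deny
    print("secret process, ssh via eth0  :", lsm_decision(ssh, False) if False else lsm_decision(Flow("eth0", "tcp", "connect", "192.0.2.10", 22), True))  # deny
```

The point the model makes concrete is the division of labour in the reply: the hook only has to answer "is this device trusted for this process?", while the per-tuple decisions (which host, which port, which protocol, connect versus accept) live in ordinary firewall rules on the clone device, where the existing packet-filter machinery already knows how to evaluate them.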
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 16:10:29 PDT