Re: 2001_05_09 patch against 2.4.4

From: Chris Wright (chrisat_private)
Date: Tue May 15 2001 - 17:08:32 PDT

  • Next message: Crispin Cowan: "Network Outage"

    * Chris Evans (chrisat_private) wrote:
    > On Tue, 15 May 2001, Chris Wright wrote:
    > > I agree the device is one piece that we need to watch, but i'm not sure that
    > > it is the most important.  Look at packet filter firewall rules, they are
    > > largely about complete tuples not just devices.  In your example, eth0 may
    > > need finer granularity than low security.  Perhaps it is fine to talk out
    > > eth0 to on port 22 using tcp even if I have
    > > /etc/very/secret open.  I'd like to be able to support tcp connect/accept
    > > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
    > Sounds like a lot of code ;-) I wonder if Linux can be persuaded to create
    > "clone devices" (I don't think the exisiting aliases will be sufficient).
    > Then, mark the clone device as trusted, and firewall the cloned device
    > such that it only sends on 22/tcp.
    > Bingo, you've re-used Linux's powerful network/firewall code, and as a
    > bonus wrote a hell of a lot less code yourself. Also, you just hook at the
    > device level rather than all over the network stack/firewall etc.
    I ran into some problems using the firewall code directly (in 2.2).  First
    and foremost...all inbound packet filtering happens on the bottom half.  This
    means you don't have relevant process context for making process based
    decisions.  I haven't looked closely at 2.4 yet, but I assume this is the
    same.  This means we will at least have to add hooks to accomodate these
    needs.  With 2.2 there were a few other issues with the ipchains code that
    made it unusable (sorry, I can't remember off the top of my head what they
    were).  I'm hopeful that iptables will not give the same headache.  The idea
    of a clone device might allieviate the need to run inbound packet checks in
    the top half...hmm...
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 17:10:33 PDT