* Chris Evans (chrisat_private) wrote:
>
> On Tue, 15 May 2001, Chris Wright wrote:
>
> > I agree the device is one piece that we need to watch, but I'm not sure that
> > it is the most important. Look at packet filter firewall rules, they are
> > largely about complete tuples not just devices. In your example, eth0 may
> > need finer granularity than low security. Perhaps it is fine to talk out
> > eth0 to mysercurehost.com on port 22 using tcp even if I have
> > /etc/very/secret open. I'd like to be able to support tcp connect/accept
> > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
>
> Sounds like a lot of code ;-) I wonder if Linux can be persuaded to create
> "clone devices" (I don't think the existing aliases will be sufficient).
> Then, mark the clone device as trusted, and firewall the cloned device
> such that it only sends on 22/tcp.
>
> Bingo, you've re-used Linux's powerful network/firewall code, and as a
> bonus wrote a hell of a lot less code yourself. Also, you just hook at the
> device level rather than all over the network stack/firewall etc.

I ran into some problems using the firewall code directly (in 2.2). First
and foremost...all inbound packet filtering happens on the bottom half.
This means you don't have relevant process context for making process
based decisions. I haven't looked closely at 2.4 yet, but I assume this is
the same. This means we will at least have to add hooks to accommodate
these needs.

With 2.2 there were a few other issues with the ipchains code that made it
unusable (sorry, I can't remember off the top of my head what they were).
I'm hopeful that iptables will not give the same headache.

The idea of a clone device might alleviate the need to run inbound packet
checks in the top half...hmm...

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 17:10:33 PDT