Re: 2001_05_09 patch against 2.4.4

From: Shane Kerr (shane@time-travellers.org)
Date: Tue May 15 2001 - 23:53:53 PDT


    On 2001-05-15 17:08:32 +0000, Chris Wright wrote:
    > 
    > I ran into some problems using the firewall code directly (in 2.2).
    > First and foremost...all inbound packet filtering happens on the
    > bottom half.  This means you don't have relevant process context for
    > making process based decisions.  I haven't looked closely at 2.4 yet,
    > but I assume this is the same.  This means we will at least have to
    > add hooks to accommodate these needs.  With 2.2 there were a few other
    > issues with the ipchains code that made it unusable (sorry, I can't
    > remember off the top of my head what they were).  I'm hopeful that
    > iptables will not give the same headache.  The idea of a clone device
    > might alleviate the need to run inbound packet checks in the top
    > half...hmm...
    
    Slightly off-topic, esp. because I don't consider the original proposal
    very compelling, but...
    
    I haven't looked at it closely either, but according to various articles
    I've read you *can* filter based on process, at least to a certain
    level. 
    
    Quoted from the Linux 2.4 Packet Filtering HOWTO:
    
    owner
        
        This module attempts to match various characteristics of the packet
        creator, for locally-generated packets. It is only valid in the
        OUTPUT chain, and even then some packets (such as ICMP ping
        responses) may have no owner, and hence never match.
        
        --uid-owner userid
            Matches if the packet was created by a process with the given
            effective (numerical) user id.
    
        --gid-owner groupid
            Matches if the packet was created by a process with the given
            effective (numerical) group id.
    
        --pid-owner processid
            Matches if the packet was created by a process with the given
            process id.
    
        --sid-owner sessionid
            Matches if the packet was created by a process in the given
            session group.
    
    http://www.linuxsecurity.com/resource_files/firewalls/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html
    
    Shane
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
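The HOWTO excerpt above describes the owner match in the OUTPUT chain; the script below is an added example (not from the list post or the HOWTO) that turns it into a concrete policy: only one numerical UID may open outbound connections to one TCP port, every other local process gets logged and rejected, and the ownerless packets the HOWTO warns about (kernel-generated ICMP echo replies) are accepted explicitly so they are not caught by the catch-all. The UID 1001, port 25 and chain name OWNER_OUT are constructed values; only --uid-owner and --gid-owner survive in later kernels (--pid-owner and --sid-owner were removed in 2.6.14), so the rules stick to the UID match.

```shell
#!/bin/sh
# Added example: generate iptables rules that guard one outbound TCP port by
# the effective UID of the sending process (-m owner, OUTPUT chain only).
# Arguments: $1 = numerical UID allowed to send, $2 = destination TCP port.
# The rules are printed, not applied; pipe them to sh as root to load them.
build_owner_rules() {
    uid="$1"    # constructed sample value: 1001
    port="$2"   # constructed sample value: 25
    chain="OWNER_OUT"   # constructed user-defined chain name
    cat <<EOF
# Ownerless packets never match -m owner; accept the ones we expect
# (ICMP echo replies generated in the kernel) before the owner rules.
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Send only traffic to the guarded port through the owner check.
iptables -N $chain
iptables -A OUTPUT -p tcp --dport $port -j $chain
# The allowed UID passes; everything else is rate-limit logged and reset.
iptables -A $chain -m owner --uid-owner $uid -j ACCEPT
iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix "owner-deny: "
iptables -A $chain -j REJECT --reject-with tcp-reset
EOF
}

# Usage: build_owner_rules 1001 25          (review)
#        build_owner_rules 1001 25 | sh     (apply, as root)
```

The LOG rule gives the bottom-half decision a process-level audit trail in the kernel log, which is the closest the 2.4 firewall code gets to the per-process context Chris is asking for.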
    