TCP connections restricted to specific users


 



Suppose I have a cluster of machines, running an application. The application opens up TCP connections to other machines, without any form of authentication.

If nothing else is running on these machines, it is possible to use iptables, perhaps in combination with IPsec, to prevent misuse of these services.

If there are other services running on the cluster nodes which are supposed to have different privileges, what are my options to preserve this distinction in privileges? If those other services can connect to the TCP port used by the clustered application, it's possible that the (supposedly unprivileged) service takes over the cluster. Would iptables owner match work here? Is there some way to pass on user information with IPsec?

--
Florian Weimer / Red Hat Product Security Team
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




