On 04/28/2014 12:42 PM, David Woodhouse wrote:
> Actually, I think the best way to fix this is with SELinux, rather than iptables. Why go for an overly complex solution where authorised processes have to prod a firewall dæmon to change the iptables configuration, when the kernel has a perfectly good "firewall" built in as a fundamental part of the IP stack? Send a TCP SYN to a port which nobody's listening on, and you'll get a TCP RST back. Send a UDP packet to a closed port, and you'll get an ICMP 'port unreachable' back. No need for iptables at all. All you need to do, if you really want to control incoming connections, is use SELinux to limit who can bind() and listen() to certain ports.
Can we make this stick for the unconfined_t user as well? How can system administrators configure exceptions? What about developers who need to bind to various ports, e.g. while running test suites? Will it be as straightforward as with firewalld?
An explicit failure on bind() might actually give us better error reporting (especially if the EPERM details idea is implemented). I like the SELinux idea.
-- 
Florian Weimer / Red Hat Product Security Team

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
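As an added illustration (not code from either mail), the kernel behaviour David describes, and the explicit bind() failure Florian prefers, can be observed from userspace on Linux: a SYN to a port with no listener comes back as a RST (ECONNREFUSED), a datagram to a closed UDP port triggers an ICMP port unreachable that a connected UDP socket reports on its next recv(), and a bind() blocked by a MAC policy such as SELinux, or by a missing CAP_NET_BIND_SERVICE, fails loudly with EACCES/EPERM instead of being silently dropped by a filter. The helper names are mine and the code assumes a working loopback interface.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"

def free_port(udp: bool = False) -> int:
    """Ask the kernel for an unused port and release it, so nothing is listening there."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]

def probe_closed_tcp(port: int, timeout: float = 2.0) -> str:
    """SYN to a port with no listener: the IP stack answers RST -> ECONNREFUSED.
    No answer at all means a packet filter dropped the SYN (the iptables case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK, port))
            return "connected"      # something was listening after all
        except ConnectionRefusedError:
            return "refused"        # TCP RST received
        except socket.timeout:
            return "filtered"       # silently dropped

def probe_closed_udp(port: int, timeout: float = 2.0) -> str:
    """Datagram to a closed UDP port: the kernel replies ICMP port unreachable, which a
    *connected* UDP socket surfaces as ECONNREFUSED on the next recv()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))
        s.send(b"probe")
        try:
            s.recv(1)
            return "answered"
        except ConnectionRefusedError:
            return "unreachable"    # ICMP port unreachable delivered
        except socket.timeout:
            return "filtered"

def try_bind(port: int) -> str:
    """bind() and report the exact errno: a denied bind (SELinux, or a privileged port
    without CAP_NET_BIND_SERVICE) is EACCES/EPERM; a taken port is EADDRINUSE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((LOOPBACK, port))
            return "bound"
        except PermissionError as e:
            return f"denied ({errno.errorcode[e.errno]})"
        except OSError as e:
            return f"failed ({errno.errorcode[e.errno]})"

if __name__ == "__main__":
    p = free_port()
    print(f"tcp/{p}: {probe_closed_tcp(p)}  udp: {probe_closed_udp(free_port(udp=True))}  bind: {try_bind(p)}")
```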