On Sat, December 17, 2005 3:12 pm, Callum Lerwick said:
> Actually, when you're talking about processes on the local machine,
> firewall rules are a totally hackish way of going about this.
>
> What you want to do is have some kind of local ACL that says what
> processes and users can bind to what ports. This would solve a whole
> mess of security problems. (Look around, a great many server daemons
> have to be started as root, for the mere fact they want to bind to ports
> <1024.) Instead of firewalling, make the kernel disallow processes from
> even binding listen ports at all in the first place.

Yes, I believe ports are given a security context as well, although I
don't know how fine-grained it is or if you still have to deal with
iptables rules in addition.

Sean

> I know back when I was playing with grsecurity years ago, it had a
> feature like this. It had group-based access control, you could set up a
> certain group and say "This group can not bind listen ports" and even
> "This group can't make outgoing connections" too. Or you could turn it
> around and say "Only this group can bind to ports" etc.
>
> It had some weird side effects though. IIRC various things wanted to
> bind to loopback...

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
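The "security context on a port" mentioned above is SELinux port labeling: each TCP/UDP port (or port range) carries a type such as `http_port_t`, and policy rules decide which process domain may `name_bind` to that type, independently of the user being root. It is an access-control label, not packet filtering, so iptables still governs remote traffic. The following is an added example, not code from the thread or from the SELinux project: a small parser for the table that `semanage port -l` prints, run over a constructed sample of that output, which lets you check how fine-grained the labels are (per port and protocol, with ranges such as `reserved_port_t` for 1-511). The sample data and the narrowest-first ordering in `port_types` are the example's own choices; the kernel resolves a port's label from the policy's ordered `portcon` statements, which the `semanage` listing does not show.

```python
"""Lookup helper for SELinux port labels (added example, not from the thread).

Parses the table format printed by `semanage port -l` and answers "which
SELinux port type does TCP/UDP port N carry?". The policy then decides which
process domain may name_bind to that type; the labels are not packet filters.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `semanage port -l` output (trimmed). Real output on a
# given host differs; only the column layout matters to the parser.
SAMPLE_SEMANAGE_OUTPUT = """\
SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53, 853
dns_port_t                     udp      53, 853
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
reserved_port_t                udp      1-511
ssh_port_t                     tcp      22
"""

PortRange = Tuple[int, int]
PortTable = Dict[str, List[Tuple[str, PortRange]]]  # proto -> [(type, (lo, hi))]


def parse_semanage_ports(text: str) -> PortTable:
    """Parse `semanage port -l` style output into {proto: [(type, (lo, hi)), ...]}."""
    table: PortTable = {"tcp": [], "udp": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux Port Type"):
            continue  # blank line or the header row
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"unexpected line: {line!r}")
        port_type, proto, ports = fields
        proto = proto.lower()
        if proto not in table:
            raise ValueError(f"unknown protocol {proto!r} in: {line!r}")
        # The third column is a comma-separated list of ports and lo-hi ranges.
        for token in ports.split(","):
            token = token.strip()
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
            if not m:
                raise ValueError(f"bad port token {token!r} in: {line!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if not (0 < lo <= hi <= 65535):
                raise ValueError(f"port out of range: {token!r}")
            table[proto].append((port_type, (lo, hi)))
    return table


def port_types(table: PortTable, proto: str, port: int) -> List[str]:
    """Return every port type whose definition covers (proto, port).

    Narrowest range first. This ordering is a readability choice for the
    example (assumption); the kernel resolves a port's label from the policy's
    ordered portcon statements, which `semanage port -l` does not display.
    """
    matches = [(hi - lo, t) for t, (lo, hi) in table.get(proto.lower(), [])
               if lo <= port <= hi]
    return [t for _, t in sorted(matches)]


def is_reserved_only(table: PortTable, proto: str, port: int) -> bool:
    """True when a low port carries no label beyond the generic reserved range.

    A daemon confined to a domain that may only name_bind to its own port type
    cannot use such a port, even if the port is free and the process is root.
    """
    return port_types(table, proto, port) == ["reserved_port_t"]


if __name__ == "__main__":
    tbl = parse_semanage_ports(SAMPLE_SEMANAGE_OUTPUT)
    for proto, port in (("tcp", 22), ("tcp", 8443), ("udp", 53),
                        ("tcp", 100), ("tcp", 8080)):
        labels = port_types(tbl, proto, port) or ["(no entry in sample)"]
        print(f"{proto}/{port}: {', '.join(labels)}")
```

On a real host, feed the script the output of `semanage port -l` instead of the sample; a port that resolves only to `reserved_port_t` (or to nothing) is one a confined daemon will be denied at `bind()` even as root, which is the kernel-side check the thread is asking for, while `iptables` remains responsible for what reaches the port from the network.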