On Wed, 27 Feb 2008 07:43:20 -0800 Phil Oester <kernel@xxxxxxxxxxxx> wrote:

> On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
> > Phil Oester wrote:
> > > I really don't think this is a good idea. We allow non-root users
> > > on some of our firewalls, and I don't want them to see the ruleset.
> > > Also, it helps miscreants to better pick their targets if they
> > > know in advance which ports are open.
> >
> > They could also find out about this simply by probing ports ...
>
> And assuming a /16 with 65K ports, that would take a bit longer than
> the few seconds it takes to dump the ruleset. Why make it easier
> than it has to be?
>
> > > If making this change, *please* consider making it configurable,
> > > with the default being NO access.
> >
> > No, in that case I prefer to keep it restricted to root
> > unconditionally. Using sudo to get the rules is no big
> > deal I guess.
>

Well, in our case of router administration, the risk of allowing an operator sudo access to iptables is higher than the risk of exposing ports to wankers.

This is a special purpose distribution, so we will allow it; how about a config option or sysctl?

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
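The sudo alternative raised above ("using sudo to get the rules") and the objection to it (sudo access to iptables is more than read access) can be made concrete in sudoers. The following is an added example and is not part of the thread or of any netfilter or distribution code; the user name `operator` and the binary paths are assumptions, and the three entries are alternatives to compare, not a file to install as a whole.

```sudoers
# Added example (not from the thread). Assumed user "operator" and assumed
# binary paths; only one of the three entries would be used in practice.

# 1. Broad grant, the form "sudo access to iptables" usually takes. The
#    operator can dump the ruleset, but can also add, flush or replace rules.
operator ALL=(root) NOPASSWD: /sbin/iptables, /sbin/iptables-save, /sbin/iptables-restore

# 2. Narrowed to listing, but still not read-only. In sudoers a "*" in the
#    argument list matches across whitespace, so any trailing arguments are
#    accepted, and iptables allows -Z together with -L: "sudo iptables -L -Z"
#    would zero every packet and byte counter.
operator ALL=(root) NOPASSWD: /sbin/iptables -L *

# 3. Read-only. The empty string "" means the command may only be run with
#    no arguments at all; iptables-save with no arguments dumps the complete
#    ruleset of every table and has no way to change it.
operator ALL=(root) NOPASSWD: /sbin/iptables-save ""
```

Entry 3 gives an operator exactly what the proposed change would expose to non-root users, a dump of the rules, while leaving modification to root; entry 1 is the grant the message objects to. Check a candidate entry with `sudo -l -U operator` before relying on it, and prefer exact argument strings over wildcards for anything that can mutate state.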