Stephen Hemminger wrote:
On Wed, 27 Feb 2008 07:43:20 -0800
Phil Oester <kernel@xxxxxxxxxxxx> wrote:
On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
Phil Oester wrote:
I really don't think this is a good idea. We allow non-root users
on some of our firewalls, and I don't want them to see the ruleset.
Also, it helps miscreants to better pick their targets, if they
know in advance which ports are opened.
They could also find out about this simply by probing ports ...
And assuming a /16 with 65K ports, that would take a bit longer than
the few seconds it takes to dump the ruleset. Why make it easier
than it has to be?
If making this change, *please* consider making it configurable,
with the default being NO access.
No, in that case I prefer to keep it restricted to root
unconditionally. Using sudo to get the rules is no big
deal I guess.
Well in our case of router administration the risk of allowing an operator
sudo access to iptables is higher than the risk of exposing ports to wankers.
This is a special purpose distribution, so we will allow it, how about
a config option or sysctl?
I don't like having things like this controlled through config
options or sysctls. I'd take a patch, but I'd prefer not to.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
