On Fri 07/02/2003 at 02:44, Kelly Setzer wrote:
> We are in the process of implementing a firewall based on iptables.
> Our basic implementation is laid out, and now we are searching for
> every scrap that might improve security. One thing I'd like is the
> ability to "lock" the iptables configuration so that no further
> changes can be made (without rebooting).

See LIDS: http://www.lids.org/

Things such as CAP_NET_ADMIN should do the trick. Consider also CAP_NET_RAW to prevent someone from injecting layer 2 stuff under the firewalling process.

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
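As an added illustration of the capability approach the reply suggests (not code from the thread or from LIDS): on current Linux kernels the per-process capability bounding set plays the role LIDS' global capability bound did in 2003. Dropping CAP_NET_ADMIN and CAP_NET_RAW from the bounding set means neither this process nor anything it later execs can modify netfilter rules or open raw sockets, and the set can only shrink, so the lock holds until the process tree is gone. The drop itself needs CAP_SETPCAP (root); reading the set does not.

```c
/* Added example: lock the firewall by removing the two capabilities
 * named in the reply from the capability bounding set. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if `cap` is still in the bounding set, 0 once it has been dropped. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove one capability from the bounding set. Returns 0 on success,
 * otherwise the errno (EPERM when the caller lacks CAP_SETPCAP). */
int drop_cap_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* Drop CAP_NET_ADMIN (rule changes) and CAP_NET_RAW (raw/layer 2
 * sockets). Returns 0 on success, otherwise the first errno seen.
 * The bounding set can never grow again, so the drop is permanent
 * for this process and all of its descendants. */
int lock_netfilter_caps(void)
{
    int rc = drop_cap_from_bounding_set(CAP_NET_ADMIN);
    if (rc != 0)
        return rc;
    return drop_cap_from_bounding_set(CAP_NET_RAW);
}

int main(void)
{
    int rc = lock_netfilter_caps();
    if (rc != 0)
        fprintf(stderr, "drop failed: %s (needs CAP_SETPCAP)\n", strerror(rc));
    printf("CAP_NET_ADMIN in bounding set: %d\n", cap_in_bounding_set(CAP_NET_ADMIN));
    printf("CAP_NET_RAW   in bounding set: %d\n", cap_in_bounding_set(CAP_NET_RAW));
    return rc == 0 ? 0 : 1;
}
```

Run it as root once the rules are loaded and before exec'ing the long-running firewall management process; after that, `iptables` invoked from that process tree fails with a permission error even as uid 0.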