On Fri 26/09/2003 at 02:19, Daniel Chemko wrote:
> I had a thought about this, and I see a lot of work taking this
> approach.
>
> How about this:
>
> Write a jump target that applies only inside the filter table, since the
> first revision would just implement filtering control.
>
> The module itself would be initialized by a userspace tool by adding
> rules. An example would be:
>
> iptables -I INPUT -m expire --expire-condition timer=6000 --expire-id
> 12123124325 --source 192.168.1.1/24 -j ACCEPT
> iptables -I OUTPUT -m expire --expire-condition timer=6000 --expire-id
> 12123124326 --destination 192.168.1.1/24 -j ACCEPT

Great, but have you any idea of the induced overload? (I've never worked with dynamic rules.)

> - The CONNTRACK entries for the allowed sessions are not dropped. Once
> again, it would be nice if the jump module could clean up the CONNTRACK
> entry.
> My humble suggestion would be that this should be handled in the
> stateful connection tracking - If a session is authenticated and certain
> connections allowing different chains to be traversed based on the mark found.

From my point of view this is a good idea for a single-user machine. But I think this approach is far too restrictive and too insecure.

First, lots of people use "terminal servers" (X remote server, rdesktop, Citrix, ...), so you've got different people coming from the same IP who should have dissociated IPs. In such a case, the permissions of these users are the sum of the permissions of all users. It's really insecure.

Second, you encounter a harsh limitation with full multiuser servers. It's a nice security feature to be able to say, for example:
- The Clamav daemon can connect directly to sites providing antivirus pattern updates
- Other users can't go directly out by HTTP.

It's a small example taken from my test environment of NuFW, but I think it shows what can be done.

BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)
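The "sum of permissions" problem raised in the reply above can be made concrete with a small model. The following Python script is an added illustration written for this page; it is not code from the thread, from the proposed expire match, or from NuFW. It models a filter table of timer-expired ACCEPT rules keyed on a source network (as in the quoted iptables lines) and compares it with the same rules keyed additionally on an authenticated user. The user names, the terminal-server address 192.168.1.10, the ports and the timer values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class ExpiringRule:
    expire_id: int                      # plays the role of --expire-id in the proposal
    network: ipaddress.IPv4Network      # plays the role of --source a.b.c.d/n
    ports: FrozenSet[int]               # destination ports this rule accepts
    expires_at: float                   # absolute time (seconds) at which the rule is removed
    user: Optional[str] = None          # None = IP-keyed rule; set = rule also bound to a user


class DynamicFilter:
    """Minimal model of a filter table holding rules with an expiry timer (constructed)."""

    def __init__(self) -> None:
        self.rules: Dict[int, ExpiringRule] = {}

    def insert(self, rule: ExpiringRule) -> None:
        self.rules[rule.expire_id] = rule

    def expire(self, now: float) -> List[int]:
        """Remove every rule whose timer has run out; return the removed rule ids."""
        gone = [rid for rid, r in self.rules.items() if r.expires_at <= now]
        for rid in gone:
            del self.rules[rid]
        return gone

    def decide(self, src: str, dport: int, now: float, user: Optional[str] = None) -> str:
        """Verdict for one packet: first matching live rule accepts, otherwise default DROP."""
        self.expire(now)
        addr = ipaddress.IPv4Address(src)
        for r in self.rules.values():
            if addr in r.network and dport in r.ports and (r.user is None or r.user == user):
                return ACCEPT
        return DROP


def terminal_server_scenario(user_aware: bool) -> Dict[str, str]:
    """Two users (constructed: alice, bob) share one terminal server at 192.168.1.10.
    alice was granted HTTP (80), bob was granted SSH (22), both for 600 seconds.
    With user_aware=False the rules are keyed on the address only, as in the
    quoted proposal; with user_aware=True each rule is also bound to its user."""
    f = DynamicFilter()
    host = ipaddress.IPv4Network("192.168.1.10/32")
    t0 = 1000.0
    f.insert(ExpiringRule(1, host, frozenset({80}), t0 + 600,
                          user="alice" if user_aware else None))
    f.insert(ExpiringRule(2, host, frozenset({22}), t0 + 600,
                          user="bob" if user_aware else None))
    return {
        "alice->80": f.decide("192.168.1.10", 80, t0 + 1, user="alice"),
        "bob->80": f.decide("192.168.1.10", 80, t0 + 1, user="bob"),
        "bob->22": f.decide("192.168.1.10", 22, t0 + 1, user="bob"),
        "alice->80 after timer": f.decide("192.168.1.10", 80, t0 + 601, user="alice"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("user-aware" if mode else "IP-keyed", terminal_server_scenario(mode))
```

With IP-keyed rules, bob reaches port 80 although only alice was granted it: the shared address makes every user's grant apply to all of them until the timers expire. Binding each rule to the authenticated user keeps the two grants separate, which is the property the reply argues a purely IP-based dynamic rule cannot provide.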