On Wed, Apr 20, 2005 at 12:49:15PM +0200, Anders Fugmann wrote:
> Hi,
>
> I would like to request a very simple feature: The possibility to lock
> all iptable rules in the kernel, making them immutable.
>
> This would be usefull on machines which act both as a firewall and as a
> server. The problem today if an unwanted guest manages to break into the
> machine running the firewall and becomes root, the person can easilly
> change the rules, compromising the network guarded by the hacked
> firewall.
>
> If it was somehow possible to lock the rules once setup, the attacker
> would be unable to modify the rules, the network guarded by the firewall
> would not (pending on how the firewall was setup) not be compromised,
> even if an attacker gained access to the firewall itself.
i'm guessing you're thinking about how the *BSD's have a concept of
kern.securelevel, and certain things (like firewall rules) become
immutable; even by root, at certain levels.
i'm not a kernel programmer, but i can tell you that the linux kernel
doesn't have anything like kern.securelevel; and without it, i don't
believe what you're asking for is possible. i'd also figure that
implementing kern.securelevel in the linux kernel would be beyond the
scope of what the netfilter developers are responsible for.
-j
--
"Stewie: Careful! You're washing a baby's scalp, not scrubbing
the vomit out of a Christmas dress, you stupid holiday drunk."
--Family Guy
