On Wednesday 2005-August-10 07:18, Lists wrote:
> Would it be possible to somehow disable changing iptables rules from
> scripts and enable changing only from config file, which loading
> would be protected by special password defined in kernel? Or even
And what process is going to read that config file? A kernel driver?
Sure, you can write kernel-space software to do things like this, but
the reasoning behind it is not clear to me. I'd think the chances of
inclusion in the mainstream kernel are close to zero.
> better, your could preset iptables rules in kernel. That rules would
> be unchangeable.
Is that good? BTW you can accomplish the same thing with an old 80386
and /sbin/halt ... the machine keeps passing packets after the OS
stops. I used to have a 386 firewall machine which died with a hard
drive crash. I left it running 3-4 weeks thereafter, until I needed to
make changes in the firewall rules.
> I think this would improve Linux firewall security on systems with
> complex and tight rules.
Complex rules often need care and attention. What is the threat model
addressed by such a change? If someone hostile gets root on your
machine, you're in trouble. Besides, I think SELinux presents a more
comprehensive and well-considered approach to that possibility.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
