On Wednesday 2005-August-10 07:18, Lists wrote:
> Would it be possible to somehow disable changing iptables rules from
> scripts and enable changing only from a config file, whose loading
> would be protected by a special password defined in the kernel? Or even

And what process is going to read that config file? A kernel driver?
Sure, you can write kernel-space software to do things like this, but
the reasoning behind it is not clear to me. I'd think the chances of
inclusion in the mainstream kernel are close to zero.

> better, you could preset iptables rules in the kernel. Those rules would
> be unchangeable. Is that good?

BTW you can accomplish the same thing with an old 80386 and /sbin/halt
... the machine keeps passing packets after the OS stops. I used to
have a 386 firewall machine which died with a hard drive crash. I left
it running 3-4 weeks thereafter, until I needed to make changes in the
firewall rules.

> I think this would improve Linux firewall security on systems with
> complex and tight rules.

Complex rules often need care and attention. What is the threat model
addressed by such a change? If someone hostile gets root on your
machine, you're in trouble. Besides, I think SELinux presents a more
comprehensive and well-considered approach to that possibility.

-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header