On Mon, Feb 25, 2008 at 09:49:51AM -0800, Stephen Hemminger wrote:

> Is there any strong reason why checking the status of iptables is restricted?

It was ages ago that this question last came up. I believe it was the general consensus at the time that allowing anyone to read the packet filter policy can be considered an information leak.

It's not only the policy information, but also quite extensive (and depending on the ruleset, detailed) statistics about the amount of packets / bytes from/to a particular machine/service/... - information that can be much more valuable than the generally readable per-interface packet/byte counters.

Now yes, it may be arguable whether you should have regular user accounts on your firewall at all. However, especially in the case of co-located servers with no dedicated firewall in front (i.e. just local INPUT/OUTPUT rules), you don't have much of a choice but to have local users.

Should they be able to obtain this detailed information? I think better not. There's no real reason for them to know this.

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie