Re: block network access for certain users/groups

Ref: http://marc.info/?l=netfilter&m=128043201731932&w=2

On Thursday 2010-07-29 21:33, Lars Nooden wrote:
> On 7/29/10 10:09 PM, Elmar Stellnberger wrote:
>> iptables -A mychain -m owner --gid-owner blockedusergroup -j DROP
>
> For starters, consider using the REJECT target instead of DROP if for no other
> reason than that it will make your engineering easier:
>
> 	http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

That page - especially the summary - is leaving out one essential feature that
Gáspar already mentioned in another thread: the CHAOS target from
Xtables-addons.

It is hard to press its behavior into the three rows
"application connects to non-existent service" / "naïve network scanning" /
"specialist program", but the behavior can be summed up as:

1. Connect: With an x% (tunable) chance, failure is reported promptly to the
   user/scanner. (This is to elicit point 2.)
2. Scanning many ports will be slow/expensive. (nmap)
3. SYN scans produce nonsensical results. (nmap)

> 	http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

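The DROP-versus-REJECT choice the thread argues about, written out as a complete egress ruleset for the owner match. This is an added example, not code from the thread or from Xtables-addons: the group name `blockedusergroup` and the chain name `mychain` are taken from the quoted rule, while the `egress_rules` function, its `MODE` argument and the LOG rule are this example's own. It sticks to the stock REJECT and DROP targets; the CHAOS target needs Xtables-addons and is not generated here.

```shell
#!/bin/sh
# Added example (not from the thread): emit an egress-blocking ruleset for one
# Unix group in iptables-restore format. "blockedusergroup" and "mychain" come
# from the thread; the function name and the MODE argument are assumptions of
# this example.
#
# The owner match only sees locally generated packets, so the jump must live in
# the OUTPUT chain; it cannot match traffic the box merely forwards.

# egress_rules GROUP [MODE]
#   MODE=drop    discard silently; the blocked program hangs until its own timeout
#   MODE=reject  (default) answer with a TCP RST or an ICMP admin-prohibited
#                message, so the program fails at once and the log says why
egress_rules() {
    group="$1"
    mode="${2:-reject}"
    case "$mode" in
        drop|reject) ;;
        *) echo "egress_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter'
    printf '%s\n' ':mychain - [0:0]'
    # Only packets created by processes running under this group id enter mychain.
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $group -j mychain"
    # Keep loopback working so local IPC over 127.0.0.1 (resolver, D-Bus, X) survives.
    printf '%s\n' '-A mychain -o lo -j ACCEPT'
    # Log (rate-limited) before acting, so the block is visible to the operator.
    printf '%s\n' '-A mychain -m limit --limit 5/min -j LOG --log-prefix "egress-block: "'
    if [ "$mode" = reject ]; then
        # TCP gets a RST, everything else an ICMP administratively-prohibited reply.
        printf '%s\n' '-A mychain -p tcp -j REJECT --reject-with tcp-reset'
        printf '%s\n' '-A mychain -j REJECT --reject-with icmp-admin-prohibited'
    else
        printf '%s\n' '-A mychain -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}

# When run directly, print the ruleset for the given group and mode. Apply with:
#   egress_rules blockedusergroup reject | iptables-restore --test   # parse only
#   egress_rules blockedusergroup reject | iptables-restore          # load
if [ $# -gt 0 ]; then
    egress_rules "$@"
fi
```

Running the output through `iptables-restore --test` first catches syntax errors without touching the live tables; the `-o lo` accept rule is the one most people forget, and without it the owner-matched group loses local services as well as the network.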

