The MLS Selinux policy go beyond a "everything a file" acl and offer much more protection, at the expense di some complexity <a href="http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19">http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19</a> Also james morris had post some useful docu on the subject in his blog. Regards <div class="gmail_quote">On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <<a href="mailto:lesmikesell@gmail.com">lesmikesell@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Callum Lerwick wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Why do we need a firewall when you can easily prevent services from being accessed...just stop the service! Don't bind to the port, and it won't be possible to connect to it. Yes, the correct thing to do for local security is use something like selinux to prevent things from binding to interfaces/ports they shouldn't be binding to in the first place. </blockquote> But what you usually want to control are the ranges of source/destination addresses that are permitted. <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Using iptables for this is a completely unsustainable hack. iptables firewalling is for machines that route packets to other machines. </blockquote> Unsustainable? But it is what you need to do, not kill functionality completely. <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Unfortunately for some reason network devices are exempt from the "everything is a file" architecture thus don't recieve the benefit of the pre-existing filesystem access control architecture. </blockquote> Yes, this seems like a bizarre design decision in Linux but realistically, everything needs network access to be useful at all these days and what you need to control is where on the network something can/can't connect. -- Les Mikesell <a href="mailto:lesmikesell@gmail.com" target="_blank">lesmikesell@gmail.com</a> -- fedora-devel-list mailing list <a href="mailto:fedora-devel-list@redhat.com" target="_blank">fedora-devel-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/fedora-devel-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-devel-list</a> </blockquote></div>