Firewall and user services that needs open ports

[Nicolas Mailhot]

Le Lun 23 juin 2008 08:37, Callum Lerwick a écrit :

> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be
> binding to in the first place. Using iptables for this is a completely
> unsustainable hack. iptables firewalling is for machines that route
> packets to other machines.

Iptables is actually wonderfully simple and transparent to normal
users, unlike apps that do black magic using a system bus one can't
inspect, a registry system full of rotten undocumented keys, and
massive use of bandaids (PA startup I'm thinking about you).

You'll take iptables out of my system the day I can easily check the
spaguetti pile userspace is those days is not misbehaving. And no
current selinux is not an "easy to inspect" system.

-- 
Nicolas Mailhot