Firewall and user services that needs open ports
yersinia
yersinia.spiros at gmail.com
Mon Jun 23 15:48:02 UTC 2008
The MLS SELinux policy goes beyond an "everything is a file" ACL and offers
much more protection, at the expense of some complexity:
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19
Also, James Morris has posted some useful documentation on the subject in his blog.
Regards
On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> Callum Lerwick wrote:
>
>>
>>
>> Why do we need a firewall when you can easily prevent services from
>> being accessed...just stop the service! Don't bind to the port, and
>> it won't be possible to connect to it.
>>
>>
>> Yes, the correct thing to do for local security is use something like
>> selinux to prevent things from binding to interfaces/ports they shouldn't be
>> binding to in the first place.
>>
>
> But what you usually want to control are the ranges of source/destination
> addresses that are permitted.
>
>> Using iptables for this is a completely unsustainable hack. iptables
>> firewalling is for machines that route packets to other machines.
>>
>
> Unsustainable? But it is what you need to do, not kill functionality
> completely.
>
>> Unfortunately for some reason network devices are exempt from the
>> "everything is a file" architecture thus don't receive the benefit of the
>> pre-existing filesystem access control architecture.
>>
>
> Yes, this seems like a bizarre design decision in Linux but realistically,
> everything needs network access to be useful at all these days and what you
> need to control is where on the network something can/can't connect.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>