Firewall and user services that need open ports

yersinia yersinia.spiros at gmail.com
Mon Jun 23 15:48:02 UTC 2008


The MLS SELinux policy goes beyond an "everything is a file" ACL and offers
much more protection, at the expense of some complexity.

http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19

Also, James Morris has posted some useful docs on the subject in his blog.

Regards

On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> Callum Lerwick wrote:
>
>>    Why do we need a firewall when you can easily prevent services from
>>    being accessed...just stop the service!  Don't bind to the port, and
>>    it won't be possible to connect to it.
>>
>> Yes, the correct thing to do for local security is use something like
>> selinux to prevent things from binding to interfaces/ports they shouldn't be
>> binding to in the first place.
>
> But what you usually want to control are the ranges of source/destination
> addresses that are permitted.
>
>> Using iptables for this is a completely unsustainable hack. iptables
>> firewalling is for machines that route packets to other machines.
>
> Unsustainable?  But it is what you need to do, not kill functionality
> completely.
>
>> Unfortunately for some reason network devices are exempt from the
>> "everything is a file" architecture thus don't receive the benefit of the
>> pre-existing filesystem access control architecture.
>
> Yes, this seems like a bizarre design decision in Linux but realistically,
> everything needs network access to be useful at all these days and what you
> need to control is where on the network something can/can't connect.
>
> --
>  Les Mikesell
>   lesmikesell at gmail.com
>
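
As an added example (not code from this thread, nor Fedora's own policy), the two controls the quoted exchange contrasts, side by side: a refpolicy-style SELinux module that lets a hypothetical daemon bind only its own labelled TCP port (Callum's point), plus the iptables rules that limit which source range may reach that port (Les's point). The daemon name webapp, port 8765, the path /usr/local/sbin/webapp and the 192.0.2.0/24 client range are assumptions.

```shell
# Constructed example: confine a hypothetical daemon "webapp" so that
# SELinux lets it bind only its own labelled TCP port, then let iptables
# restrict which source addresses may reach that port.
set -eu

WEBAPP_PORT=8765          # assumed free port (8080 is already http_cache_port_t)
ALLOWED_NET=192.0.2.0/24  # documentation range standing in for trusted clients

# Write the refpolicy-style type enforcement module to the given path.
write_policy() {
    cat > "$1" <<'EOF'
policy_module(webapp, 1.0.0)

# Domain for the running daemon and the label of its executable
type webapp_t;
type webapp_exec_t;
init_daemon_domain(webapp_t, webapp_exec_t)

# A port type of our own; the port number is attached with semanage
type webapp_port_t;
corenet_port(webapp_port_t)

# Create/listen on TCP sockets on any local node address
allow webapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(webapp_t)

# The only port the domain may bind is its own type; a bind() to 80, 22
# or any port outside that type fails with EACCES and is logged as an AVC.
allow webapp_t webapp_port_t:tcp_socket name_bind;
EOF
}

# Build with the selinux-policy-devel Makefile (expands the refpolicy
# macros), load it, attach the port number and label the binary. Root only.
install_policy() {
    write_policy webapp.te
    make -f /usr/share/selinux/devel/Makefile webapp.pp
    semodule -i webapp.pp
    semanage port -a -t webapp_port_t -p tcp "$WEBAPP_PORT"
    semanage fcontext -a -t webapp_exec_t /usr/local/sbin/webapp
    restorecon -v /usr/local/sbin/webapp
}

# SELinux decides whether the daemon may own the port; iptables decides
# who on the network may reach it: trusted range first, then default drop.
restrict_clients() {
    iptables -A INPUT -p tcp --dport "$WEBAPP_PORT" -s "$ALLOWED_NET" -j ACCEPT
    iptables -A INPUT -p tcp --dport "$WEBAPP_PORT" -j DROP
}
```

With the module loaded, a webapp_t process that tries to bind a port of another type gets EACCES and an AVC denial in the audit log, which is the local-binding control; the iptables pair is what limits the remote address range.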