lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 10 Jan 2014 11:58:09 -0800 (PST)
From:	David Lang <david@...g.hm>
To:	Victor Porton <porton@...od.ru>
cc:	selinux@...ho.nsa.gov, linux-kernel@...r.kernel.org
Subject: Re: Create new NetFilter table

On Fri, 10 Jan 2014, Victor Porton wrote:

> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.

I would disagree with this idea.

If you make one special table, why would you not want others?

You would then need to define all the conditions where this table is used 
instead of, or in addition to, the existing tables.

Yes admins can shoot themselves in the foot with iptables, and any admin who 
flushes rules without understanding what is affected will probably be causing 
significant problems anyway.

Rather than doing this, have the tools that are programmatically creating rules 
also maintain a file that can be used to recreate all those rules. Then the 
Admins or init scripts can recreate things easily.

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ