Re: restrict implicit binding to addresses



David Schwartz wrote:

> Normally this would be done by a firewall. Why is iptables not
> the answer?

Well, iptables will do the job, it just _must_ be configured
correctly.

The human factor is the problem: The system will be run mostly by
students, who don't care about such things. The important thing
is that their simulation programs (running on the cluster in
one of the private networks) do their job. And on the data hub
they can install their own daemons for data selection and
proxying. A security nightmare, those programs won't be checked
for exploits and similar stuff. The problem is that the data
hub also needs a reasonably fast connection to the local backbone
(Münchner Wissenschaftsnetz), either to transfer the data to the
supercomputer in the LRZ, the group sometimes gets computing time
on it, or to feed a grid.

> You need to configure allowed and un-allowed services,
> obviously, so why not do it in the iptables? You can do it by
> user, by port, or by any other method iptables allows.

Tonight I figured I could filter for a program's pid, gid and
command line for outgoing packets. Then put a small helper
program around the daemon that opens the firewall for the
programs that are started by it. Hmm, thinking about it, I could
also ptrace for bind and open the ports in iptables on demand
(think about protocols that are as brain dead as FTP...).

Wolfgang Draxinger
--
E-Mail address works, Jabber: hexarith@xxxxxxxxxx, ICQ: 134682867
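An added example, not part of Wolfgang's post or David's reply, of the owner-match approach discussed above: an OUTPUT-chain policy for the data hub that lets only processes running under a dedicated transfer group initiate connections toward the backbone, while logging and dropping everything else. The interface name eth1, the group gridxfer and the network 10.0.0.0/8 are assumptions. One caveat for anyone trying this today: of the owner match's selectors, only the uid/gid variants (--uid-owner, --gid-owner) exist on current kernels; the pid and command-line variants mentioned in the thread were removed from the kernel long ago, so grouping daemons by uid/gid is the practical way to do this.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict which processes on
# the data hub may open outbound connections to the backbone, using the
# iptables owner match on the socket's group id. Interface, group and network
# below are assumptions; adjust them to the real deployment.

emit_output_rules() {
    iface="$1"   # interface facing the backbone (assumed: eth1)
    group="$2"   # group whose processes may initiate connections (assumed)
    net="$3"     # backbone network in CIDR form (assumed)

    cat <<EOF
iptables -N HUB_OUT
iptables -A OUTPUT -o $iface -d $net -j HUB_OUT
# replies to connections that were accepted inbound are not subject to owner checks
iptables -A HUB_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only sockets owned by the transfer group may open new connections
iptables -A HUB_OUT -m state --state NEW -m owner --gid-owner $group -j ACCEPT
# everything else (e.g. a student daemon calling out) is rate-limited logged and dropped
iptables -A HUB_OUT -m limit --limit 5/min -j LOG --log-prefix "hub-out-drop: "
iptables -A HUB_OUT -j DROP
EOF
}

# Print the rules; apply them only when invoked with "apply" and iptables exists.
main() {
    rules=$(emit_output_rules "${IFACE:-eth1}" "${GROUP:-gridxfer}" "${NET:-10.0.0.0/8}")
    printf '%s\n' "$rules"
    if [ "$1" = "apply" ] && command -v iptables >/dev/null 2>&1; then
        printf '%s\n' "$rules" | grep -v '^#' | sh -e
    fi
}

case "${1:-}" in
    print|apply) main "$1" ;;
esac
```

Run `sh hub_out.sh print` to review the generated rules and `sh hub_out.sh apply` (as root) to load them. Daemons that legitimately need the backbone are started with their group set to gridxfer (for example via `sg` or a systemd/init drop-in), so the helper program Wolfgang describes reduces to "start the child under the right group" rather than editing firewall rules at runtime.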



