Re: restrict implicit binding to addresses



On Oct 30, 1:40 am, Wolfgang Draxinger <wdraxin...@xxxxxxxxxxxxxxxx> wrote:

Well, iptables will do the job, it just _must_ be configured
correctly.

That's true of any solution. Since you want to allow some things and
not others, somewhere there is going to have to be a configuration of
what's allowed and what isn't. I don't see that you have an
alternative.

The human factor is the problem: The system will be run mostly by
students, who don't care about such things. The important thing
is that their simulation programs (running on the cluster in
one of the private networks) do their job. And on the data hub
they can install their own daemons for data selection and
proxying. A security nightmare, those programs won't be checked
for exploits and similar stuff. The problem is that the data
hub also needs a reasonably fast connection to the local backbone
(Münchner Wissenschaftsnetz), either to transfer the data to the
supercomputer in the LRZ, the group sometimes gets computing time
on it, or to feed a grid.

You probably want a firewall that is not administered by the students.

You need to configure allowed and un-allowed services,
obviously, so why not do it in the iptables? You can do it by
user, by port, or by any other method iptables allows.

Tonight I figured I could filter for a program's pid, gid and
command line for outgoing packets. Then put a small helper
program around the daemon that opens the firewall for the
programs that are started by it. Hmm, thinking about it, I could
also ptrace for bind and open the ports in iptables on demand
(think about protocols that are as brain dead as FTP...).

You really can't do it by port?

DS
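The group-based egress filtering and per-port inbound allowlist discussed in this thread, as an added example that is not code from the thread: a POSIX sh script that generates an iptables-restore ruleset using the owner match (which in current iptables keys on uid and gid and only applies to locally generated packets, i.e. the OUTPUT chain). The interface name, the group "simulation" and the networks are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables-restore ruleset
# for a host like the "data hub": outbound connections are allowed per Unix
# group via the owner match, inbound connections per port and source network,
# and everything else is dropped and logged. Interface, group and networks
# are assumptions for illustration.

# egress_rule GROUP DEST_CIDR: allow new connections from processes running
# under GROUP to DEST_CIDR (owner match works only in OUTPUT).
egress_rule() {
    printf '%s\n' "-A OUTPUT -o eth0 -d $2 -m owner --gid-owner $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# ingress_rule PROTO PORT SOURCE_CIDR: allow new connections to PORT from SOURCE_CIDR.
ingress_rule() {
    printf '%s\n' "-A INPUT -i eth0 -p $1 --dport $2 -s $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# build_ruleset: print a complete filter table in iptables-restore format.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback, and replies to connections that were already accepted
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # inbound: admin ssh from the admin net, the data service from the cluster net
    ingress_rule tcp 22 192.0.2.0/24
    ingress_rule tcp 8080 10.10.0.0/16
    # outbound: root (updates, admin tools) anywhere; student daemons running
    # in group "simulation" only to the cluster net and the campus backbone
    printf '%s\n' '-A OUTPUT -m owner --uid-owner 0 -j ACCEPT'
    egress_rule simulation 10.10.0.0/16
    egress_rule simulation 198.51.100.0/24
    # rate-limited logging of drops, so a misbehaving daemon shows up in syslog
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "'
    printf '%s\n' 'COMMIT'
}

# egress_targets GROUP: list the destinations GROUP may reach, for review.
egress_targets() {
    build_ruleset | grep -- "--gid-owner $1 " | sed 's/.* -d \([^ ]*\) .*/\1/'
}

# Print the ruleset; with --apply (as root, after review) load it instead.
case "${1:-}" in
    --apply) build_ruleset | iptables-restore ;;
    *)       build_ruleset ;;
esac
```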


