Rules in config file

/dev/rob0 rob0 at gmx.co.uk
Wed Aug 10 20:20:24 CEST 2005


On Wednesday 2005-August-10 07:18, Lists wrote:
> Would it be possible to somehow disable changing iptables rules from
> scripts and enable changing only from a config file, whose loading
> would be protected by a special password defined in the kernel? Or even

And what process is going to read that config file? A kernel driver? 
Sure, you can write kernel-space software to do things like this, but 
the reasoning behind it is not clear to me. I'd think the chances of 
inclusion in the mainstream kernel are close to zero.

> better, you could preset iptables rules in the kernel. Those rules would
> be unchangeable.

Is that good? BTW you can accomplish the same thing with an old 80386 
and /sbin/halt ... the machine keeps passing packets after the OS 
stops. I used to have a 386 firewall machine which died with a hard 
drive crash. I left it running 3-4 weeks thereafter, until I needed to 
make changes in the firewall rules.

> I think this would improve Linux firewall security on systems with
> complex and tight rules.

Complex rules often need care and attention. What is the threat model 
addressed by such a change? If someone hostile gets root on your 
machine, you're in trouble. Besides, I think SELinux presents a more 
comprehensive and well-considered approach to that possibility.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
