Hello. I have an idea for implementing Iptables in HLFS, giving users and daemons the least privileges possible.
Basically Iptables rules are written for each network application or daemon, with a default deny policy. So when /bin/ping gets installed, an iptables policy for ping is added to allow outgoing pings. Same goes for ftp(1), web browsers, or daemons like sshd. Each network application would have its own iptables file, in /etc/iptables, such as /etc/iptables/clients/ping.sh, /etc/iptables/clients/web.sh, or /etc/iptables/servers/sshd.sh. Does this make sense, or is there a better way to do this?

robert
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
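As an added illustration of the layout proposed in the post (example code, not from the post or from HLFS): a loader that installs the default-deny base policy and then sources one rule file per application, with the contents of clients/ping.sh and servers/sshd.sh shown inline as functions so the block runs on its own. The directory layout, function names and the IPT override are assumptions.

```shell
#!/bin/sh
# Per-application iptables rules under a default-deny policy (added example).
# Assumed layout: /etc/iptables/clients/*.sh and /etc/iptables/servers/*.sh,
# each file adding only the NEW connections its program needs.
# IPT can be overridden (e.g. IPT="echo iptables") to preview rules without root.
IPT="${IPT:-iptables}"
RULES_DIR="${RULES_DIR:-/etc/iptables}"

# Base policy: drop everything, then allow only loopback and already
# established traffic. Every other allowance must come from an app file.
base_policy() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# What clients/ping.sh would contain: outgoing echo-request only; the
# echo-reply comes back through the ESTABLISHED rule in the base policy.
ping_rules() {
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
}

# What servers/sshd.sh would contain: new inbound connections to port 22 only.
sshd_rules() {
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Install the base policy, then source every installed application file.
load_all() {
    base_policy
    for f in "$RULES_DIR"/clients/*.sh "$RULES_DIR"/servers/*.sh; do
        [ -r "$f" ] && . "$f"
    done
}

case "${1:-}" in
    load) load_all ;;
esac
```

Running `IPT="echo iptables" sh load.sh load` prints the full rule set instead of installing it, which is a cheap way to review what a newly added application file grants.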