On 8/13/11, Robert Connolly <rob...@linuxfromscratch.org> wrote:
> Hello.
>
> I have an idea for implementing Iptables in HLFS, giving users and daemons the
> least privileges possible.
>
> Basically Iptables rules are written for each network application or daemon,
> with a default deny policy. So when /bin/ping gets installed, an iptables
> policy for ping is added to allow outgoing pings. Same goes for ftp(1), web
> browsers, or daemons like sshd.
>
> Each network application would have its own iptables file, in /etc/iptables,
> such as /etc/iptables/clients/ping.sh, /etc/iptables/clients/web.sh, or
> /etc/iptables/servers/sshd.sh.
>
> Does this make sense, or is there a better way to do this?
>
> robert
>
That makes sense. I would suggest creating custom outbound and inbound chains for these purposes (such as 'INPUT-CLIENTS', 'OUTPUT-CLIENTS', 'INPUT-SERVERS', 'OUTPUT-SERVERS', etc.). Unless of course you think this is overkill. LinuxFromScratch projects are, in part, about learning, so keeping it simple might be the better approach.

--
Kevin Day

--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
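As an added illustration of the layout the two posts sketch (not code from either poster or from HLFS), the script below applies a default-deny policy on all built-in chains, creates the four custom chains Kevin names, and then shows what the per-application fragments under /etc/iptables/clients and /etc/iptables/servers could contain for ping, a web client and sshd. The directory layout, the `ipt` wrapper, the `DRY_RUN` variable and the function names are assumptions of this example; the iptables options used (`-P`, `-N`, `-A`, `--icmp-type`, `-m conntrack --ctstate`, `-m multiport`) are standard.

```shell
#!/bin/sh
# Per-application iptables loader (example code, not part of HLFS).
# Assumed layout: /etc/iptables/clients/*.sh and /etc/iptables/servers/*.sh,
# each file appending rules to the OUTPUT-CLIENTS / INPUT-SERVERS chains.

IPT="${IPT:-iptables}"
RULES_DIR="${RULES_DIR:-/etc/iptables}"

# ipt: run iptables, or only print the command when DRY_RUN is set
# (DRY_RUN is an assumption of this example, useful for previewing rules).
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Default deny on every built-in chain, then the few rules every host needs,
# then the custom chains that the per-application files append to.
base_policy() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -F      # flush all rules first so -X can delete user chains
    ipt -X
    # loopback, and replies for connections already allowed in either direction
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # one inbound and one outbound chain per class (Kevin's suggestion)
    for c in CLIENTS SERVERS; do
        ipt -N "INPUT-$c"
        ipt -N "OUTPUT-$c"
        ipt -A INPUT -j "INPUT-$c"
        ipt -A OUTPUT -j "OUTPUT-$c"
    done
}

# What /etc/iptables/clients/ping.sh could contain: only the outgoing
# echo-request is opened; the echo-reply is accepted by the ESTABLISHED rule.
rules_client_ping() {
    ipt -A OUTPUT-CLIENTS -p icmp --icmp-type echo-request -j ACCEPT
}

# What /etc/iptables/clients/web.sh could contain: new HTTP/HTTPS connections.
rules_client_web() {
    ipt -A OUTPUT-CLIENTS -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# What /etc/iptables/servers/sshd.sh could contain: new inbound SSH sessions;
# the server's replies leave through the ESTABLISHED rule in OUTPUT.
rules_server_sshd() {
    ipt -A INPUT-SERVERS -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Apply the base policy, then source every installed per-application file.
load_all() {
    base_policy
    for f in "$RULES_DIR"/clients/*.sh "$RULES_DIR"/servers/*.sh; do
        if [ -r "$f" ]; then . "$f"; fi
    done
}

# usage: sh iptables-apps.sh load        (DRY_RUN=1 to preview the commands)
if [ "${1:-}" = "load" ]; then
    load_all
fi
```

Two caveats worth keeping in mind with this layout: iptables matches on protocol, port and connection state, not on which binary sent the packet, so the "per-application" files are an organisational convention rather than an enforced per-program policy (the `owner` match can pin outbound rules to a daemon's uid, but it does not help for a setuid-root tool like ping); and because the base policy flushes before the fragments are sourced, a fragment that fails to load leaves that application silently blocked, which is the safe direction for default deny but worth a log line in practice.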