On 11/1/05, Sukrit <[EMAIL PROTECTED]> wrote:
> But seriously the point is, call me paranoid, but I don't want *any*
> traffic other than the intended. I know the name of the application isn't
> embedded in a TCP/IP packet, I further know that you can filter packets
> based on process id from iptables. I'm looking for a hack.
I see what you are trying to do. I chalk this shortcoming up to the lack of a good ACL for networking under Linux. It sort of leads to what I always wondered: "If all devices in Linux are files under /dev, why was there no /dev/ethX?" While a lot of thought has gone into how access to files and directories is managed from the ground up with Unix, TCP/IP (like the C shell and many things from BSD ;-) always seemed bolted-on to me.

> OTOH, tell me is the above approach pointless? Should I just block all
> ports, then open port 80, 443 etc. Also, there is some way to stop
> people from initiating connection from remote end, I think one would
> have to block all ACK/SYN/Whatever TCP replies, right?

It is generally a good idea to block-all-and-allow-desired for incoming traffic (specifying --source-port). If you are paranoid, you could also do the same for outgoing traffic (specifying --dest-port).

> Generally what kind of rules should average Swaminathan have?

Not installing untrusted applications, patching and keeping the system up to date, strengthening the system with something like Bastille, etc. An off-grid system would, of course, be the most secure. But it would be less than useful.

Thaths
-- 
"Facts are meaningless. You could use facts to prove anything that's even remotely true!" -- Homer J. Simpson

_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
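As an added example, not from anyone in the thread, here is a ruleset in the spirit of the block-all-and-allow-desired advice above, emitted as an iptables-restore file by a small POSIX shell function so it can be reviewed before it is loaded. It assumes a hypothetical unprivileged account named browser that the web client runs as, and uses the owner match (-m owner --uid-owner) on the OUTPUT chain. That is the closest iptables gets to the per-application filtering Sukrit is after: the per-process matches (--pid-owner, --cmd-owner) that existed around 2005 were removed from the kernel in 2.6.14, so per-user is what remains. Both chains default to DROP; inbound only ESTABLISHED,RELATED is accepted, so a remote end can never open a connection, and no SYN/ACK blocking rules are needed. Note the rules match on the destination port (--dport) in both directions: the source port of an incoming packet is chosen by the remote end and is not a safe thing to allow on.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset in iptables-restore
# format. Nothing here touches the live firewall; load it with iptables-restore.
#
# Assumptions (not from the original thread):
#   - the web client runs as the unprivileged user named in $1 (default "browser")
#   - conntrack, multiport and owner matches are available (standard on Linux)

gen_rules() {
    web_user="${1:-browser}"   # hypothetical account the browser runs as
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must always work
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# only replies to connections this host started; no NEW inbound at all,
# so the remote end can never initiate a connection
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS so names resolve
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# new web connections, but only when the sending process runs as $web_user
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $web_user -m conntrack --ctstate NEW -j ACCEPT
# anything else trying to leave the box gets logged (rate limited) and dropped by policy
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set; a quick sanity check that the
# allow-list has not silently grown.
count_accept_rules() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

# Stand-alone run: print the ruleset for the default user.
gen_rules "$@"
```

Load it with `gen_rules browser | iptables-restore` as root, and keep a console session open while testing. The OUTPUT policy is deliberately strict: root's own tools (package updates, NTP, SSH) are blocked too until you add a matching --uid-owner root rule for the ports they need, which is the point of the exercise, since every new allow line then has to be justified. Watch the kernel log for "OUTPUT-DROP:" entries to see what else on the system was talking to the network.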