> Our approach to the first problem lies with the No-Net Location. When first
> coming up (i.e. upon enable of the nwam service), before a location has been
> selected, the No-Net location will be activated. This location will install
> strict security policy, only allowing through the traffic necessary for
> configuration (e.g. dhcp, router discovery, dns, ldap).
>
> There are several ways to implement this policy:
>
> 1) create ipsec rules that only allow packets related to the needed
> services through
>
> 2) create ipfilter rules that do the same
>
> 3) create ipsec rules that block everything, and modify the apps that need
> to pass traffic (e.g. dhcpagent) to set up bypass rules for themselves
>
> Option 3 is the cleanest in terms of the policy that needs to be created;
> the downside, though, is that several different daemons/apps will need to
> be modified to set up bypass policy.
Perhaps I'm misunderstanding part of the proposal, but having hardcoded policy in applications that cannot be overridden (e.g., by an admin who never wants to let DHCP through for a certain environment) seems bad. Or are there IPsec commands that would allow the daemon/app overrides to themselves be overridden? Also, can the daemon/app overrides be seen using some admin tool? -- meem
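For reference, here is what option 2 from the quoted proposal (a No-Net policy expressed as ipfilter rules rather than per-application IPsec bypass) could look like. This is an added illustration, not NWAM's or the proposal's own configuration. It assumes standard ipf.conf rule syntax, IPv4 only, and the usual ports for the listed services (DHCP 67/68, DNS 53, LDAP 389/636, ICMP router solicitation/advertisement types 10/9); the interface names and port choices are mine, not taken from the thread.

```ipfilter
# Constructed No-Net policy for ipfilter (assumption: IPv4, default ports).
# Default deny in both directions; everything below uses "quick" so the
# first matching pass rule wins and anything not listed is dropped.
block in all
block out all

# DHCP client: request out from 68 to 67, offer/ack back from 67 to 68.
# Replies may arrive as broadcast, so they are passed explicitly rather
# than relying on state created by the outgoing request.
pass out quick proto udp from any port = 68 to any port = 67
pass in quick proto udp from any port = 67 to any port = 68

# ICMP router discovery: solicitation (type 10) out, advertisement (type 9) in.
pass out quick proto icmp from any to any icmp-type 10
pass in quick proto icmp from any to any icmp-type 9

# DNS: client-initiated only; "keep state" admits the matching reply.
pass out quick proto udp from any to any port = 53 keep state
pass out quick proto tcp from any to any port = 53 flags S keep state

# LDAP (and LDAP over TLS): client-initiated only.
pass out quick proto tcp from any to any port = 389 flags S keep state
pass out quick proto tcp from any to any port = 636 flags S keep state
```

The rule set can be syntax-checked without loading it using `ipf -n -f <file>` and loaded with `ipf -Fa -f <file>`. The property that matters for the concern raised above is that the whole policy lives in one admin-editable file: an administrator who does not want DHCP admitted in a given environment removes two lines, and `ipfstat -io` shows every rule in force, whereas a bypass rule installed by a daemon for itself is neither visible in nor overridable from that file.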