Jeffrey Hutzelman wrote:
> --On Wednesday, August 27, 2008 05:51:36 PM -0700 Bill Sommerfeld
> <sommerfeld at sun.com> wrote:
>
>> On Wed, 2008-08-27 at 17:03 -0700, Darren Reed wrote:
>>> On 08/27/08 16:37, Bill Sommerfeld wrote:
>>> > Unless I'm mistaken, the spec as written would allow *any* service
>>> > administrator to inject essentially arbitrary rules into the global
>>> > ipf.conf.
>>
>>> Given David's replies, do you still see that as being possible?
>>
>> The spec needs to make it clear that it is unsafe to delegate access to
>> these properties.
>>
>> smf could probably use a mechanism to make it harder to screw up access
>> to critical properties like this.
>>
>>> Maybe I should ask, what would you define as being an "overall
>>> policy"?
>>
>> A single coherent source for "what should be allowed on this system"
>> which comes from a single origin. You are likely to lose that coherence
>> when you take the policy, salami-slice it, and spread it through a bunch
>> of service properties.
>
> It's not a bad model for the same packages and smf services that
> provide a service to contain the required firewall rules, such that
> those rules are installed when the service is installed, and enabled
> when the service is enabled. However, that only works when the rules
> are written according to a coherent model such that they don't
> conflict with each other or leave gaps that do unsafe things.

Hi Jeffrey,

Agree. A service is expected to only generate rules relevant to its
network traffic.

> I am very wary of a model that permits any service administrator to
> inject arbitrary ipf rules. This is a problem even if you trust that
> no service admin is malicious (a big leap), because ipf rules may
> interact with each other in complex ways that the service admins may
> be unable to predict.

Yes, as Bill mentioned, some protection for firewall policy configuration
is needed, perhaps a more specific property group authorization to assign
to a "firewall" administrator.

Thanks,
-tony
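The property-group authorization Tony suggests, and the "mechanism to make it harder to screw up access to critical properties" Bill asks for, can both be expressed with SMF's existing per-property-group authorization properties. The manifest fragment below is an added illustration written for this discussion; it is not from the thread, the spec under review, or the OpenSolaris ipfilter project. The service name, the `firewall_config` group name, its `policy` and `ports` properties, and the authorization strings are all assumed placeholder values; `action_authorization`, `value_authorization` and `modify_authorization` are the real SMF property names that the framework checks before allowing a write.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  Added illustration (not from the thread or the OpenSolaris ipfilter
  project): a per-service manifest in which the firewall-related property
  group carries its own authorization, separate from the authorizations
  that let a delegated service administrator manage the service itself.
  Service name, property group name, property names and authorization
  strings are assumed placeholder values.
-->
<service_bundle type="manifest" name="example-daemon">
  <service name="network/example-daemon" type="service" version="1">

    <!-- Ordinary service management. A delegated administrator holding
         these authorizations can enable/disable and reconfigure the
         service, but they grant nothing over the firewall group below. -->
    <property_group name="general" type="framework">
      <propval name="action_authorization" type="astring"
               value="solaris.smf.manage.example-daemon"/>
      <propval name="value_authorization" type="astring"
               value="solaris.smf.value.example-daemon"/>
    </property_group>

    <!-- Firewall-related properties. The service only describes its own
         traffic (a policy knob plus the ports it listens on); it carries
         no raw ipf rules, so the rule generator, not the service admin,
         decides what ends up in ipf.conf.

         The two authorizations below are the gate: without the placeholder
         solaris.smf.value.firewall.config authorization, svccfg refuses to
         change existing values in this group; without
         solaris.smf.modify.firewall.config it refuses to add or delete
         properties here. Holding the service's own manage/value
         authorizations above does not satisfy either check. -->
    <property_group name="firewall_config" type="application">
      <propval name="value_authorization" type="astring"
               value="solaris.smf.value.firewall.config"/>
      <propval name="modify_authorization" type="astring"
               value="solaris.smf.modify.firewall.config"/>
      <!-- assumed policy values: none | allow | deny -->
      <propval name="policy" type="astring" value="allow"/>
      <!-- protocol:port the daemon actually uses; rules are derived from this -->
      <propval name="ports" type="astring" value="tcp:8080"/>
    </property_group>

  </service>
</service_bundle>
```

The split gives the "firewall" administrator a rights profile that carries only the two `firewall.config` authorizations (plus whatever is needed for the global `ipf.conf`), while each service administrator's profile carries only that service's `manage`/`value` authorizations. A quick check that the gate holds: as a user holding only `solaris.smf.value.example-daemon`, `svccfg -s network/example-daemon setprop firewall_config/policy = deny` should be refused, whereas the same command succeeds for the firewall administrator. This addresses who may write the properties; it does not by itself address Bill's coherence point, since the per-service values are still slices of the overall policy and the global file remains the single place where the combined result has to be reviewed.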