> The more I think about it, the more I favor inserting the dropInvalid
> rule in your rules file. If you do that, it is a moot point which
> security context INVALID packets have since they won't be accepted. The
> way your ruleset is right now, you are ACCEPTing such packets; that
> creates new conntrack entries which will take some time to time out and
> be deleted.
>

I am not too sure that is (always) the case. SELinux hooks kick in even before a packet is traversed (when it goes out, for example, as was the case in the one I listed here): if the process/program doesn't have the right permissions set (my_program to send "http_client_t" type packets, for example) then an AVC is issued and no packet passes at all. Besides, when a security issue such as this is concerned, you can't be too careful! It would also allow me additional flexibility as to what to do with these packets, or how to mark them.
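For reference, here is what the rule placement discussed in the quoted reply looks like in a Shorewall rules file. This is an added illustration, not a fragment from the thread or from the Shorewall project; the zone names (net, loc) and the column layout are assumptions, so check the shorewall-rules(5) man page for the version in use. The point is ordering: the dropInvalid action sits before any ACCEPT rule for the same traffic, so packets that conntrack classifies as INVALID are dropped before they can be accepted and never create the conntrack entries the quoted reply warns about.

```text
#ACTION         SOURCE          DEST            PROTO   DPORT
# Drop INVALID packets first (assumed zone names: net, loc).
# Placed ahead of the ACCEPT lines so an INVALID packet is never ACCEPTed
# and therefore never creates a conntrack entry that has to time out.
dropInvalid     net             $FW
dropInvalid     net             loc
# Only after that do ordinary service rules apply (example rule, assumed).
ACCEPT          net             $FW             tcp     80
```

Whether a packet carries an SELinux security context is a separate question from whether it matches this rule; the rule only decides that an INVALID packet is dropped before any accept decision is made.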
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
