Herbert Pötzl <[EMAIL PROTECTED]> writes:

>> > [... vservers & iptables ...]
>>
>> Just add
>>
>> | S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"
>>
>> to the vserver-configuration.
>> ...
>
> and remember, from this moment on, you will be able to
> modify/overwrite any interface on the physical host from
> within the vserver ... (including taking the interface
> down, etc)
Yes, but this is still better than controlling the iptables from the
physical host: it is true that an attacker can do bad things with your
network when scripts in the iptables-vserver have a hole. But he could
do even worse things when these scripts are running on the host machine.

(I am not speaking about giving every host these $S_CAPS, but about a
dedicated iptables-vserver (there exists exactly one such vserver per
host). Other vservers on the host (e.g. a dialin-server) communicate
through a simple protocol with the iptables-vserver to set dynamic
rules.)

Enrico

--
q: If you were young again, would you start writing TeX again or
   would you use Microsoft Word, or another word processor?
a: I hope to die before I have to use Microsoft Word.
            -- Harald Koenig <[EMAIL PROTECTED]> asking D.E.Knuth
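The "simple protocol" between a client vserver and the dedicated iptables-vserver is the part that decides how much a hole in one vserver costs, since the iptables-vserver holds CAP_NET_ADMIN and CAP_NET_RAW. The sketch below is an added example, not code from this thread or from the vserver project: it assumes a line-based request format ("ADD|DEL <chain> <ipv4> <tcp-port>"), an assumed chain name DIALIN_IN that only this service touches, and it builds an argv list for iptables rather than a shell string, so a compromised dialin-server can request a rule for one address and port but cannot smuggle in extra options or other chains.

```python
import ipaddress
import re
import subprocess

# Chains the iptables-vserver is willing to modify on behalf of clients.
# The chain name is an assumption of this example, not from the thread.
ALLOWED_CHAINS = frozenset({"DIALIN_IN"})
ALLOWED_OPS = {"ADD": "-A", "DEL": "-D"}
PORT_RE = re.compile(r"[0-9]{1,5}")


class ProtocolError(ValueError):
    """Raised for any request line that does not match the protocol exactly."""


def parse_request(line):
    """Parse one request line: '<ADD|DEL> <chain> <ipv4> <tcp-port>'.

    Each field is validated on its own and anything unexpected is refused.
    Because the line is split on whitespace and every piece must have a
    strict shape, shell metacharacters or extra iptables options cannot pass.
    """
    parts = line.strip().split()
    if len(parts) != 4:
        raise ProtocolError("expected exactly 4 fields, got %d" % len(parts))
    op, chain, ip_text, port_text = parts
    if op not in ALLOWED_OPS:
        raise ProtocolError("unknown operation %r" % op)
    if chain not in ALLOWED_CHAINS:
        raise ProtocolError("chain %r is not managed by this service" % chain)
    try:
        address = ipaddress.IPv4Address(ip_text)
    except ValueError:
        raise ProtocolError("not an IPv4 address: %r" % ip_text)
    if not PORT_RE.fullmatch(port_text) or not 1 <= int(port_text) <= 65535:
        raise ProtocolError("bad port %r" % port_text)
    return op, chain, address, int(port_text)


def build_iptables_argv(op, chain, address, port):
    """Translate a validated request into an argv list (no shell involved)."""
    return ["iptables", ALLOWED_OPS[op], chain,
            "-s", str(address), "-p", "tcp", "--dport", str(port),
            "-j", "ACCEPT"]


def handle_line(line):
    """Validate one request and return the iptables argv it maps to."""
    return build_iptables_argv(*parse_request(line))


def is_valid_request(line):
    """True if the line would be accepted by parse_request."""
    try:
        parse_request(line)
        return True
    except ProtocolError:
        return False


def serve(lines, run=None):
    """Process request lines coming from a client vserver.

    `run` is called with the argv list; it defaults to subprocess.run so the
    real iptables binary is executed inside the iptables-vserver.  Tests pass
    a recording stub instead.  Returns (applied_argvs, rejected_lines).
    """
    if run is None:
        run = lambda argv: subprocess.run(argv, check=True)
    applied, rejected = [], []
    for line in lines:
        try:
            argv = handle_line(line)
        except ProtocolError:
            rejected.append(line.rstrip("\n"))
            continue
        run(argv)
        applied.append(argv)
    return applied, rejected


# Constructed sample traffic: what a dialin-server might send, plus an
# injection attempt and an off-limits chain that the strict grammar rejects.
SAMPLE_REQUESTS = [
    "ADD DIALIN_IN 10.8.0.17 22\n",
    "ADD DIALIN_IN 10.8.0.17 22; iptables -F\n",
    "ADD INPUT 10.8.0.17 22\n",
    "DEL DIALIN_IN 10.8.0.17 22\n",
]

if __name__ == "__main__":
    applied, rejected = serve(SAMPLE_REQUESTS, run=lambda argv: None)
    for argv in applied:
        print("would run:", " ".join(argv))
    for line in rejected:
        print("rejected:", line)
```

The point of the argv construction is that the client never gets to name an iptables option or a chain of its choosing; the only thing it controls is which of the allowed (op, chain, address, port) tuples is applied. Whether the request arrives over a unix socket, a TCP port or a file is left to the deployment.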
