robert at linuxfromscratch.org
Sat Aug 13 19:33:44 PDT 2011
I have an idea for implementing Iptables in HLFS, giving users and daemons the
least privileges possible.
Basically Iptables rules are written for each network application or daemon,
with a default deny policy. So when /bin/ping gets installed, an iptables
policy for ping is added to allow outgoing pings. Same goes for ftp(1), web
browsers, or daemons like sshd.
Each network application would have its own iptables file, in /etc/iptables,
such as /etc/iptables/clients/ping.sh, /etc/iptables/clients/web.sh, or
Does this make sense, or is there a better way to do this?
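The per-application layout sketched in the message, as an added example that is not code from the original post or from HLFS. It keeps the /etc/iptables/clients path the post proposes; the helper names (apply_default_policy, allow_out, allow_in, load_client_rules), the IPT and RULES_DIR variables, the group names ping and web, and the file name firewall.sh are this example's own choices. Because the iptables owner match works on uid/gid rather than on the executable path, the example assumes each client binary is setgid to a group of its own and each daemon runs as a dedicated user.

```shell
#!/bin/sh
# Added example, not code from the hlfs-dev post: a per-application iptables
# loader with a default-deny policy. Function names, the IPT/RULES_DIR
# variables and the group names are this example's own choices.
# Assumed layout (paths as proposed in the post): one file per program under
# /etc/iptables/clients, each calling the helpers below, e.g.
#   ping.sh : allow_out ping icmp --icmp-type echo-request
#   web.sh  : allow_out web tcp --dport 80; allow_out web tcp --dport 443
#   sshd.sh : allow_in tcp 22
# iptables' owner match keys on uid/gid rather than on the executable, so the
# example assumes each client binary is setgid to a group of its own (ping,
# web, ...) and each daemon runs as a dedicated user.
# IPT defaults to "echo iptables", i.e. a dry run that prints the rules it
# would load; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
RULES_DIR="${RULES_DIR:-/etc/iptables/clients}"

# Default-deny baseline: all three chains drop unless a later rule accepts.
apply_default_policy() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to permitted connections pass in both directions; only the
    # first packet of a flow (state NEW) is subject to the per-app rules.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# allow_out GROUP PROTO [match args...]
# Permit new outbound PROTO traffic only for sockets owned by GROUP.
allow_out() {
    grp=$1; proto=$2; shift 2
    $IPT -A OUTPUT -p "$proto" "$@" -m owner --gid-owner "$grp" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# allow_in PROTO PORT
# Permit new inbound connections to a daemon's listening PORT. The owner
# match only exists for locally generated packets, so inbound rules are
# keyed on the port; the daemon's replies are covered by the ESTABLISHED rule.
allow_in() {
    $IPT -A INPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# load_client_rules [DIR]
# Source every *.sh in DIR so each application's file adds its own rules.
load_client_rules() {
    dir=${1:-$RULES_DIR}
    for f in "$dir"/*.sh; do
        [ -r "$f" ] || continue
        . "$f"
    done
}

# Invoke as "sh firewall.sh --run" (dry run) or "IPT=iptables sh firewall.sh --run".
if [ "${1:-}" = "--run" ]; then
    apply_default_policy
    load_client_rules
fi
```

Run it once without IPT set to review the full rule list before applying it; installing a new network program then means dropping one more file into /etc/iptables/clients and re-running the loader, while anything without a file stays blocked by the DROP policies.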