Robert Connolly robert at linuxfromscratch.org
Sat Aug 13 19:33:44 PDT 2011


I have an idea for implementing Iptables in HLFS, giving users and daemons the 
least privileges possible.

Basically Iptables rules are written for each network application or daemon, 
with a default deny policy. So when /bin/ping gets installed, an iptables 
policy for ping is added to allow outgoing pings. Same goes for ftp(1), web 
browsers, or daemons like sshd.

Each network application would have it's own iptables file, in /etc/iptables, 
such as /etc/iptables/clients/ping.sh, /etc/iptables/clients/web.sh, or 

Does this make sense, or is there a better way to do this?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20110813/35fe92eb/attachment.sig>

More information about the hlfs-dev mailing list