Kevin Day thekevinday at gmail.com
Sun Aug 14 12:07:35 PDT 2011

On 8/13/11, Robert Connolly <robert at linuxfromscratch.org> wrote:
> Hello.
> I have an idea for implementing Iptables in HLFS, giving users and daemons
> the least privileges possible.
> Basically Iptables rules are written for each network application or daemon,
> with a default deny policy. So when /bin/ping gets installed, an iptables
> policy for ping is added to allow outgoing pings. Same goes for ftp(1), web
> browsers, or daemons like sshd.
> Each network application would have its own iptables file, in
> /etc/iptables, such as /etc/iptables/clients/ping.sh,
> /etc/iptables/clients/web.sh, or /etc/iptables/servers/sshd.sh.
> Does this make sense, or is there a better way to do this?
> robert

That makes sense. I would suggest creating custom outbound & inbound
chains for these purposes (such as 'INPUT-CLIENTS', 'OUTPUT-CLIENTS',
'INPUT-SERVERS', 'OUTPUT-SERVERS', etc.). Unless of course you think
this is overkill. LinuxFromScratch projects are, in part, about
learning, so keeping it simple might be the better approach.

Kevin Day
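Concretely, as an added example that is not from either poster: a skeleton of the per-application layout Robert describes, wired into the custom chains Kevin suggests. The `run` helper, the `DRYRUN` switch and the `*_rules` function names are my assumptions; the base policy also accepts conntrack ESTABLISHED/RELATED traffic so each fragment only has to open the direction an application initiates.

```shell
#!/bin/sh
# Added example, not from the thread: per-application iptables fragments
# feeding the custom chains, with a default-deny base policy.
# Assumption (mine): each /etc/iptables/{clients,servers}/NAME.sh defines
# one NAME_rules function that appends only to the custom chains.
# DRYRUN=1 prints the rules instead of loading them (handy for review).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"
    else iptables "$@"; fi
}

# Base policy: default deny, loopback allowed, replies handled by conntrack,
# everything else delegated to the per-role chains.
base_policy() {
    run -F; run -X
    for chain in INPUT OUTPUT FORWARD; do run -P "$chain" DROP; done
    for chain in INPUT-CLIENTS OUTPUT-CLIENTS INPUT-SERVERS OUTPUT-SERVERS; do
        run -N "$chain"
    done
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT  -j INPUT-SERVERS
    run -A INPUT  -j INPUT-CLIENTS
    run -A OUTPUT -j OUTPUT-CLIENTS
    run -A OUTPUT -j OUTPUT-SERVERS
}

# /etc/iptables/clients/ping.sh: outgoing echo-request only; the reply
# comes back through the ESTABLISHED rule above.
ping_rules() {
    run -A OUTPUT-CLIENTS -p icmp --icmp-type echo-request -j ACCEPT
}
# /etc/iptables/clients/web.sh: new outbound HTTP/HTTPS connections only.
web_rules() {
    run -A OUTPUT-CLIENTS -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
}
# /etc/iptables/servers/sshd.sh: new inbound connections to port 22 only.
sshd_rules() {
    run -A INPUT-SERVERS -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() { base_policy; ping_rules; web_rules; sshd_rules; }
# Load for real only when invoked as: sh iptables.sh apply
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run with `DRYRUN=1 sh iptables.sh apply` first to review the full rule list before loading it.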
