thekevinday at gmail.com
Sun Aug 14 12:07:35 PDT 2011
On 8/13/11, Robert Connolly <robert at linuxfromscratch.org> wrote:
> I have an idea for implementing Iptables in HLFS, giving users and daemons
> least privileges possible.
> Basically Iptables rules are written for each network application or daemon,
> with a default deny policy. So when /bin/ping gets installed, an iptables
> policy for ping is added to allow outgoing pings. Same goes for ftp(1), web
> browsers, or daemons like sshd.
> Each network application would have its own iptables file, in
> such as /etc/iptables/clients/ping.sh, /etc/iptables/clients/web.sh, or
> Does this make sense, or is there a better way to do this?
That makes sense. I would suggest creating custom outbound & inbound
chains for these purposes (such as 'INPUT-CLIENTS', 'OUTPUT-CLIENTS',
'INPUT-SERVERS', 'OUTPUT-SERVERS', etc.). Unless of course you think
this is overkill. LinuxFromScratch projects are, in part, about
learning, so keeping it simple might be the better approach.
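A sketch of this layout as an added example (not code from the thread or from HLFS): a default-deny base policy using the chains named in the reply, the clients/ping.sh rule from the proposal, and a servers/sshd.sh assumed by analogy. The IPT and RULE_DIR variables, the LOG rules and the chain ordering are assumptions.

```shell
#!/bin/sh
# Default-deny base policy plus per-application rule files, using per-purpose chains.
IPT=${IPT:-iptables}          # IPT=echo previews the rules without root
RULE_DIR=${RULE_DIR:-/etc/iptables}   # assumed layout: clients/ and servers/

# Drop everything by default, allow loopback and replies to already-accepted
# traffic once, then hand new traffic to the per-purpose chains.
base_policy() {
    for chain in INPUT OUTPUT FORWARD; do "$IPT" -P "$chain" DROP; done
    for chain in INPUT-CLIENTS OUTPUT-CLIENTS INPUT-SERVERS OUTPUT-SERVERS; do
        "$IPT" -N "$chain"
    done
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -j INPUT-CLIENTS
    "$IPT" -A INPUT -j INPUT-SERVERS
    "$IPT" -A OUTPUT -j OUTPUT-CLIENTS
    "$IPT" -A OUTPUT -j OUTPUT-SERVERS
    # Whatever no application file claimed is logged before the policy drops it,
    # so a missing rule shows up in the kernel log instead of failing silently.
    "$IPT" -A INPUT -j LOG --log-prefix "hlfs-drop-in: "
    "$IPT" -A OUTPUT -j LOG --log-prefix "hlfs-drop-out: "
}

# What /etc/iptables/clients/ping.sh would add: ping only needs to send echo
# requests; the echo replies are matched by the ESTABLISHED,RELATED rule.
ping_rules() {
    "$IPT" -A OUTPUT-CLIENTS -p icmp --icmp-type echo-request -j ACCEPT
}

# What an assumed /etc/iptables/servers/sshd.sh would add: new inbound SSH
# connections only; the server's replies ride on ESTABLISHED,RELATED too.
sshd_rules() {
    "$IPT" -A INPUT-SERVERS -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Source every installed rule file, so removing a package's file removes
# its network privileges with it.
load_rule_files() {
    for f in "$RULE_DIR"/clients/*.sh "$RULE_DIR"/servers/*.sh; do
        [ -r "$f" ] && . "$f"
    done
}
case "${1:-}" in
    apply) base_policy && load_rule_files ;;            # run as root
    show)  IPT=echo; base_policy; ping_rules; sshd_rules ;;
esac
```

Run `sh firewall.sh show` to print the rule set, or `apply` as root to load it.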