On Wed, 16 Apr 2014, Florian Weimer wrote:
Suppose I have a cluster of machines, running an application. The
application opens up TCP connections to other machines, without any form of
Would iptables owner match work here?
You can use it to restrict outgoing connections to addresses and ports
where the application is listening. But it would be rather fragile because
the restriction would have be enforced at every individual node able to
connect to the app.
Is there some way to pass on user information with IPsec?
SELinux can do it with security contexts:
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /