Firewall and user services that needs open ports
Nicolas Mailhot
nicolas.mailhot at laposte.net
Mon Jun 23 07:58:52 UTC 2008
Le Lun 23 juin 2008 08:37, Callum Lerwick a écrit :
> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be
> binding to in the first place. Using iptables for this is a completely
> unsustainable hack. iptables firewalling is for machines that route
> packets to other machines.
Iptables is actually wonderfully simple and transparent to normal
users, unlike apps that do black magic using a system bus one can't
inspect, a registry system full of rotten undocumented keys, and
massive use of bandaids (PA startup I'm thinking about you).
You'll take iptables out of my system the day I can easily check the
spaguetti pile userspace is those days is not misbehaving. And no
current selinux is not an "easy to inspect" system.
--
Nicolas Mailhot
More information about the devel
mailing list