Re: When a yum update sets up an MTA ...

Florian Weimer fweimer at
Mon Apr 28 18:09:59 UTC 2014

On 04/28/2014 12:42 PM, David Woodhouse wrote:

> Actually, I think the best way to fix this is with SELinux, rather than
> iptables. Why go for an overly complex solution where authorised
> processes have to prod a firewall dæmon to change the iptables
> configuration, when the kernel has a perfectly good "firewall" built in
> as a fundamental part of the IP stack? Send a TCP SYN to a port which
> nobody's listening on, and you'll get a TCP RST back. Send a UDP packet
> to closed port, and you'll get an ICMP 'port unreachable' back. No need
> for iptables at all. All you need to do, if you really want to control
> incoming connections, is use SELinux to limit who can bind() and
> listen() to certain ports.

Can we make this stick for the unconfined_t user as well?  How can 
system administrators configure exceptions?  What about developers who 
need to bind to various ports, e.g. while running test suites?  Will it 
be as straightforward as with firewalld?

An explicit failure on bind() might actually give us better error 
reporting (especially if the EPERM details idea is implemented).  I like 
the SELinux idea.

Florian Weimer / Red Hat Product Security Team
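The following is an added example, not part of this thread or any Fedora code: it demonstrates on localhost the two behaviours the exchange above relies on. First, David Woodhouse's "kernel firewall": a TCP SYN to a port with no listener is answered with RST, which the connecting side sees as ECONNREFUSED, and a UDP datagram to a closed port triggers ICMP port unreachable, which Linux reports as ECONNREFUSED on the next recv() of a connected UDP socket. Second, Florian Weimer's point about explicit bind() failures: the script classifies the errno a failed bind() returns, since an SELinux name_bind denial and a missing CAP_NET_BIND_SERVICE on a privileged port both surface as EACCES, while a port that is merely taken gives EADDRINUSE. The port numbers are chosen at run time, and the classification strings are this example's own wording.

```python
import errno
import socket


def free_port():
    """Ask the kernel for an unused TCP port on loopback, then release it.

    The port is closed before returning, so a subsequent connect() to it
    hits a port with no listener (racy in theory, fine for a demo).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_connect_result(port, timeout=2.0):
    """Connect to 127.0.0.1:port; return 0 on success or the errno on failure.

    With no listener the kernel answers the SYN with RST, so this returns
    errno.ECONNREFUSED without any packet-filter rule being involved.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
        except OSError as e:
            return e.errno
        return 0


def udp_closed_port_result(port, timeout=2.0):
    """Send one datagram to a closed UDP port and read back the error.

    On a *connected* UDP socket Linux delivers the ICMP port-unreachable
    generated by the closed port as ECONNREFUSED on the next recv().
    Returns the errno, or None if nothing came back before the timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(("127.0.0.1", port))
        s.send(b"probe")  # constructed payload; content is irrelevant
        try:
            s.recv(64)
        except socket.timeout:
            return None
        except OSError as e:
            return e.errno
        return 0


def try_bind(port):
    """bind() a TCP socket to 127.0.0.1:port; return 0 or the errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
        except OSError as e:
            return e.errno
        return 0


def explain_bind_errno(err):
    """Turn a bind() errno into an operator-facing explanation.

    SELinux denies bind() on a port the domain lacks name_bind for with
    EACCES, the same errno an unprivileged process gets on ports < 1024
    without CAP_NET_BIND_SERVICE; check the audit log (ausearch -m avc)
    to tell the two apart.
    """
    if err == 0:
        return "bind() succeeded"
    if err == errno.EACCES:
        return ("bind() denied (EACCES): SELinux name_bind policy or "
                "missing CAP_NET_BIND_SERVICE for a privileged port")
    if err == errno.EADDRINUSE:
        return "bind() failed (EADDRINUSE): another socket owns the port"
    return "bind() failed: %s" % errno.errorcode.get(err, str(err))


if __name__ == "__main__":
    p = free_port()
    print("TCP to closed port", p, "->", errno.errorcode.get(tcp_connect_result(p)))
    print("UDP to closed port", p, "->", errno.errorcode.get(udp_closed_port_result(p)))
    print("bind() to free port", p, "->", explain_bind_errno(try_bind(p)))
    print("bind() to port 80  ->", explain_bind_errno(try_bind(80)))
```

Run as an unprivileged user, the last line reports EACCES for port 80 (no CAP_NET_BIND_SERVICE); as root it succeeds unless the process runs in a confined SELinux domain without name_bind on that port, in which case EACCES comes back too and `ausearch -m avc` shows the denial. The exception mechanism Florian asks about is port labelling: `semanage port -a -t http_port_t -p tcp 8080` lets httpd_t bind TCP 8080, and `semanage port -l` lists the current labels.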
