an that is why we need a firewall -> Re: When a yum update sets up an MTA ...
fweimer at redhat.com
Mon Apr 28 18:09:59 UTC 2014
On 04/28/2014 12:42 PM, David Woodhouse wrote:
> Actually, I think the best way to fix this is with SELinux, rather than
> iptables. Why go for an overly complex solution where authorised
> processes have to prod a firewall dæmon to change the iptables
> configuration, when the kernel has a perfectly good "firewall" built in
> as a fundamental part of the IP stack? Send a TCP SYN to a port which
> nobody's listening on, and you'll get a TCP RST back. Send a UDP packet
> to a closed port, and you'll get an ICMP 'port unreachable' back. No need
> for iptables at all. All you need to do, if you really want to control
> incoming connections, is use SELinux to limit who can bind() and
> listen() to certain ports.
Can we make this stick for the unconfined_t user as well? How can
system administrators configure exceptions? What about developers who
need to bind to various ports, e.g. while running test suites? Will it
be as straightforward as with firewalld?
An explicit failure on bind() might actually give us better error
reporting (especially if the EPERM details idea is implemented). I like
the SELinux idea.
Florian Weimer / Red Hat Product Security Team
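The two kernel behaviours the quoted message relies on, seen from user space, as an added example that is not part of the thread: the RST a closed TCP port answers with, and the explicit errno a process gets when bind()/listen() is refused. Function names are mine, and it assumes a Linux host with a working loopback interface.

```c
// Added example (not from the thread). probe_closed_tcp_port() sends a SYN
// to a loopback port with no listener and reports the errno the RST becomes
// (ECONNREFUSED); try_bind() binds+listens and returns an explicit error,
// which is what a capability or SELinux port denial looks like (EACCES).
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on 127.0.0.1:port; port 0 lets the kernel choose one.
 * Returns the bound port (> 0) with the listening socket in *fd_out, or
 * -errno when bind()/listen() fails explicitly. */
int try_bind(unsigned short port, int *fd_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 1) < 0) {
        int err = errno;            /* save before close() can clobber it */
        close(fd);
        return -err;
    }
    socklen_t len = sizeof sa;      /* read back the port the kernel picked */
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { int e = errno; close(fd); return -e; }
    *fd_out = fd;
    return ntohs(sa.sin_port);
}

/* Human-readable cause for a bind()/listen() errno, for error reporting. */
const char *explain_bind_error(int err) {
    switch (err) {
    case EACCES:     return "denied by policy: privileged port without CAP_NET_BIND_SERVICE, or SELinux port label";
    case EADDRINUSE: return "another process already owns the port";
    default:         return strerror(err);
    }
}

/* connect() to 127.0.0.1:port. With nobody listening, the kernel replies
 * RST and connect() fails with ECONNREFUSED. Returns 0 or -errno. */
int probe_closed_tcp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -errno : 0;
    close(fd);
    return rc;
}
```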