[linux-elitists] Integrating the firewall and the package manager?

Don Marti dmarti@zgp.org
Tue Apr 12 11:28:06 PDT 2005


(Forgive me for polluting your inbox with what seems
like an obvious idea, but some people might want
to print it out for the "neener, neener, Prior Art
on you, you obvious-idea-patenting pinhead" box.)

Problem: malware can spread without getting root.

Solution: Solution?  What is this, a banner for a
tradeshow booth?  There are no "solutions", just
extra hops on the attack path.

I think it's possible to combine the problem of
setting up local firewall rules with the easier
problem of using the package manager correctly.

Basically, the system boots up with all tables default
DROP.  Then, when any daemon starts, its init script
is responsible for setting up any rules necessary
for it to do its job.  If you start a local-only
daemon, the script should be smart enough to parse the
daemon's config file and only allow traffic that the
daemon will.  If you set up an MTA with a smarthost,
the script should be smart enough to allow outgoing
port 25 only to the smarthost. 

(If the config file is impossible to parse, add a
"--just-parse-your-freaky-config-file-and-dump-an-iptables-rule-please"
command-line option to the daemon itself.)

Likewise, the init script is responsible for taking
the rules down after stopping the daemon.

Any package that needs to do something
network-wise but doesn't have an init script
would be responsible for adding a script in
/etc/hey-let-me-talk-on-the-network-please and all
those scripts would get run at appropriate times.

For example, the package manager itself could add
a rule allowing outgoing connections on port 80 to
distro-updates.example.org -- but if the system didn't
have any other web clients installed, it couldn't
make any other outgoing port 80 connections.

-- 
Don Marti
http://zgp.org/~dmarti/
dmarti@zgp.org
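
Added example, not part of the original post: a sketch of the MTA-with-smarthost case, where the init script derives its one outgoing rule from the daemon's own config and removes it on stop. It assumes a Postfix-style main.cf with "relayhost = [host]:port"; the function names are hypothetical and the rules are printed, not applied.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes a Postfix-style
# main.cf where the smarthost is set as "relayhost = [host]:port".

# Constructed sample config, embedded so the script runs offline.
sample_main_cf() {
cat <<'EOF'
myhostname = box.example.org
inet_interfaces = loopback-only
relayhost = [smarthost.example.org]:25
EOF
}

# Read a config on stdin, print "host port" for the smarthost.
# Returns 1 (emit no rule, so the default DROP still applies) when the
# value is missing, malformed, or a bare domain: Postfix does an MX lookup
# for un-bracketed names, so the name is not the host that gets contacted.
parse_relayhost() {
    val=$(sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' | tail -n 1 |
          sed 's/[[:space:]]*$//')
    case $val in
        \[*\]:*) port=${val##*:}; host=${val%:*} ;;
        \[*\])   port=25; host=$val ;;
        *)       return 1 ;;
    esac
    host=${host#\[}; host=${host%\]}
    # Only plain hostname/IPv4 characters and a numeric port reach the rule.
    case $host in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$host" "$port"
}

# emit_rule A|D: print the iptables command an init script would run on
# start (A, append) or stop (D, delete). Printed rather than executed so
# this runs without root. iptables resolves the name once, at insert time.
emit_rule() {
    case $1 in A|D) ;; *) return 2 ;; esac
    hp=$(parse_relayhost) || return 1
    printf 'iptables -%s OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$1" "${hp% *}" "${hp#* }"
}

sample_main_cf | emit_rule A   # start
sample_main_cf | emit_rule D   # stop
```

Because the name is resolved only when the rule is inserted, a smarthost whose address changes needs the daemon restarted (or the rule re-emitted) to stay reachable.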


