[linux-elitists] Integrating the firewall and the package manager?

Jim Richardson warlock@eskimo.com
Tue Apr 12 13:13:32 PDT 2005

On Tue, 2005-04-12 at 11:28 -0700, Don Marti wrote:
> (Forgive me for polluting your inbox with what seems
> like an obvious idea, but some people might want
> to print it out for the "neener, neener, Prior Art
> on you, you obvious-idea-patenting pinhead" box.)
> Problem: malware can spread without getting root.
> Solution: Solution?  What is this, a banner for a
> tradeshow booth?  There are no "solutions", just
> extra hops on the attack path.
> I think it's possible to combine the problem of
> setting up local firewall rules with the easier
> problem of using the package manager correctly.
> Basically, the system boots up with all tables default
> DROP.  Then, when any daemon starts, its init script
> is responsible for setting up any rules necessary
> for it to do its job.  If you start a local-only
> daemon, the script should be smart enough to parse the
> daemon's config file and only allow traffic that the
> daemon will.  If you set up an MTA with a smarthost,
> the script should be smart enough to allow outgoing
> port 25 only to the smarthost. 
> (If the config file is impossible to parse, add a
> "--just-parse-your-freaky-config-file-and-dump-an-iptables-rule-please"
> command-line option to the daemon itself.)
> Likewise, the init script is responsible for taking
> the rules down after stopping the daemon.
> Any package that needs to do something
> network-wise but doesn't have an init script
> would be responsible for adding a script in
> /etc/hey-let-me-talk-on-the-network-please and all
> those scripts would get run at appropriate times.
> For example, the package manager itself could add
> a rule allowing outgoing connections on port 80 to
> distro-updates.example.org -- but if the system didn't
> have any other web clients installed, it couldn't
> make any other outgoing port 80 connections.

This seems like an interesting approach, but it would likely be
distro-dependent, not that that's a bad thing though.

One question would be some of the more convoluted transport protocols
like p2p and IM stuff, which are often problematic in this area. 

Although for servers, this sounds like a great idea. 

Jim Richardson http://www.eskimo.com/~warlock
I have an understanding with my local police--I have them outgunned, but
they have me outnumbered.
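The init-script mechanism Don describes above (tables default DROP, each daemon's start script parsing the daemon's own config and opening only what it needs, the stop path removing exactly the same rule), as an added example that is not code from the post or from any distro. It assumes a Postfix-style `relayhost` line, iptables, and a chain named `daemon-out` reached from OUTPUT; it prints the iptables commands instead of running them, so the generator can be checked without root.

```shell
#!/bin/sh
# Per-daemon firewall rules derived from the daemon's own config.
# Assumptions (not from the post): a "relayhost = host[:port]" line as in
# Postfix main.cf, and an iptables chain "daemon-out" that OUTPUT jumps to.
CHAIN=daemon-out

# smarthost_from_config FILE -> prints "host port"; port defaults to 25.
# Handles Postfix's "[host]:port" form (brackets mean "skip MX lookup").
smarthost_from_config() {
    awk -F= '/^[[:space:]]*relayhost[[:space:]]*=/ {
        gsub(/[[:space:]]/, "", $2); sub(/^\[/, "", $2); sub(/]/, "", $2)
        if ($2 == "") exit
        n = split($2, p, ":"); print p[1], (n > 1 ? p[2] : 25); exit
    }' "$1"
}

# mta_rules start|stop FILE -> prints the iptables command for that action.
# "stop" uses the identical rule spec with -D so the delete matches exactly.
mta_rules() {
    action=$1; cfg=$2
    set -- $(smarthost_from_config "$cfg")
    [ -n "$1" ] || { echo "no relayhost in $cfg; opening nothing" >&2; return 1; }
    case $action in
        start) op=-A ;;
        stop)  op=-D ;;
        *) echo "usage: mta_rules start|stop FILE" >&2; return 2 ;;
    esac
    # Only new TCP connections to the smarthost on its port; everything
    # else stays at the default DROP.
    echo "iptables $op $CHAIN -p tcp -d $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample config standing in for /etc/postfix/main.cf.
SAMPLE_CF=$(mktemp)
trap 'rm -f "$SAMPLE_CF"' EXIT
cat > "$SAMPLE_CF" <<'EOF'
myhostname = box.example.org
relayhost = [smtp.example.org]:587
EOF

mta_rules start "$SAMPLE_CF"   # what the init script's start path would run
mta_rules stop "$SAMPLE_CF"    # what its stop path would run after the daemon exits
```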