mobility and firewall

Michael R Head burner at suppressingfire.org
Fri Jun 3 12:27:49 CDT 2005


On Fri, 2005-06-03 at 13:09 -0400, Dmitriy Kropivnitskiy wrote:
> On Fri, 2005-06-03 at 11:43 +1200, Christoph Georgi wrote: 
> > Default Policy: DROP
> > Allow only ESTABLISHED and RELATED for incoming traffic
> > Allow outgoing connections only to port http, https, smtp, pop3, ...
> I wouldn't restrict outgoing connections, since that would lead to way
> too many dumb-user problems like 
> "I cannot use AIM!" "Why cannot I connect to IRC?" etc. 

But if your machine has been compromised, it allows the attacker to use
your computer to send attack or informational/spyware packets out, too. 

> > Additionally you might want to specify the processes that are allowed to 
> > connect to services.
> What do you mean by this? If you mean something like "Only
> mozilla-firefox can connect to port 80" it is rather difficult. The
> only way I see to do something like this transparently is to use
> netlink interface of netfilter. Unfortunately it is a bit
> under-documented and I am not sure how well it is supported.

Doesn't firestarter support this? Or does it only work at the packet
level?

-- 
Michael R Head <burner at suppressingfire.org>
GPG: http://www.suppressingfire.org/~burner/gpg.key.txt (ID 23A02B1F)
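As an added illustration of the policy Christoph quotes above (default DROP, ESTABLISHED/RELATED in, a whitelist of outgoing ports) and of the nearest thing iptables offers to "only this program may connect" (the `owner` match, which works per local user rather than per process), here is a POSIX shell script that generates an iptables-restore ruleset. It is example code written for this thread, not something any of the posters sent; the port list, the `browser` user name and the `egress-drop:` log prefix are constructed values, and the script only applies the rules when invoked with `apply` as root.

```shell
#!/bin/sh
# Constructed example: build an iptables-restore ruleset implementing
#   default DROP / allow ESTABLISHED,RELATED in / allow NEW out only to listed TCP ports.
# Nothing here touches the live firewall unless "apply" is passed explicitly.

# gen_ruleset "<space-separated TCP ports>" [local-user]
# If a user is given, the outgoing allows are restricted to sockets owned by that
# uid (-m owner --uid-owner): run the browser as that user and only it reaches the
# listed ports. This is per-user, not per-process, which is the closest match
# the stock netfilter matches provide.
gen_ruleset() {
    ports="$1"
    owner="${2:-}"
    if [ -n "$owner" ]; then
        owner_match="-m owner --uid-owner $owner "
    else
        owner_match=""
    fi

    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT DROP [0:0]\n'
    # Loopback must stay open or local services (resolver, X, IPC over TCP) break.
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A OUTPUT -o lo -j ACCEPT\n'
    # Replies to connections this host initiated, in both directions.
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # DNS has to be reachable before any whitelisted port is useful.
    printf -- '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT\n'
    # The whitelist of new outgoing TCP connections.
    for p in $ports; do
        printf -- '-A OUTPUT -p tcp --dport %s %s-m conntrack --ctstate NEW -j ACCEPT\n' \
            "$p" "$owner_match"
    done
    # Log what the egress policy drops (rate-limited): a compromised host trying to
    # phone home shows up here, which is the point Michael makes in the thread.
    printf -- '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "\n'
    printf 'COMMIT\n'
}

# Helper for checking a generated ruleset: number of outgoing TCP allow rules.
count_egress_allows() {
    gen_ruleset "$1" "${2:-}" | grep -c -- '-A OUTPUT -p tcp --dport'
}

# Number of rules carrying the per-user owner match in a generated ruleset.
count_owner_rules() {
    gen_ruleset "$1" "${2:-}" | grep -c -- '--uid-owner'
}

# Usage (as root): sh egress.sh apply "80 443 25 110" browser
if [ "${1:-}" = "apply" ]; then
    gen_ruleset "${2:-}" "${3:-}" | iptables-restore
fi
```

Review the output with `sh egress.sh` style calls to `gen_ruleset` before applying it, and watch the `egress-drop:` log entries for a day or two: every legitimate program that breaks (the AIM and IRC cases Dmitriy mentions) shows up there as a dropped destination port, and each one is a deliberate decision to add, rather than a hole left open by default.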