Guest session network lockdown
Matt Zimmerman
mdz at ubuntu.com
Thu Jul 31 19:40:09 BST 2008
On Thu, Jul 31, 2008 at 02:34:10PM +0200, Martin Pitt wrote:
> The spec also mentions restricting network access to the guest user.
> Standard TCP/UDP to the internet should of course be allowed in order
> to be useful, but it would be nice to e.g. disallow the usage of VPNs.
> This can be implemented with some iptables rules and the 'owner'
> module.
Would it make sense to integrate with ufw for this?
> However, we didn't talk yet about which particular kind of network
> access should be allowed/denied. Some examples that come into my mind,
> together with my gut feeling of whether to allow or deny them:
>
> - default route (should certainly be allowed, even if that is through
> a VPN)
I think this should be allowed, but limited. Things like HTTP(S), FTP, DNS,
POP, IMAP, etc. should be allowed, but perhaps not arbitrary ports.
> - existing VPNs to non-default routes (deny) -> how to detect this?
> OpenVPN uses tun devices, but other solutions work differently; e.g.
> standard ipsec-tools uses regular ethernet interfaces and just
> magically declares the connections as encrypted/signed in kernel
> space; and then there's the Cisco "vpnc" package and a ton of
> others...
Perhaps outbound to RFC1918 space should be denied; in practice this will
cover most VPNs as well. tun devices are also a good exclusion.
> - other computers in the LAN (deny)
I'm not sure I agree entirely; consider the case of printing to a network
printer or accessing a local DNS server. Blocking RFC1918 would of course
usually prohibit this as well.
--
- mdz
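The lockdown sketched in the thread (owner match on the guest uid, common client ports on the default route, RFC 1918 and tun devices denied), written out as an iptables-restore ruleset. This is an added example, not code from the thread or from Ubuntu; it assumes the account is named "guest" and that the ports listed are the ones to permit.

```shell
# Emit an iptables-restore(8) ruleset (to stdout) that confines outbound
# traffic of one local user. Assumptions: the account is called "guest"
# unless another name is passed as $1, and DNS goes to port 53.
guest_lockdown_rules() {
    user=${1:-guest}
    cat <<EOF
*filter
:guest-out - [0:0]
# Every packet generated by the guest user is handed to the guest-out chain.
-A OUTPUT -m owner --uid-owner $user -j guest-out
# Loopback stays usable (local X server, caching resolver on 127.0.0.1).
-A guest-out -o lo -j ACCEPT
# Replies within already-accepted sessions; new flows must match below.
-A guest-out -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# No VPN tunnels: anything leaving through a tun device is refused.
-A guest-out -o tun+ -j REJECT --reject-with icmp-port-unreachable
# No LAN / private-address destinations; this also covers most VPN-internal
# networks. Note the ordering: a LAN resolver or printer would need an
# explicit ACCEPT placed above these lines.
-A guest-out -d 10.0.0.0/8 -j REJECT
-A guest-out -d 172.16.0.0/12 -j REJECT
-A guest-out -d 192.168.0.0/16 -j REJECT
-A guest-out -d 169.254.0.0/16 -j REJECT
# Permitted client protocols on the default route: DNS, HTTP(S), FTP, POP, IMAP.
-A guest-out -p udp --dport 53 -j ACCEPT
-A guest-out -p tcp -m multiport --dports 21,53,80,110,143,443,993,995 -j ACCEPT
# Everything else is logged and rejected (REJECT so applications fail fast).
-A guest-out -j LOG --log-prefix "guest-net-deny: " --log-level 4
-A guest-out -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Load without flushing existing rules (the chain is created on load):
#   guest_lockdown_rules guest | sudo iptables-restore -n
```

Denied flows show up in the kernel log with the "guest-net-deny:" prefix, which is the quickest way to see which legitimate service (a LAN printer, a local DNS server) the RFC 1918 rule is getting in the way of.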