bittorrent in core? what frontend?
Sean
seanlkml at sympatico.ca
Sat Dec 17 20:22:35 UTC 2005
On Sat, December 17, 2005 3:12 pm, Callum Lerwick said:
> Actually, when you're talking about processes on the local machine,
> firewall rules are a totally hackish way of going about this.
>
> What you want to do, is have some kind of local ACL that says what
> processes and users can bind to what ports. This would solve a whole
> mess of security problems. (Look around, a great many server daemons
> have to be started as root, for the mere fact they want to bind to ports
> <1024.) Instead of firewalling, make the kernel disallow processes from
> even binding listen ports at all in the first place.
Yes, I believe ports are given a security context as well, although I
don't know how fine grained it is or if you still have to deal with
iptables rules in addition.
Sean
> I know back when I was playing with grsecurity years ago, it had a
> feature like this. It had group-based access control, you could set up a
> certain group and say "This group can not bind listen ports" and even
> "This group can't make outgoing connections" too. Or you could turn it
> around and say "Only this group can bind to ports" etc.
>
> It had some weird side effects though. IIRC various things wanted to
> bind to loopback...
More information about the fedora-devel-list
mailing list