Firewall - Very limited Access - suggestions
T. 'Nifty New Hat' Mitchell
mitch48 at sbcglobal.net
Wed Jun 9 20:39:33 UTC 2004
On Tue, Jun 01, 2004 at 09:07:59PM -0400, Kevin F. Berrien wrote:
> Date: Tue, 01 Jun 2004 21:07:59 -0400
> From: "Kevin F. Berrien" <kblists at comcast.net>
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> Subject: Re: Firewall - Very limited Access - suggestions
> Reply-To: For users of Fedora Core releases <fedora-list at redhat.com>
>
> Well, given the lack of "easy" options (which is probably a good
> thing), I'm going to have to build a script by hand. This way I'll
> understand it, and know it's RIGHT. Actually, I've been misstating my
> project as a bastion firewall, when I really meant a choke firewall.
> This will separate our WAN (with its own bastion) from the Police Dept
> LAN. SElinux sounds like a good idea, but I think I'll take smaller
> steps first.
SElinux is not as hard to turn on and work with as some will tell you.
The default policy is relaxed and provides a context to tighten,
restrict, restrain or isolate things. The hard part will be building
a local policy. If it gets in the way toggle to permissive mode
and the log messages will help discover what needs to be fixed.
In /etc/security/selinux/src/policy you will find about four hundred
files that address policy for most interesting functions in FC2.
Examples:
./file_contexts/program/rpm.fc
./domains/program/rpm.te
./file_contexts/program/qmail.fc
# lots more...
Once you have the default policy activated (permissive or enforcing)
there is a framework to begin working with. You can postpone working
on local policy extension for a long time and take advantage of simple
auditing. Start in permissive mode!
--
T o m M i t c h e l l
/dev/dull the destination for posts like this.
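The post above recommends running in permissive mode and letting the AVC log messages show what a local policy must cover. The script below is an added example, not part of the original message or of the Fedora policy sources: it takes syslog lines in the FC2-era kernel AVC format, summarizes each distinct (source domain, target type, class, permission) denial with a count, and emits a draft rule for each in the `allow` syntax used by the `.te` files in /etc/security/selinux/src/policy. The hostname `choke`, the pids, inodes and paths in the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials gathered in permissive mode
# and draft the corresponding .te allow rules for review.

# Constructed sample log lines in the FC2-era kernel AVC format; the last
# line is a non-AVC message to show that it is ignored.
SAMPLE_LOG='Jun  9 20:10:01 choke kernel: audit(1086811801.123:0): avc:  denied  { read } for  pid=2011 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=40971 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Jun  9 20:10:01 choke kernel: audit(1086811801.124:0): avc:  denied  { getattr } for  pid=2011 exe=/usr/sbin/httpd path=/home/kevin/public_html/index.html dev=hda2 ino=40971 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Jun  9 20:10:03 choke kernel: audit(1086811803.501:0): avc:  denied  { read } for  pid=2011 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=40971 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Jun  9 20:11:17 choke kernel: audit(1086811877.007:0): avc:  denied  { name_bind } for  pid=2044 exe=/usr/sbin/sshd src=2222 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun  9 20:12:00 choke kernel: unrelated message, not an AVC record'

# Read log lines on stdin; print one line per distinct denial:
#   <source domain> <target type> <object class> <permission> <count>
summarize_avc() {
  awk '
    /avc: +denied/ {
      # The denied permissions sit inside braces, e.g. { read getattr }.
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
      } else next
      sdom = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        # scontext=user:role:type -> keep the type (third field)
        if ($i ~ /^scontext=/) { split($i, a, ":"); sdom = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (p[j] != "") count[sdom " " ttype " " tclass " " p[j]]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Read log lines on stdin; print one draft .te rule per (domain, type, class),
# merging the permissions seen for that triple.
draft_te_rules() {
  summarize_avc | awk '
    {
      key = $1 " " $2 ":" $3
      perms[key] = perms[key] (perms[key] == "" ? "" : " ") $4
    }
    END { for (k in perms) print "allow " k " { " perms[k] " };" }
  ' | sort
}

# Stand-alone run over the constructed sample.
echo "== denials =="
printf '%s\n' "$SAMPLE_LOG" | summarize_avc
echo "== draft rules (review before adding to a local .te file) =="
printf '%s\n' "$SAMPLE_LOG" | draft_te_rules
```

Feed it the real log (`grep avc: /var/log/messages | draft_te_rules`) after a period in permissive mode. Each draft rule is only a lead: the httpd rule above, for example, says httpd was reading files labelled `user_home_t`, and the right fix may be relabelling those files via a `.fc` entry rather than granting httpd access to every home directory. On FC2 the mode is switched with `setenforce 0` (permissive) and `setenforce 1` (enforcing).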