Firewall - Very limited Access - suggestions

T. 'Nifty New Hat' Mitchell mitch48 at sbcglobal.net
Wed Jun 9 20:39:33 UTC 2004


On Tue, Jun 01, 2004 at 09:07:59PM -0400, Kevin F. Berrien wrote:
> Date: Tue, 01 Jun 2004 21:07:59 -0400
> From: "Kevin F. Berrien" <kblists at comcast.net>
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> Subject: Re: Firewall - Very limited Access - suggestions
> Reply-To: For users of Fedora Core releases <fedora-list at redhat.com>
> 
> Well, given the lack of "easy" options (which is probably a good 
> thing), I'm going to have to build a script by hand.  This way I'll 
> understand it, and know it's RIGHT.  Actually, I've been misstating my 
> project as a bastion firewall, when I really meant a choke firewall.  
> This will separate our WAN (with its own bastion) from the Police Dept 
> LAN.  SElinux sounds like a good idea, but I think I'll take smaller 
> steps first.

SElinux is not as hard to turn on and work with as some will tell you.

The default policy is relaxed and provides a context to tighten,
restrict, restrain or isolate things.  The hard part will be building
a local policy.  If it gets in the way, toggle to permissive mode
and the log messages will help discover what needs to be fixed.

In /etc/security/selinux/src/policy you will find about four hundred
files that address policy for most interesting functions in FC2.
Examples:
   ./file_contexts/program/rpm.fc
   ./domains/program/rpm.te
   ./file_contexts/program/qmail.fc
   # lots more...

Once you have the default policy activated (permissive or enforcing)
there is a framework to begin working with.  You can postpone working
on local policy extension for a long time and take advantage of simple
auditing.  Start in permissive mode!


-- 
	T o m  M i t c h e l l 
	/dev/dull the destination for posts like this.
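The post recommends running in permissive mode and letting the log messages show what needs fixing. As an added example (not from the post or the Fedora project), a small POSIX shell script that condenses FC2-era AVC denial lines, as they appeared in /var/log/messages, into a count per (source context, target context, object class, permission); the sample log lines, hostnames and contexts are constructed placeholders.

```shell
# Constructed sample of /var/log/messages lines; contexts/paths are placeholders.
sample_log() {
  cat <<'EOF'
Jun  9 20:39:33 host kernel: audit(1086813573.101:0): avc:  denied  { read } for  pid=2211 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jun  9 20:39:34 host kernel: audit(1086813574.220:0): avc:  denied  { read } for  pid=2212 exe=/usr/sbin/httpd name=page2.html dev=hda2 ino=4712 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jun  9 20:39:40 host kernel: audit(1086813580.005:0): avc:  denied  { name_bind } for  pid=2300 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun  9 20:39:41 host sshd[2300]: Accepted publickey for tom from 192.0.2.10
EOF
}

# Print "COUNT scontext tcontext tclass perms" for each distinct denial,
# most frequent first. In permissive mode this is the worklist of what the
# local policy must either allow or what needs relabelling/fixing.
summarize_avc() {
  grep -E 'avc: +denied' "$1" | awk '{
    perm = ""; sc = ""; tc = ""; cls = "";
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {
        # permissions are listed between { and }, possibly several
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = (perm == "" ? $j : perm "," $j)
      }
      else if ($i ~ /^scontext=/) sc  = substr($i, 10)
      else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
      else if ($i ~ /^tclass=/)   cls = substr($i, 8)
    }
    if (perm != "") print sc, tc, cls, perm
  }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4, $5 }'
}
```

Run `summarize_avc /var/log/messages` on a permissive-mode box; each output line corresponds to one rule a local policy would need, or one mislabelled file to fix.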