GNU bug report logs -
#32465
Add iptables service
Hi,
It's not directly an answer to arun's patch (it is great), but I
recently came across firemason
(http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
https://github.com/BillHallahan/FireMason) and I thought we could
implement something similar. Basically, we declare a list of rules in
the iptables service, and we let other services extend that. A rule
would be a specification, independent of the order in which they are
specified. "Any packet that matches this rule must be rejected".
Of course, this means that we may have conflicting specifications, for
instance "any packet from this ip must be dropped" and "any packet
entering on this port must be accepted" are in conflict for packets
entering on this port from this ip address. All we need is a mechanism
to make these cases explicit (when a packet may be dropped or accepted at the
same time), such as "repair: packets from this ip on this port must be
dropped", so the service will effectively see these rules: "any packet
from this ip must be dropped" and "any packet entering on this port but
not this ip must be accepted", then translated to:
-A INPUT ! -s <ip> -p tcp --dport <port> -j ACCEPT
-A INPUT -s <ip> -j DROP
(see how they are independent from the order in which they are
declared?)
The hard part is to detect a conflict between two rules and give hints
to the user as to how to fix that.
Of course, we should provide a mechanism to load files as a fallback, in
which case additional rules from services should be ignored.
What do you think?
PS: Arun, in your patch for the manual you say: "This is the service
type to set up an iptables coniguration". This should be
"configuration".
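An added illustration of the idea in the message above, not code from the bug thread or from Guix: rules are declared as order-independent specifications on a source address and a TCP destination port, overlapping rules with different actions are reported as conflicts unless a "repair" rule decides the overlap, and the generated iptables lines are sorted by specificity instead of using negated matches, so declaration order never changes the result. The Rule fields, the repair flag and the sample addresses are constructed for this example.

```python
# Added example: order-independent firewall spec with conflict detection.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # None = any source address
    dport: Optional[int] = None  # None = any TCP destination port
    repair: bool = False         # True: explicitly decides an overlap

def intersection(a: Rule, b: Rule) -> Optional[Tuple[Optional[str], Optional[int]]]:
    """Match shared by a and b, or None when no packet matches both."""
    shared = []
    for fa, fb in ((a.src, b.src), (a.dport, b.dport)):
        if fa is not None and fb is not None and fa != fb:
            return None
        shared.append(fa if fa is not None else fb)
    return tuple(shared)

def conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Pairs of base rules that overlap with different actions and no repair."""
    base = [r for r in rules if not r.repair]
    repaired = {(r.src, r.dport) for r in rules if r.repair}
    found = []
    for i, a in enumerate(base):
        for b in base[i + 1:]:
            shared = intersection(a, b)
            if a.action != b.action and shared is not None and shared not in repaired:
                found.append((a, b))
    return found

def render(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Emit iptables lines, most specific first; refuse unresolved conflicts."""
    bad = conflicts(rules)
    if bad:
        a, b = bad[0]
        raise ValueError(f"conflict {a} vs {b}: add a repair rule for {intersection(a, b)}")
    def key(r: Rule):
        specificity = sum(v is not None for v in (r.src, r.dport))
        return (-specificity, not r.repair, str(r.src), str(r.dport), r.action)
    lines = []
    for r in sorted(rules, key=key):
        parts = [f"-A {chain}"]
        if r.src is not None:
            parts.append(f"-s {r.src}")
        if r.dport is not None:
            parts.append(f"-p tcp --dport {r.dport}")
        parts.append(f"-j {r.action}")
        lines.append(" ".join(parts))
    return lines
```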