Saturday, January 31, 2009

Re: my debian does not read my own iptables script

On Sat, Jan 31, 2009 at 02:41:47AM +0100, Ansgar Wiechers wrote:
> I also strongly recommend running a custom
> (stripped-down) kernel.

Can you please explain why? As the distribution kernels are heavy
modularized you won't get much less kernel code, which is one attack
vector. The second one is also unchanged, priviledged userspace access
and kernel code injection via /dev/mem or are a changed kernel binary.

On the other side you loose any security support for this.

> Second problem. Don't set policies to ACCEPT without a good reason.

This applies to the filter chains only. Don't set it on the nat or
mangle tables.

Bastian

--
First study the enemy. Seek weakness.
-- Romulan Commander, "Balance of Terror", stardate 1709.2


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment