On Fri, 1 Apr 2005, Krisztian PIFKO wrote:
> > What's the best way to enable iptables on a guest machine?
> The same as everywhere: have iptables support in the kernel and
> tune it with the userspace utilities.

Or compile iptables and all the helper routines as modules, and install those modules inside the UML, making sure to get the ones that were compiled for the guest kernel, because the host kernel's modules won't work (unless you've turned off version idiotproofing and have a sufficiently close version match). Iptables autoloads (most of) its modules according to the matches and actions you ask for, and this is a lot easier when you're tweaking your firewall configuration than having to recompile the kernel to add forgotten modules or omit unwanted ones.

A maximally paranoid sysop will disable module loading, but this gives only a small benefit in security, because having done a root exploit the hacker can write nefarious code into /dev/kmem as easily as he can load an inimical module or install a hacked version of a userspace binary.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: [EMAIL PROTECTED]  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
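A check for the "compiled for the guest kernel" point above, as an added example that is not part of the original mail: before copying netfilter modules into a UML guest, compare each module's vermagic release field against the guest's kernel release, so host-built modules are caught instead of failing at load time. It assumes `modinfo` is available and that the module tree is laid out under a directory you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread. Verifies that .ko files meant
# for a UML guest were built for the guest kernel release (e.g. "$(uname -r)"
# run inside the guest), which is what the mail above warns about.

# vermagic_matches RELEASE VERMAGIC
# The first whitespace-separated field of a module's vermagic string is the
# kernel release it was built against; return 0 if it equals RELEASE.
vermagic_matches() {
    release=$1
    vermagic=$2
    modrel=${vermagic%% *}
    [ -n "$modrel" ] && [ "$modrel" = "$release" ]
}

# check_modules RELEASE MODULE_DIR
# Runs modinfo over every .ko under MODULE_DIR and reports any module whose
# vermagic does not match RELEASE. Returns non-zero if any mismatch or any
# unreadable module was found, so it can gate an install step.
check_modules() {
    release=$1
    dir=$2
    bad=0
    for ko in $(find "$dir" -name '*.ko' 2>/dev/null); do
        vm=$(modinfo -F vermagic "$ko" 2>/dev/null) || {
            echo "unreadable or not a module: $ko"
            bad=1
            continue
        }
        if ! vermagic_matches "$release" "$vm"; then
            echo "mismatch: $ko built for '${vm%% *}', guest is '$release'"
            bad=1
        fi
    done
    return $bad
}

# Typical use inside the guest, with the candidate modules staged in /tmp/mods
# (constructed path): check_modules "$(uname -r)" /tmp/mods && echo "all modules match"
```

A module that passes this check can still fail to load on a guest built with different config options, so treat it as a first filter, not proof of compatibility.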