On Friday 01 April 2005 18:44, Jim Carter wrote:
> On Fri, 1 Apr 2005, Krisztian PIFKO wrote:
> > > What's the best way to enable iptables on a guest machine?
> >
> > the same like everywhere: have iptables support in the kernel and
> > tune it with the userspace utilities.
>
> Or compile iptables and all the helper routines as modules, and install
> those modules inside the UML, making sure to get the ones that were
> compiled for the guest kernel, because the host kernel's modules won't work
> (unless you've turned off version idiotproofing and have a sufficiently
> close version match).  Iptables autoloads (most of) its modules according
> to the matches and actions you ask for, and this is a lot easier when
> you're tweaking your firewall configuration, than having to recompile the
> kernel to add forgotten modules or omit unwanted ones.
>
> A maximally paranoid sysop will disable module loading, but this gives only
> a small benefit in security, because having done a root exploit the hacker
> can write nefarious code into /dev/kmem, as easily as he can load an
> inimical module or install a hacked version of a userspace binary.
As easily? Hmm, I read that this is possible, not that it's easy (I didn't 
read the original article). Also the script they provide may need adapting.

Finally, there's a ton of patches (out-of-mainline sadly) which disable 
writing into /dev/kmem, which is a good thing to do (if one does not need to 
run a physical X11).
-- 
Paolo Giarrusso, aka Blaisorblade
Linux registered user n. 292729
http://www.user-mode-linux.org/~blaisorblade
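Added example, not from the thread above and not part of UML or iptables: a small POSIX sh helper for the module-staging step Jim describes. Given an iptables-save style ruleset it lists the netfilter modules the userspace tools will ask the guest kernel to autoload (so they can be copied from the guest kernel's build tree), and it checks that the staged module tree was built for the guest's `uname -r`, not the host's. It assumes the 2.6-era ipt_<match>/ipt_<TARGET> naming (later kernels use xt_*), only recognises the short `-m`/`-j` option forms, and treats ACCEPT/DROP/RETURN/QUEUE and the tcp/udp/icmp protocol matches as built into ip_tables; the sample ruleset is constructed.

```sh
#!/bin/sh
# Added example (not the list's or the project's own code).
# Module naming assumed: 2.6-era ipt_<match> / ipt_<TARGET>; newer kernels
# register most of these as xt_<name> instead.

# Read iptables-save output on stdin; print, one per line, the modules the
# iptables userspace will trigger the kernel to request_module() for:
#   *<table>            -> iptable_<table>
#   -m <match>          -> ipt_<match>
#   -j <TARGET>         -> ipt_<TARGET>, unless the target is built in
# Dependencies such as ip_conntrack for ipt_state are left to depmod/modprobe
# inside the guest, so run `depmod -a` there after copying the tree.
needed_modules() {
    awk '
    BEGIN { print "ip_tables" }                 # always needed
    /^\*/ { print "iptable_" substr($0, 2) }   # *filter, *nat, *mangle
    /^-A/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-m") print "ipt_" $(i + 1)
            if ($i == "-j") {
                t = $(i + 1)
                if (t != "ACCEPT" && t != "DROP" && t != "RETURN" && t != "QUEUE")
                    print "ipt_" t
            }
        }
    }
    ' | LC_ALL=C sort -u
}

# Verify that a staged module tree matches the guest kernel release string
# (the output of `uname -r` inside the UML).  Modules from the host kernel
# live under a different release and will not load in the guest.
#   $1 = guest kernel release, e.g. 2.6.11-uml   (assumed value)
#   $2 = staging root that will become the guest's /lib/modules
modules_match_kernel() {
    [ -d "$2/$1/kernel/net/ipv4/netfilter" ]
}

# Constructed sample ruleset, used when the script is run directly.
sample_rules() {
    printf '%s\n' \
        '*filter' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j LOG --log-prefix "uml-drop: "' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
        'COMMIT'
}

if [ "${0##*/}" = "uml-iptables-modules.sh" ]; then   # hypothetical script name
    echo "Modules to copy into the guest:"
    sample_rules | needed_modules
fi
```

Usage: `iptables-save | ./uml-iptables-modules.sh` style piping into `needed_modules` gives the copy list; `modules_match_kernel "$(uml-guest-uname-r)" /srv/uml/modules` before booting catches the host-versus-guest mix-up Jim warns about (both names are assumptions).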

_______________________________________________
User-mode-linux-user mailing list
User-mode-linux-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user