iptables / output *drop* policy
Suppose your iptables script starts with something like the following:
Code:
iptables -P OUTPUT DROP
Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work. Apply this for all protocols. Again, would this be dangerous (sabotaging your system)?
Quote:
For everything else, make a list of services you want to access out of the box, where, and under what circumstances... allow those. You'll soon know if you missed one.
Quote:
It's usually only a concern if you know an application has a specific exploit that you would like to avoid. I understand you can use the --cmd-owner option to allow connections based on the launching process. There is a highly entertaining and interesting discussion on outbound policies here: http://ubuntuforums.org/showthread.php?t=131616&page=4
Yeah, starting with a DROP policy for OUTPUT is quite healthy. There are no "gotchas" at all. You basically make ACCEPT rules for the stuff you want to allow and that's it. Of course, if it's the first time you take this approach then most likely you'll have to look at your log file a couple of times to figure out why something isn't working.
As for the question about making rules for certain binaries, I think the --cmd-owner parameter for the owner module does this, but I've never used it so I'm not sure. From "man iptables" on Ubuntu 7.10:
Code:
--cmd-owner name
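An added example (my own script, not one posted in this thread) of the approach the reply above describes: a default DROP policy on OUTPUT, explicit ACCEPT rules for the services you use, and a rate-limited LOG rule so the log file tells you what you forgot. The resolver address and the IRC user's uid are placeholders; the IRC rule uses `--uid-owner` because the owner match in current kernels no longer provides `--cmd-owner`, so restricting by user (not by binary) is what is actually available.

```shell
#!/bin/sh
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"

# Assumed placeholder values: your resolver and the uid allowed to IRC.
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
IRC_UID="${IRC_UID:-1000}"

apply_output_policy() {
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP

    # Loopback must stay open or local daemons (X, cups, mail) break first.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections that were already accepted.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS, but only to the configured resolver.
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT

    # Services used "out of the box" (ssh, http, https) for any local user.
    for port in 22 80 443; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # IRC only for one user; --uid-owner is the owner-match option that
    # still exists, so this is per-user rather than per-binary.
    $IPT -A OUTPUT -p tcp --dport 6667 -m owner --uid-owner "$IRC_UID" -j ACCEPT

    # Log (rate-limited) and drop everything else. This log line is what
    # you read to find the service you forgot to allow.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
    $IPT -A OUTPUT -j DROP
}

# Number of OUTPUT rules the function installs (useful in the dry run).
count_rules() {
    apply_output_policy | grep -c -- '-A OUTPUT'
}

apply_output_policy
```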
Thanks for the replies, guys. Well, I was thinking restricting certain connections to specific originating binaries could help against *some* connect-back shellcode?