Firewall Wizards mailing list archives
Re: DNS on the Firewall - security problem
From: Aleph One <aleph1 () dfw net>
Date: Sun, 12 Oct 1997 14:48:59 -0500 (CDT)
On Sun, 12 Oct 1997, Darren Reed wrote:
> You might want to have a look around for implementations already available which do this. I'm pretty sure this has been done by a few people already, once for Linux and once for FreeBSD. Of course neither solution is what I'd call elegant (at this stage), but nor is there anything (that I know of) resembling a POSIX standard which defines how it should be done.

Actually there is, POSIX.1e. The particular capability that allows a process to bind to ports under 1024 is CAP_NET_BIND_SERVICE. You can find a reference implementation of POSIX capabilities at http://parc.power.net/morgan/Orange-Linux/linux-privs/

For those not familiar with it, POSIX.1e is an attempt at standardizing Capabilities (which used to be called Privileges), Labels, MACs, Auditing, and ACLs. The work under Linux so far has included working capabilities and some inroads into auditing. Remy Card also claims to have a working ext2fs with ACLs, but he always seems to fall off the face of the earth.

> Darren
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
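The following is an added example, not code from the thread or from the linux-privs patch Aleph One points to. It shows the idea behind CAP_NET_BIND_SERVICE on a modern Linux kernel: a DNS-style listener that starts as root, switches to an unprivileged uid while keeping only CAP_NET_BIND_SERVICE in its permitted and effective sets (via prctl(PR_SET_KEEPCAPS) and the raw capset syscall, so no libcap dependency), then binds UDP port 53 as that uid. The uid/gid 65534 ("nobody") is a placeholder assumption, and the helpers that parse the CapEff line from /proc/self/status let you confirm, from inside the process, that nothing beyond the single capability survived the drop.

```c
/* Added example (not from the mailing-list post): bind UDP 53 as an
 * unprivileged uid holding only CAP_NET_BIND_SERVICE.
 * Assumptions: Linux, started as root to demonstrate the privilege drop,
 * uid/gid 65534 used as a placeholder for an unprivileged account. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#endif
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10   /* bit index used by the Linux kernel */
#endif

/* Parse a "CapEff:\t0000000000000400" line from /proc/<pid>/status into a bitmask. */
int parse_cap_line(const char *line, unsigned long long *mask) {
    const char *p = strchr(line, ':');
    if (!p) return -1;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno || end == p) return -1;
    *mask = v;
    return 0;
}

/* Does the mask contain the capability at all? */
int mask_has(unsigned long long mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* Does the mask contain that capability and nothing else? This is the
 * post-drop state we want for a daemon that only needs a low port. */
int mask_is_exactly(unsigned long long mask, int cap) {
    return mask == (1ULL << cap);
}

/* Read the effective capability set of the calling process; -1 without /proc. */
int read_effective_caps(unsigned long long *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) { rc = parse_cap_line(line, mask); break; }
    }
    fclose(f);
    return rc;
}

#ifdef __linux__
/* Drop from uid 0 to `uid`, keeping only CAP_NET_BIND_SERVICE. Must start as root. */
int drop_to_bind_only(uid_t uid, gid_t gid) {
    /* Without KEEPCAPS, setuid() away from root clears the permitted set too. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* setuid() cleared the effective set; reinstate exactly one capability. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = 1u << CAP_NET_BIND_SERVICE;
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}
#endif

/* Bind a UDP socket on loopback; returns the fd or -1. */
int bind_udp(uint16_t port) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0) { close(s); return -1; }
    return s;
}

int main(void) {
#ifdef __linux__
    if (getuid() != 0) { fprintf(stderr, "start as root to demonstrate the drop\n"); return 1; }
    if (drop_to_bind_only(65534, 65534) < 0) { perror("drop_to_bind_only"); return 1; }
#endif
    unsigned long long eff = 0;
    if (read_effective_caps(&eff) == 0)
        printf("uid=%u CapEff=%016llx only_bind_service=%d\n", (unsigned)getuid(), eff,
               mask_is_exactly(eff, CAP_NET_BIND_SERVICE));
    int s = bind_udp(53);   /* succeeds without uid 0 because of the retained capability */
    if (s < 0) { perror("bind 53"); return 1; }
    printf("bound UDP 53 as uid %u\n", (unsigned)getuid());
    close(s);
    return 0;
}
```

Run it as root (`sudo ./bindcap`); the CapEff line it prints should be 0000000000000400, i.e. bit 10 alone, and the bind to 53 still succeeds even though the uid is no longer 0. On a system with libcap the same end state can be reached without any code change to the daemon via `setcap cap_net_bind_service=+ep /path/to/named`, which is the usual production route; the program above just makes the mechanism visible.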
Current thread:
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 10)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Darren Reed (Oct 12)
- Re: DNS on the Firewall - security problem Perry E. Metzger (Oct 12)
- Re: DNS on the Firewall - security problem Aleph One (Oct 12)
- Re: DNS on the Firewall - security problem Gaddy Gumbao (Oct 13)
- Re: DNS on the Firewall - security problem Bernd Eckenfels (Oct 19)
- Re: DNS on the Firewall - security problem Adam Shostack (Oct 12)
- Re: DNS on the Firewall - security problem Alfred Huger (Oct 10)