I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
New table could be possibly be called:
- temp
- temporary
- auto
- automatic
- volatile
- daemon
- system
- sys
In iptables docs it should be said that this table should not be manipulated manually.
--
Victor Porton - http://portonvictor.org
Victor Porton wrote:
> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.
Is it possible that the solution to your sandboxing problem is seccomp
filter?
http://outflux.net/teach-seccomp/
You'd filter out any syscall that can make outbound connections and then
only pass already opened sockets to the sandboxed threads?
seccomp filter was actually created for sandboxing, so that user
applications could voluntarily shed the ability to call certain syscalls
before handling untrusted data.
10.01.2014, 21:39, "Joshua Brindle" <[email protected]>:
> Victor Porton wrote:
>
>> ?I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>>
>> ?Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>>
>> ?New table could be possibly be called:
>>
>> ?- temp
>> ?- temporary
>> ?- auto
>> ?- automatic
>> ?- volatile
>> ?- daemon
>> ?- system
>> ?- sys
>>
>> ?In iptables docs it should be said that this table should not be manipulated manually.
>
> Is it possible that the solution to your sandboxing problem is seccomp
> filter?
>
> http://outflux.net/teach-seccomp/
>
> You'd filter out any syscall that can make outbound connections and then
> only pass already opened sockets to the sandboxed threads?
>
> seccomp filter was actually created for sandboxing, so that user
> applications could voluntarily shed the ability to call certain syscalls
> before handling untrusted data.
seccomp would not work for me, because I need network enabled sandboxes. Moreover we should be able to filter out certain subnets such as 127.0.0.0/255.0.0.0 (and others), This cleanly can't be done with seccomp.
--
Victor Porton - http://portonvictor.org
On Fri, 10 Jan 2014, Victor Porton wrote:
> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.
I would disagree with this idea.
If you make one special table, why would you not want others?
You would then need to define all the conditions where this table is used
instead of, or in addition to, the existing tables.
Yes admins can shoot themselves in the foot with iptables, and any admin who
flushes rules without understanding what is affected will probably be causing
significant problems anyway.
Rather than doing this, have the tools that are programmatically creating rules
also maintain a file that can be used to recreate all those rules. Then the
Admins or init scripts can recreate things easily.
David Lang