Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 18 Dec 2000 17:56:27 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 18 Dec 2000 17:56:09 -0500 Received: from [203.36.158.121] ([203.36.158.121]:52998 "HELO kabuki.eyep.net") by vger.kernel.org with SMTP id ; Mon, 18 Dec 2000 17:55:52 -0500 To: Andreas Dilger cc: "Theodore Y. Ts'o" , Jamie Lokier , David Schwartz , Karel Kulhavy , linux-kernel@vger.kernel.org Subject: Re: /dev/random: really secure? In-Reply-To: Your message of "Mon, 18 Dec 2000 15:15:54 MDT." <200012182215.eBIMFsb14852@webber.adilger.net> In-Reply-To: <200012182215.eBIMFsb14852@webber.adilger.net> Date: Tue, 19 Dec 2000 20:27:44 +1100 From: Daniel Stone Message-Id: <20001218225557Z129525-439+4788@vger.kernel.org> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org > This would allow you to say "eth0 is my internal network and I'm not > trying to hack my own system, so use IP traffic on that interface to add > entropy to the pool, but not packets that are on port 6699/21/23 or reply > packets". It would probably just be a matter of adding a new flag to a > filter rule to say "use packets that match this rule for entropy", and > then it is up to the user to determine what is safe to use. The fact > that it is user configurable makes it even harder for a cracker to know > what affects the entropy pool. This isn't from the kernel, but works great in userspace: iptables -n RANDOM iptables -A INPUT -i eth0 -j RANDOM iptables -A RANDOM -p tcp --dport 6699 -j iptables -A RANDOM -p tcp --dport 21 -j iptables -A RANDOM -p tcp --dport 32 -j iptables -A RANDOM -m state --state ! NEW -j iptables -P RANDOM -j ULOG --ulog-nlgroup 32 This sends a message down netlink in ULOG format. ULOG is a userspace logging extension written by Harald Welte, but it's extensible like you wouldn't believe, so you could easily do some whacky stuff with it. Or just hook in to a Netfilter hook and do it all from kernel land. ULOG's homepage: http://www.gnumonks.org/gnumonks/projects/project_details?p_id=1 :) d - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/