[tech] flame, moray's kernel and transparent proxying
Ian McKellar
yakk at yakk.net.au
Thu Sep 16 14:59:18 WST 1999
On Thu, Sep 16, 1999 at 02:37:40PM +0800, Duncan Sargeant wrote:
>
> Redirection is a hack for cracks; you use redirection to get around
> firewalls.
>
> It would be much cleaner if you just bound the services to their
> correct ports on /flame/'s address. rlinetd lets you do this with the
> interfaces command.
>
It may be a hack, but it's a more elegant hack than hacking MudOS to bind to
a particular IP, and:
* running MudOS as root
or
* hacking the kernel to allow non-root to bind to low ports
Running MudOS as root would be an unacceptable security risk, and I feel
that enabling a kernel compile time option is less of a hack than writing
a kernel source hack to violate one of the most basic premises of the Unix
security model. It would allow someone who got clever enough to get access
to the socket stuff in flame to have effectively superuser access to stuff
like dispense (which trusts connections based on source port).
Doing it at the firewall level is the most elegant way I've come up with
(and I've been thinking about this on and off for a couple of years).
Ian
--
Ian McKellar | Email: yakk(a)yakk.net | Web: http://www.yakk.net/
Prefix: +61 8 | Fax/VoiceMail: 9265 0821 | Home: 9389 9162 | Work: 9380 3688