grsecurity forums

Skip to content

Allowing connect to all except one IP?

Submit your RBAC policies or suggest policy improvements
Topic locked

Allowing connect to all except one IP?

Postby man4atl » Tue Jul 13, 2004 3:27 am

How do I ban a process to connect to a particular IP, that is, to allow it to connect to all IP excetp one. For example,
/usr/local/bin/RealPlayer
{
...
connect ! ads.real.com
connect ! update.real.com
}

Such syntax does not seem to work.

Thanks.

Sicerely,
Peter
man4atl
 
Posts: 2
Joined: Tue Jul 13, 2004 3:23 am
Top

Postby spender » Tue Jul 13, 2004 8:32 am

It's something I have planned to do after the grsecurity2 documentation is done.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby man4atl » Tue Jul 13, 2004 3:23 pm

Thanks. It would be very useful.
But more general, if ACLs can include iptables commands or something like that, to apply iptables rules on a process basis, it would be even more powerful.

Peter
man4atl
 
Posts: 2
Joined: Tue Jul 13, 2004 3:23 am
Top

Postby spender » Tue Jul 13, 2004 3:34 pm

There is already an iptables module that can do that. It's called "owner". You can select it in the default kernel's configuration.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top
Topic locked

Return to RBAC policy development

Powered by phpBB® Forum Software © phpBB Group