From: Jason Opperisano
Subject: Re: Nice ZoneAlarm that might be useful for Iptables
Date: Tue, 31 May 2005 22:16:29 -0400
Message-ID: <20050601021629.GA6948@bender.817west.com>
References: <429BDF9F.7070707@mindspring.com> <20050531043310.GF3681@der-frank.org> <429D1994.8070809@linuxmail.org>
In-Reply-To: <429D1994.8070809@linuxmail.org>
To: netfilter@lists.netfilter.org
Sender: netfilter-bounces@lists.netfilter.org

On Wed, Jun 01, 2005 at 10:12:36AM +0800, Feizhou wrote:
> I disagree. We do not have to provide a ZoneAlarm clone. Its
> functionality of checking what processes can use the network, though,
> would be useful in providing mandatory controls on what processes get to
> talk to the outside world.
>
> Right now there is simply no such ability. Having this on, say, a server
> will prevent users from looking around the network if they have shell
> access, or from sending info/data out. Obviously only root should be able to
> see the list of process names allowed and the other conditions, like the uid
> and the ports the process is allowed to use.

http://www.nsa.gov/selinux/

The mere act of saying something on a public mailing list doesn't make it true.

-j

--
"Lois: What's going on?
 Stewie: We're playing house.
 Lois: The boy is all tied up.
 Stewie: Roman Polanski's house."
   --Family Guy
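The closest thing iptables itself offers to the control discussed above is the owner match (`-m owner --uid-owner` / `--gid-owner`), which keys on the local user or group that created the socket rather than on the executable; per-binary mandatory control is the SELinux domain model the reply points to. The script below is an added example, not code from the thread or from the netfilter project: it turns a small, constructed allowlist (the users `backup` and `www`, the hosts 10.0.0.5 and 10.0.0.53, and the chain name `EGRESS_POLICY` are all assumptions) into a default-deny OUTPUT ruleset in which root keeps full access, every other user gets only the flows listed, and everything else is rate-limited-logged and rejected. It only prints the rules unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example: per-user egress allowlist built on the iptables owner match.
# The policy table is constructed for this example, one allowed flow per line:
#   user  proto  dport  destination
# The owner match works only on locally generated traffic (OUTPUT/POSTROUTING),
# so this must run on the host itself, not on a gateway in front of it.
POLICY='
# user   proto dport destination
backup   tcp   22    10.0.0.5
www      tcp   443   0.0.0.0/0
www      udp   53    10.0.0.53
'

# Emit one ACCEPT rule per policy line (does not execute anything).
rules_from_policy() {
    printf '%s\n' "$POLICY" | while read -r user proto dport dst; do
        [ -z "$user" ] && continue          # skip blank lines
        case "$user" in "#"*) continue ;; esac   # skip comment lines
        printf 'iptables -A EGRESS_POLICY -m owner --uid-owner %s -p %s --dport %s -d %s -j ACCEPT\n' \
            "$user" "$proto" "$dport" "$dst"
    done
}

# Full ruleset: loopback and reply traffic pass, root is unrestricted,
# everyone else is checked against the policy chain and rejected otherwise.
egress_ruleset() {
    cat <<'EOF'
iptables -N EGRESS_POLICY
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -j EGRESS_POLICY
EOF
    rules_from_policy
    cat <<'EOF'
iptables -A EGRESS_POLICY -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
iptables -A EGRESS_POLICY -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Print the rules by default; apply them only when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    egress_ruleset | sh -e
else
    egress_ruleset
fi
```

Because only root can change the rules, a non-root shell user cannot widen their own allowlist, which gives the "only root sees and sets the conditions" property asked for in the quoted post; what it does not give is a per-executable check, since any program run as `www` inherits that user's allowed flows.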