From: Phil Oester <kernel@linuxace.com>
To: Patrick McHardy <kaber@trash.net>
Cc: mouss <mouss@netoyen.net>,
"Jozsef Kadlecsik" <kadlec@blackhole.kfki.hu>,
"Micha³ Miros³aw" <mirq-linux@rere.qmqm.pl>,
"Netfilter Developer Mailing List"
<netfilter-devel@vger.kernel.org>,
"Stephen Hemminger" <shemminger@vyatta.com>
Subject: Re: [RFC] Allowing non-root to get iptables info?
Date: Wed, 27 Feb 2008 07:31:24 -0800 [thread overview]
Message-ID: <20080227153124.GA20024@linuxace.com> (raw)
In-Reply-To: <47C578E8.8040800@trash.net>
On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
> Well, yes, the main question is whether this causes privacy issues.
> "Security by obscurity" is a pretty poor argument, does anyone have
> a well founded reason for not allowing users to see the rules and
> counters?
I really don't think this is a good idea. We allow non-root users
on some of our firewalls, and I don't want them to see the ruleset.
Also, it helps miscreants to better pick their targets, if they
know in advance which ports are opened.
If making this change, *please* consider making it configurable,
with the default being NO access.
Phil
next prev parent reply other threads:[~2008-02-27 15:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080225094951.5bd89c9c@extreme>
2008-02-27 11:52 ` [RFC] Allowing non-root to get iptables info? Patrick McHardy
2008-02-27 12:31 ` Michał Mirosław
2008-02-27 12:43 ` Patrick McHardy
2008-02-27 12:59 ` Jozsef Kadlecsik
2008-02-27 13:04 ` Patrick McHardy
2008-02-27 14:39 ` mouss
2008-02-27 14:51 ` Patrick McHardy
2008-02-27 15:31 ` Phil Oester [this message]
2008-02-27 15:34 ` Patrick McHardy
2008-02-27 15:43 ` Phil Oester
2008-02-27 16:34 ` Stephen Hemminger
2008-02-27 16:53 ` Patrick McHardy
2008-02-27 17:48 ` mouss
2008-02-27 16:51 ` Jan Engelhardt
2008-02-27 12:18 ` Patrick McHardy
2008-02-28 9:18 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080227153124.GA20024@linuxace.com \
--to=kernel@linuxace.com \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=mirq-linux@rere.qmqm.pl \
--cc=mouss@netoyen.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=shemminger@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.