From mboxrd@z Thu Jan 1 00:00:00 1970
From: Feizhou
Subject: Re: Nice ZoneAlarm that might be useful for Iptables
Date: Wed, 01 Jun 2005 10:37:01 +0800
Message-ID: <429D1F4D.9000408@linuxmail.org>
References: <429BDF9F.7070707@mindspring.com> <20050531043310.GF3681@der-frank.org> <429D1994.8070809@linuxmail.org> <20050601021629.GA6948@bender.817west.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
In-Reply-To: <20050601021629.GA6948@bender.817west.com>
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Netfilter

Jason Opperisano wrote:
> On Wed, Jun 01, 2005 at 10:12:36AM +0800, Feizhou wrote:
>
>>I disagree. We do not have to provide a Zone Alarm clone. Its
>>functionality of checking what processes can use the network though
>>would be useful in providing mandatory controls on what processes get to
>>talk to the outside world.
>>
>>Right now there is simply no such ability. Having this on say a server
>>will prevent users from looking around the network if they have shell
>>access or sending info/data out. Obviously only root should be able to
>>see the list of process names allowed and the other conditions like uid
>>and ports allowed to use by the process.
>
>
> http://www.nsa.gov/selinux/
>
> the mere act of saying something on a public mailing list doesn't make
> it true.
>

:) I stand corrected.