Create new NetFilter table

Create new NetFilter table

[Victor Porton]

I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).

Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?

New table could be possibly be called:

- temp
- temporary
- auto
- automatic
- volatile
- daemon
- system
- sys

In iptables docs it should be said that this table should not be manipulated manually.

-- 
Victor Porton - http://portonvictor.org

Re: Create new NetFilter table

[Joshua Brindle]

Victor Porton wrote:
> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.

Is it possible that the solution to your sandboxing problem is seccomp 
filter?

http://outflux.net/teach-seccomp/

You'd filter out any syscall that can make outbound connections and then 
only pass already opened sockets to the sandboxed threads?

seccomp filter was actually created for sandboxing, so that user 
applications could voluntarily shed the ability to call certain syscalls 
before handling untrusted data.

Re: Create new NetFilter table

[Joshua Brindle]

Victor Porton wrote:
> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.

Is it possible that the solution to your sandboxing problem is seccomp 
filter?

http://outflux.net/teach-seccomp/

You'd filter out any syscall that can make outbound connections and then 
only pass already opened sockets to the sandboxed threads?

seccomp filter was actually created for sandboxing, so that user 
applications could voluntarily shed the ability to call certain syscalls 
before handling untrusted data.

Re: Create new NetFilter table

[Victor Porton]

10.01.2014, 21:39, "Joshua Brindle" <brindle@quarksecurity.com>:
> Victor Porton wrote:
>
>>  I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>>
>>  Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>>
>>  New table could be possibly be called:
>>
>>  - temp
>>  - temporary
>>  - auto
>>  - automatic
>>  - volatile
>>  - daemon
>>  - system
>>  - sys
>>
>>  In iptables docs it should be said that this table should not be manipulated manually.
>
> Is it possible that the solution to your sandboxing problem is seccomp
> filter?
>
> http://outflux.net/teach-seccomp/
>
> You'd filter out any syscall that can make outbound connections and then
> only pass already opened sockets to the sandboxed threads?
>
> seccomp filter was actually created for sandboxing, so that user
> applications could voluntarily shed the ability to call certain syscalls
> before handling untrusted data.

seccomp would not work for me, because I need network enabled sandboxes. Moreover we should be able to filter out certain subnets such as 127.0.0.0/255.0.0.0 (and others), This cleanly can't be done with seccomp.

-- 
Victor Porton - http://portonvictor.org

Re: Create new NetFilter table

[Victor Porton]

10.01.2014, 21:39, "Joshua Brindle" <brindle@quarksecurity.com>:
> Victor Porton wrote:
>
>>  I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>>
>>  Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>>
>>  New table could be possibly be called:
>>
>>  - temp
>>  - temporary
>>  - auto
>>  - automatic
>>  - volatile
>>  - daemon
>>  - system
>>  - sys
>>
>>  In iptables docs it should be said that this table should not be manipulated manually.
>
> Is it possible that the solution to your sandboxing problem is seccomp
> filter?
>
> http://outflux.net/teach-seccomp/
>
> You'd filter out any syscall that can make outbound connections and then
> only pass already opened sockets to the sandboxed threads?
>
> seccomp filter was actually created for sandboxing, so that user
> applications could voluntarily shed the ability to call certain syscalls
> before handling untrusted data.

seccomp would not work for me, because I need network enabled sandboxes. Moreover we should be able to filter out certain subnets such as 127.0.0.0/255.0.0.0 (and others), This cleanly can't be done with seccomp.

-- 
Victor Porton - http://portonvictor.org

Re: Create new NetFilter table

[David Lang]

On Fri, 10 Jan 2014, Victor Porton wrote:

> I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>
> New table could be possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be manipulated manually.

I would disagree with this idea.

If you make one special table, why would you not want others?

You would then need to define all the conditions where this table is used 
instead of, or in addition to, the existing tables.

Yes admins can shoot themselves in the foot with iptables, and any admin who 
flushes rules without understanding what is affected will probably be causing 
significant problems anyway.

Rather than doing this, have the tools that are programmatically creating rules 
also maintain a file that can be used to recreate all those rules. Then the 
Admins or init scripts can recreate things easily.

David Lang

Re: Create new NetFilter table

[Luis Ressel]

[-- Attachment #1: Type: text/plain, Size: 1646 bytes --]

On Fri, 10 Jan 2014 21:25:47 +0200
Victor Porton <porton@narod.ru> wrote:

> I propose to create a new NetFilter table dedicated to rules created
> programmatically (not by explicit admin's iptables command).
> 
> Otherwise an admin could be tempted to say `iptables -F security`
> which would probably break rules created for example by sandboxing
> software (which may follow same-origin policy to restrict one
> particular program to certain domain and port only). Note that in
> this case `iptables -F security` is a security risk (sandbox
> breaking)?
> 
> New table could be possibly be called:
> 
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
> 
> In iptables docs it should be said that this table should not be
> manipulated manually.
> 

Just like the last thread, this one is also completely unrelated to
SELinux. And it doesn't make sense anyway. Only the admin can
manipulate netfilter rules, so he'll know if the can flush them or not.
If you want to separate automatically-created rules (which is a good
idea), just put them in a separate *chain*, not a separate *table*.
Side note: Even assuming creating such a table would make any sense,
one wouldn't suffice, you'd have to create five of them.

And if you're still prefer to create new kernel interfaces for your
specific requirements instead of using the well thought-out and much
more flexible preexisting ones -- nobody keeps you from patching your
kernel, just don't try to upstream them.


-- 
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 966 bytes --]