From: "Henning P. Schmiedehausen" <mailgate@mail.hometree.net>
To: linux-kernel@vger.kernel.org
Subject: Re: IP Acounting Idea for 2.5
Date: Fri, 20 Apr 2001 21:00:45 +0000 (UTC)
Message-ID: <9bq81t$9ct$1@forge.intermeta.de>
In-Reply-To: <Pine.LNX.4.33.0104152039130.1616-100000@asdf.capslock.lan> <01041708461209.00352@workshop> <20010416020732.30431.qmail@logi.cc> <20010416224321.O16697@corellia.laforge.distro.conectiva> <9bgpfa$329$1@forge.intermeta.de> <20010420131719.A2461@tatooine.laforge.distro.conectiva>
Harald Welte <laforge@gnumonks.org> writes:
>On Tue, Apr 17, 2001 at 06:56:42AM +0000, Henning P. Schmiedehausen wrote:
>>
>> Resettable counters in a security sensitive environment are just a
>> call for trouble. That's why you can't reset the SNMP counters on any
>> Cisco device I've encountered today. They learned their lesson. Maybe
>> you will, too.
>Well, I'm not sure about which SNTP counters you are talking, but I suppose
>it is not about per-filtering-rule counters, but something like per-interface
>counters, etc.
You don't want your counters going backward. Full stop. If a program
can reset your counter, your application will never know whether it was
a legal, correct, valid reason or just a hacker trying to hide his
traces. At least provide some sort of lock-down.
>There's always a way for somebody with root access to reset the counters of
>a rule:
>just delete and re-insert the rule.
Bad thing. If you want to use the rules in a security sensitive
environment, don't allow removal. If you need to, reset the whole
module and notify the user. Better, shut down the filter and yell for
help.
ipfilter is about security, isn't it?
>If somebody wants to reset the counter, he can. If we remove the functionality
>from iptables, people still can - but it's more difficult.
There is no "more difficult", just "different ways". If you bother to
use a filtering environment where the filter counters tell e.g. "we
rejected xxx attacks", you don't want anyone to mess with these
counters. If this is a counter for a filtering rule, don't allow the
rule (and its counters) to be removed. Inactivate the rule but keep
the evidence (counter settings) around till module removal or reboot.
Sorry, I may be anal about security but as more and more people start
thinking "why should I bother with FW-1 or PIX when I can get a $99
Linux box and hack some filters", at least I want the $99 software
trying not to be sloppy about security.
Regards
Henning
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de
Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de
D-91054 Buckenhof Fax.: 09131 / 50654-20
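The design argued for above (counters that never go backwards, a "delete" that only deactivates the rule, evidence kept until the whole table is torn down, and a way for a reader to notice any regression), as an added C illustration that is not code from this thread or from netfilter/iptables; the table layout and the fw_* function names are assumptions made here:

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration, not code from netfilter/iptables or from this thread:
 * per-rule packet counters that only grow; "removing" a rule merely
 * deactivates it, and a snapshot comparison detects any counter regression. */

#define MAX_RULES 8

struct fw_rule {
    int id;
    bool active;    /* inactive rules stop matching but keep their counter */
    uint64_t pkts;  /* only ever incremented; there is no per-rule reset */
};

struct fw_table {
    struct fw_rule rules[MAX_RULES];
    int nrules;     /* slots are never reused while the table lives */
};

/* Insert a rule; returns its slot index, or -1 when the table is full. */
int fw_add_rule(struct fw_table *t, int id) {
    if (t->nrules >= MAX_RULES) return -1;
    t->rules[t->nrules] = (struct fw_rule){ .id = id, .active = true };
    return t->nrules++;
}

/* Account one packet to slot idx; false if the slot is invalid or inactive. */
bool fw_account(struct fw_table *t, int idx) {
    if (idx < 0 || idx >= t->nrules || !t->rules[idx].active) return false;
    t->rules[idx].pkts++;
    return true;
}

/* "Delete" only deactivates: the slot and its counter stay around. A
 * re-inserted rule gets a fresh slot, so the old evidence is not overwritten. */
bool fw_remove_rule(struct fw_table *t, int idx) {
    if (idx < 0 || idx >= t->nrules) return false;
    t->rules[idx].active = false;
    return true;
}

/* Compare a later snapshot with an earlier one: returns the first slot whose
 * counter went backwards or vanished, or -1 if everything is monotonic. */
int fw_check_monotonic(const struct fw_table *before, const struct fw_table *after) {
    if (after->nrules < before->nrules) return after->nrules;
    for (int i = 0; i < before->nrules; i++)
        if (after->rules[i].pkts < before->rules[i].pkts) return i;
    return -1;
}
```

The only way a counter here reaches zero again is to discard the whole table, which is the point where the thread wants the user notified.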