Comments on: lockdown and the di-semi-default route http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/ a lowercase manifesto Thu, 15 Oct 2009 09:25:50 +0000 http://wordpress.org/?v=2.8.6 hourly 1 By: Ilya http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-388 Ilya Mon, 01 Oct 2007 14:47:32 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-388 Regarding finding the route through which the VPN is reached, you should probably check what "ip route get 1.2.3.4" does and do the same. It might work just as you do, by manually evaluating the routing rules in userspace, but perhaps it does something smarter, taking the more-complex routing options into account. Regarding finding the route through which the VPN is reached, you should probably check what “ip route get 1.2.3.4″ does and do the same. It might work just as you do, by manually evaluating the routing rules in userspace, but perhaps it does something smarter, taking the more-complex routing options into account.

]]> By: M Welinder http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-386 M Welinder Mon, 01 Oct 2007 13:26:36 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-386 If you want to isolate a process, you also need to make sure it cannot attach as a debugger to any process outside the jail. If you want to isolate a process, you also need to make
sure it cannot attach as a debugger to any process
outside the jail.

]]> By: blah http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-384 blah Mon, 01 Oct 2007 12:15:21 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-384 desrt: Also, on systems like Debian you can set the metric for each interface explicitly by using the "metric" stanza in /etc/network/interfaces. And there is this nifty tool called "ifmetric" which modifies all current routes on a specific interface to a certain value. desrt: Also, on systems like Debian you can set the metric for each interface explicitly by using the “metric” stanza in /etc/network/interfaces.

And there is this nifty tool called “ifmetric” which modifies all current routes on a specific interface to a certain value.

]]> By: blah http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-383 blah Mon, 01 Oct 2007 12:13:25 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-383 desrt: On Linux routing metrics can be negative! desrt: On Linux routing metrics can be negative!

]]> By: Stef Walter http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-377 Stef Walter Mon, 01 Oct 2007 05:52:45 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-377 di-semi-default route I never thought of that. Learned something handy today. di-semi-default route I never thought of that. Learned something handy today.

]]> By: desrt http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-374 desrt Mon, 01 Oct 2007 00:32:08 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-374 blah: the problem with using route metrics is that in almost every case ever the default route already has metric 0 :( blah: the problem with using route metrics is that in almost every case ever the default route already has metric 0 :(

]]> By: blah http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-373 blah Mon, 01 Oct 2007 00:27:45 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-373 Dude, that routing stuff you are suggesting is pure crack! Use route metrics for this! That way you may have multiple default routes, and can specify which one is the higher priority one. It's easy-to-use and actually invinted for cases like this one. Dude, that routing stuff you are suggesting is pure crack!

Use route metrics for this! That way you may have multiple default routes, and can specify which one is the higher priority one. It’s easy-to-use and actually invinted for cases like this one.

]]> By: blah http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-372 blah Mon, 01 Oct 2007 00:24:13 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-372 You might also want to set setrlimit(RLIMIT_FSIZE) to 0. That way, a process can no longer create any files on disk anymore. Also, consider setting RLIMIT_NOFILE to your highest fd+1. That way, the process may not create any further file descriptors. Just paranoia, though. You might also want to set setrlimit(RLIMIT_FSIZE) to 0. That way, a process can no longer create any files on disk anymore.

Also, consider setting RLIMIT_NOFILE to your highest fd+1. That way, the process may not create any further file descriptors.

Just paranoia, though.

]]> By: Matthew W. S. Bell http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-371 Matthew W. S. Bell Sun, 30 Sep 2007 23:31:14 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-371 This feels like badness to me This feels like badness to me

]]> By: desrt http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/comment-page-1/#comment-370 desrt Sun, 30 Sep 2007 21:51:11 +0000 http://blogs.gnome.org/desrt/2007/09/30/lockdown-and-the-di-semi-default-route/#comment-370 craig: i didn't consider this problem. i think the only reasonable thing to do here is to query the route table to see what route will match the ip of the vpn server. if it is the default route, then add another rule -- if not, then do nothing. thanks for the note. i was so excited about the other part that i didn't give this part due consideration. i now have something to think about :) craig: i didn’t consider this problem.

i think the only reasonable thing to do here is to query the route table to see what route will match the ip of the vpn server. if it is the default route, then add another rule — if not, then do nothing.

thanks for the note. i was so excited about the other part that i didn’t give this part due consideration. i now have something to think about :)

]]>