[rsbac] Re: How to limit network access

Thomas Mueller news-exp-jun04 at tmueller.com
Tue Apr 20 15:13:37 CEST 2004


On Mon, 19 Apr 2004 19:40:14 +0200 Amon Ott wrote:

>> > Whatever tcp6 is. This is a default Debian Sarge installation with 
>> > kernel 2.6.4 and RSBAC 1.2.3pre4.
>> 
>> TCP6 is IPV6. At first glance, it looks like you restrict access for IPV4,
>> but not for IPV6. Unless you do need IPV6, you should probably remove it
>> from the kernel configuration.
> 
> IPv6 / TCP6 ports are not yet supported, because noone ever asked for it. 
> Unless you really need IPv6, just turn it off in your kernel config.

I've recompiled the kernel, CONFIG_IPV6 is not set:
~# grep IPV6 /boot/config-2.6.4-586
# CONFIG_IPV6 is not set

I've removed the httpv6 template and get when I start Apache now:
Apr 20 15:05:47 geht-schon kernel: rsbac_adf_request(): request BIND, pid
9244, ppid 9242, prog_name apache2, uid 0, target_type NETOBJ, tid
c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC

Several seconds after a http access:
Apr 20 15:09:42 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9248, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125680 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC
Apr 20 15:09:43 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9247, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC

Apache can still bind to port 443:
~# netstat -l -p |grep apache
tcp6       0      0 *:www       *:*      LISTEN     400/apache2
tcp6       0      0 *:https     *:*      LISTEN     400/apache2


Thomas
-- 
http://www.tmueller.com for pgp key (95702B3B)
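As an added example (not part of the thread or of RSBAC itself), a small parser for the rsbac_adf_request() lines quoted above, tallying denied requests by program, address family and request type so that INET6 decisions, which the IPv4 templates do not cover, stand out. The sample lines are the mail's own log lines re-joined onto single lines; the field regex is generalised from them and is an assumption about the log layout.

```python
import re
from collections import Counter

# Constructed sample: the rsbac_adf_request() lines quoted in the mail above,
# re-joined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
Apr 20 15:05:47 geht-schon kernel: rsbac_adf_request(): request BIND, pid 9244, ppid 9242, prog_name apache2, uid 0, target_type NETOBJ, tid c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 20 15:09:42 geht-schon kernel: rsbac_adf_request(): request NET_SHUTDOWN, pid 9248, ppid 9245, prog_name apache2, uid 33, target_type NETOBJ, tid c2125680 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 20 15:09:43 geht-schon kernel: rsbac_adf_request(): request NET_SHUTDOWN, pid 9247, ppid 9245, prog_name apache2, uid 33, target_type NETOBJ, tid c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
"""

# Field layout as it appears in the quoted lines. The optional
# "<family> <socket type>" part after tid is an assumption generalised
# from the "INET6 STREAM" examples; other target types omit it.
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<ttype>\w+), tid (?P<tid>\S+)(?: (?P<family>INET6?|UNIX) "
    r"(?P<stype>\w+))?, attr (?P<attr>\S+), value (?P<value>\S+), "
    r"result (?P<result>\w+) by (?P<modules>.+)$"
)

def parse_adf_lines(text):
    """Parse every rsbac_adf_request() line into a dict; skip other lines."""
    events = []
    for line in text.splitlines():
        m = ADF_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def denied_by_family(events, result="NOT_GRANTED"):
    """Count requests with the given result per (prog_name, family, request)."""
    return Counter(
        (e["prog"], e["family"], e["request"])
        for e in events if e["result"] == result
    )

if __name__ == "__main__":
    ev = parse_adf_lines(SAMPLE_LOG)
    for key, n in sorted(denied_by_family(ev).items()):
        print(n, *key)
```

Feed it `dmesg` or the kernel syslog instead of the embedded sample; a non-zero INET6 count for a program that should only have IPv4 templates is exactly the situation the thread describes.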