[rsbac] Re: How to limit network access
Thomas Mueller
news-exp-jun04 at tmueller.com
Tue Apr 20 15:13:37 CEST 2004
On Mon, 19 Apr 2004 19:40:14 +0200 Amon Ott wrote:
>> > Whatever tcp6 is. This is a default Debian Sarge installation with
>> > kernel 2.6.4 and RSBAC 1.2.3pre4.
>>
>> TCP6 is IPV6. At first glance, it looks like you restrict access for IPV4,
>> but not for IPV6. Unless you do need IPV6, you should probably remove it
>> from the kernel configuration.
>
> IPv6 / TCP6 ports are not yet supported, because no one ever asked for it.
> Unless you really need IPv6, just turn it off in your kernel config.
I've recompiled the kernel, CONFIG_IPV6 is not set:
~# grep IPV6 /boot/config-2.6.4-586
# CONFIG_IPV6 is not set
I've removed the httpv6 template, and now I get the following when I start Apache:
Apr 20 15:05:47 geht-schon kernel: rsbac_adf_request(): request BIND, pid
9244, ppid 9242, prog_name apache2, uid 0, target_type NETOBJ, tid
c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Several seconds after an HTTP access:
Apr 20 15:09:42 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9248, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125680 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC
Apr 20 15:09:43 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9247, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC
Apache can still bind to port 443:
~# netstat -l -p |grep apache
tcp6 0 0 *:www *:* LISTEN 400/apache2
tcp6 0 0 *:https *:* LISTEN 400/apache2
Thomas
--
http://www.tmueller.com for pgp key (95702B3B)
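As an added example (not part of the post above and not RSBAC project code), the following Python script parses rsbac_adf_request() kernel log lines of the shape quoted in the thread into structured records, re-joins lines that a mail client has wrapped, and filters the NOT_GRANTED NETOBJ decisions by address family so you can see at a glance whether the denials are for INET (IPv4) or INET6 (IPv6) sockets. The sample input is constructed: the first three entries are modelled on the ones quoted above, the fourth is an invented IPv4 BIND whose "GRANTED" result wording is an assumption, not taken from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Entries 1-3 follow the rsbac_adf_request() lines quoted
# in the thread, still wrapped as the mail client wrapped them; entry 4 is invented
# (IPv4 BIND with an assumed "GRANTED" result wording) to show family filtering.
SAMPLE_LOG = """\
Apr 20 15:05:47 geht-schon kernel: rsbac_adf_request(): request BIND, pid
9244, ppid 9242, prog_name apache2, uid 0, target_type NETOBJ, tid
c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 20 15:09:42 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9248, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125680 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC
Apr 20 15:09:43 geht-schon kernel: rsbac_adf_request(): request
NET_SHUTDOWN, pid 9247, ppid 9245, prog_name apache2, uid 33, target_type
NETOBJ, tid c2125080 INET6 STREAM, attr none, value 0, result NOT_GRANTED
by GEN RC
Apr 20 15:12:00 geht-schon kernel: rsbac_adf_request(): request BIND, pid 9301, ppid 9242, prog_name apache2, uid 0, target_type NETOBJ, tid c2126000 INET STREAM, attr none, value 0, result GRANTED by GEN RC
"""

# A syslog timestamp starts a new record; the day may be glued to the month ("Apr20").
TS_RE = re.compile(r"^[A-Z][a-z]{2} ?\d{1,2} \d{2}:\d{2}:\d{2} ")

# Field layout assumed from the quoted lines; family/socktype only appear for NETOBJ.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} ?\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<ttype>\w+), tid (?P<tid>\S+)"
    r"(?: (?P<family>[A-Z0-9]+) (?P<socktype>[A-Z]+))?, "
    r"attr (?P<attr>\S+), value (?P<value>\S+), result (?P<result>\w+) by (?P<module>.+)$"
)


@dataclass
class AdfRequest:
    timestamp: str
    host: str
    request: str
    pid: int
    ppid: int
    prog_name: str
    uid: int
    target_type: str
    tid: str
    family: Optional[str]   # e.g. INET / INET6 for NETOBJ targets, else None
    socktype: Optional[str]  # e.g. STREAM / DGRAM for NETOBJ targets, else None
    attr: str
    value: str
    result: str
    module: str


def unwrap(text: str) -> List[str]:
    """Re-join records that were wrapped onto several lines (as in a mail)."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_rsbac_log(text: str) -> List[AdfRequest]:
    """Parse every rsbac_adf_request() record; lines of other shapes are skipped."""
    out: List[AdfRequest] = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        g = m.groupdict()
        out.append(AdfRequest(g["ts"], g["host"], g["request"], int(g["pid"]),
                              int(g["ppid"]), g["prog"], int(g["uid"]), g["ttype"],
                              g["tid"], g["family"], g["socktype"], g["attr"],
                              g["value"], g["result"], g["module"]))
    return out


def denied_network_requests(records: List[AdfRequest],
                            family: Optional[str] = None) -> List[AdfRequest]:
    """NOT_GRANTED decisions on NETOBJ targets, optionally limited to one family."""
    return [r for r in records
            if r.target_type == "NETOBJ" and r.result == "NOT_GRANTED"
            and (family is None or r.family == family)]


def summarize(records: List[AdfRequest]) -> Dict[Tuple[str, str, Optional[str], str], int]:
    """Count decisions per (program, request, family, result)."""
    return Counter((r.prog_name, r.request, r.family, r.result) for r in records)


if __name__ == "__main__":
    recs = parse_rsbac_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  prog={key[0]} request={key[1]} family={key[2]} result={key[3]}")
    print("IPv6 denials:", len(denied_network_requests(recs, family="INET6")))
```

Run against real output of `dmesg` or the kernel log file; a denial summary that shows only INET6 entries while netstat still lists tcp6 listeners is the mismatch the thread is chasing.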