From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Wed 09 Jul 2003 - 18:45:17 BST
Herbert Pötzl <herbert_at_13thfloor.at> writes:
>> > [... vservers & iptables ...]
>> Just add
>> | S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"
>> to the vserver-configuration.
> and remember, from this moment on, you will be able to
> modify/overwrite any interface on the physical host from
> within the vserver ... (including taking the interface
> down, etc)
Yes, but this is still better than controlling the iptables from
the physical host: it is true that an attacker can do bad things
with your network when the scripts in the iptables-vserver have
a hole. But he could do yet worse things when these scripts are
running on the host machine.
(I do not speak about giving every vserver these $S_CAPS, but
about a dedicated iptables-vserver (there exists exactly one
such vserver per host). Other vservers on the host (e.g. a
dialin-server) communicate through a simple protocol with
the iptables-vserver to set dynamic rules.)
--
q: If you were young again, would you start writing TeX again or would
   you use Microsoft Word, or another word processor?
a: I hope to die before I have to use Microsoft Word.
   -- Harald Koenig <koenig_at_tat.physik.uni-tuebingen.de> asking D.E.Knuth
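The thread's point is that CAP_NET_ADMIN and CAP_NET_RAW let a vserver reconfigure the host's physical interfaces, so only the one dedicated iptables-vserver should ever carry them. The following audit script is an added example written for this page; it is not code from the thread or from the vserver project. It assumes util-vserver-style per-vserver configuration files (one `NAME.conf` per vserver in a directory, each containing a line such as `S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"` as shown in the quoted message); the directory path and the name of the dedicated vserver are parameters you supply, not values from the thread.

```shell
#!/bin/sh
# Capability audit for vserver configurations (added example, not from the
# mailing-list thread). Assumption: each vserver has a file CONFIG_DIR/NAME.conf
# that may contain a line of the form  S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"
# (quotes optional). Both the directory layout and the name of the dedicated
# iptables vserver are hypothetical parameters.

# audit_caps CONFIG_DIR ALLOWED_NAME
#   Prints "NAME: CAPS" for every vserver other than ALLOWED_NAME whose S_CAPS
#   grants CAP_NET_ADMIN or CAP_NET_RAW, i.e. every vserver that could modify
#   the host's physical interfaces. Returns 0 when nothing is found, 1 otherwise.
audit_caps() {
    dir=$1
    allowed=$2
    rc=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .conf)
        # Extract the value of the last S_CAPS= line, stripping optional quotes.
        caps=$(sed -n 's/^[[:space:]]*S_CAPS="*\([^"]*\)"*[[:space:]]*$/\1/p' "$f" | tail -n 1)
        # Match whole capability names by padding the list with spaces.
        case " $caps " in
            *" CAP_NET_ADMIN "*|*" CAP_NET_RAW "*)
                if [ "$name" != "$allowed" ]; then
                    printf '%s: %s\n' "$name" "$caps"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# Stand-alone usage: audit_caps /path/to/vserver/configs iptables
if [ -n "$1" ] && [ -n "$2" ]; then
    audit_caps "$1" "$2"
fi
```

Run it from cron or a configuration-management hook with the name of your dedicated iptables-vserver as the second argument; a non-zero exit means some other vserver has acquired host-level network control and the finding deserves the same attention as the thread's warning about interfaces being taken down from inside a guest.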