[grsec] 2 connect questions
Brad Spengler
spender at grsecurity.net
Mon May 23 20:52:19 EDT 2005
> 1) I saw in the archives from a while back that at the time there was
> no way to negate the "connect" option. Is that still true? I'm looking
> to do an ACL that allows connections to external IPs but not to
> internal hosts. Obviously I can do this too in iptables but I trust
> grsec more than iptables (well, not that I don't trust
> iptables/netfilter, but less likely that someone will get around the
> connect ACL than someone figuring out a way to sneak in an iptables
> rule)
It will be possible to negate them in the next version of grsec. The
code already exists in CVS.
>
> 2) Is there a separate syntax for connect'ing to domain sockets? I'm
> getting errors in message saying:
>
> denied connect() to the unix domain socket /dev/log by
> /usr/bin/crontab[crontab:8319]
To connect to a unix domain socket, you need rw permissions.
-Brad
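An added illustration of both answers above, not part of the original thread or of the grsecurity project's own policy files: a gradm RBAC subject for crontab in which the /dev/log access is granted as a read/write object rule (there is no connect line for the unix socket at all), while IP destinations are allowed with explicit connect rules. Because this version of grsec has no negated connect, "external only" has to be expressed by listing the permitted external destinations; the address 203.0.113.10 and port 514 are constructed placeholders.

```text
# Hypothetical gradm policy fragment (assumption: gradm 2.1-era syntax).
subject /usr/bin/crontab o {
	/			h
	/usr/bin/crontab	x
	/etc/crontab		r
	/var/spool/cron		rw
	# unix domain socket: governed by object permissions, so rw is what
	# lets crontab connect() to syslog; no "connect" rule applies here
	/dev/log		rw

	# IP destinations are allowed per connect rule; nothing unlisted
	# (including internal ranges) can be reached from this subject
	connect 203.0.113.10/32:514 dgram udp
}
```

A denial of the form "denied connect() to the unix domain socket /dev/log" therefore points at the object rule for /dev/log being missing or too narrow, not at a socket rule; once negated connect rules are available in the following release, the external/internal split in the first question can be written with an inverted rule instead of an allow-list.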