Basics

Due to the short-lived nature of network connections and their related network objects, a scheme of Network Templates has been developed in RSBAC.

Network templates describe a set of connection endpoints, which shall be controlled together. Administration is done on the templates instead of the individual network endpoints. Each endpoint inherits the access control settings of the first template it matches. Templates are checked from lowest to highest index number.

In other words: if you want to control access to network connections to or from a network area, you first define a matching template and set the desired attribute values for that network area on the template.

More precisely, the template attribute values are only default values - you can still set individual network object attribute values, if you want or have to.

Only the address families UNIX (name as address, valid len in chars) and INET (IPv4, all fields used) are matched by address; all other families are matched by family and socket type only.

Warning: Address based access control for incoming connections is always vulnerable to address spoofing. Before trusting an external address, you should ensure by appropriate firewall settings that an address is really correct. For technical reasons, the template description field 'Network Device' can only be used for local address matches - for remote addresses it must be empty or the template will never match.

Template Definitions

Each template definition contains the following fields, some of which are only used for some address families. Most description fields can be set to special value 'ANY', which matches any value.

  • Index number (important for match ordering): 32 bit integer.
  • Name (for human use only): 15 char string.
  • Address Family: Number of a Linux socket address family, e.g. AF_INET or AF_UNIX.
  • Socket Type: Linux socket type, e.g. STREAM or DGRAM.
  • Address: A socket address, format depends on the address family, e.g. 32 bit for INET or string for UNIX.
  • Valid Len: Length of address used for matching, e.g., leading bits for INET, leading chars for UNIX.
  • Protocol: IP protocol number, e.g. 6 for TCP or 17 for UDP.
  • Network Device: Name of the local network device, must currently only be used for local addresses. Leave empty for any.
  • Min Port: Minimum port number.
  • Max Port: Maximum port number.
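
The matching rules described above (first template by ascending index, INET matched by leading bits, UNIX by leading chars, other families by family and socket type only, and a set 'Network Device' never matching a remote address), as an added Python model that is not RSBAC's own code; the dataclass field names, the dict keys used for an endpoint and the sample templates are assumptions for illustration:

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # stands for the template special value 'ANY'

@dataclass
class NetTemplate:                # assumed model of the fields listed above
    index: int                    # match order: lowest index is checked first
    name: str
    family: str                   # 'INET', 'UNIX' or another family, e.g. 'PACKET'
    sock_type: str = ANY          # 'STREAM', 'DGRAM' or ANY
    address: str = ANY            # dotted IPv4 (INET) or path prefix (UNIX)
    valid_len: int = 0            # leading bits (INET) / leading chars (UNIX)
    protocol: int = ANY           # IP protocol number, e.g. 6 (TCP), 17 (UDP)
    device: str = ""              # local matches only; empty means any device
    min_port: int = 0
    max_port: int = 65535

def matches(t: NetTemplate, ep: dict) -> bool:
    """ep keys (assumed): family, sock_type, address, protocol, port, device, local."""
    if t.family != ep["family"]:
        return False
    if t.sock_type is not ANY and t.sock_type != ep["sock_type"]:
        return False
    if t.family not in ("INET", "UNIX"):
        return True               # other families: family and socket type only
    if t.device and (not ep["local"] or t.device != ep["device"]):
        return False              # a set device never matches a remote address
    if t.protocol is not ANY and t.protocol != ep["protocol"]:
        return False
    if not t.min_port <= ep["port"] <= t.max_port:
        return False
    if t.address is ANY:
        return True
    if t.family == "INET":        # valid_len = number of leading address bits
        net = ipaddress.ip_network(f"{t.address}/{t.valid_len}", strict=False)
        return ipaddress.ip_address(ep["address"]) in net
    return ep["address"][:t.valid_len] == t.address[:t.valid_len]  # UNIX: chars

def first_match(templates, ep):
    """Return the template whose settings the endpoint inherits, or None."""
    for t in sorted(templates, key=lambda t: t.index):
        if matches(t, ep):
            return t
    return None

# Constructed sample set: local port-80 binding, a LAN prefix, an INET catch-all.
TEMPLATES = [
    NetTemplate(300, "any-inet", "INET"),
    NetTemplate(100, "local-www", "INET", "STREAM", "0.0.0.0", 0, 6, "", 80, 80),
    NetTemplate(200, "lan", "INET", ANY, "192.168.1.0", 24),
]
```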

Templates are defined with the rsbac_nettemp_def_menu or the net_temp command line tool; their attributes are set in the rsbac_nettemp_menu or through the attr_set_net command line tool. As usual, the net_temp utility can also be used for template backups.

A rsbac_nettemp_def_menu example for the binding to all local addresses with port 80 could look like this:



Predefined Templates

For convenience, some example templates are created on the first boot of a 1.2.0 kernel. They give a base idea of how you could organize your own set of templates. All attributes are set to default values to avoid access control problems.

documentation/administration_examples/network_access_control.txt · Last modified: 2006/05/02 15:40 (external edit)