[Gllug] Port filtering question

Nix nix at esperi.org.uk
Fri Oct 1 21:30:17 UTC 2010


On 1 Oct 2010, salsaman at xs4all.nl stated:
> Apparently now iptables runs a kernel module [when did that happen ?!], so

Always. More precisely, iptables communicates with the iptables
infrastructure in the kernel, which will modprobe for the module if it's
not built in. ipchains and (going way back now) ipfwadm worked the same
way.

> the correct way is lsmod | grep iptables.

That's really not reliable. e.g. on my firewall

,----
| fold:~# lsmod | grep iptables
| -su: lsmod: command not found
| 
| fold:~# cat /proc/modules
| cat: /proc/modules: No such file or directory
| 
| fold:~# iptables --list | wc -l
| 126
`----

(I don't like modular kernels on firewalls. Yes, an attacker can take
you over if they get root, but why make it easy for them by building an
infrastructure into the kernel that *helps* them run arbitrary code in
kernel space?)

(actually the only modules I have loaded on any of my systems right now
are the firewire ones, not because I need them but because bloody udev
loads them at startup even though I currently have no hardware to attach
to the firewire ports. I wonder how to stop it doing that? I mean, yes,
I could avoid building the firewire module, but I'd rather not have to
rebuild the kernel simply due to getting some firewire hardware, given
that I do have appropriate ports on my machines.)
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
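The point above, that lsmod says nothing on a monolithic kernel while the ruleset is still there, can be turned into a check that does not depend on how the netfilter code was linked. The script below is an added example and not part of the original thread; it uses a constructed `iptables -S` dump, assumes the legacy ip_tables backend for the `/proc/net/ip_tables_names` probe, and counts real rules instead of raw `--list` output lines (which include chain headers and blank lines, so "126" does not mean 126 rules).

```shell
#!/bin/sh
# Added example, not part of the original Gllug thread: checking for an
# active netfilter ruleset without depending on lsmod, which is absent or
# empty on a monolithic kernel like the firewall in the post.

# Constructed sample in `iptables -S` format (the rule-dump form of --list).
# Three policy lines, one chain declaration and five actual rules.
SAMPLE_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ssh_limit
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ssh_limit
-A ssh_limit -m limit --limit 3/min -j ACCEPT
-A ssh_limit -j DROP'

# Count only real rules (-A lines) on stdin.  `iptables --list | wc -l`
# also counts chain headers, column headings and blank lines, so its
# number says "something is there" but not how many rules.
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# Total lines on stdin; awk rather than wc so the output has no padding.
count_lines() {
    awk 'END{print NR}'
}

# Print the default policy of one chain from an `iptables -S` dump.
default_policy() {
    awk -v chain="$1" '$1=="-P" && $2==chain {print $3; exit}'
}

# Best-effort check of the running system.  Returns 0 if a ruleset is
# active, 1 if not.  Works whether the netfilter code is built in or modular.
netfilter_in_use() {
    # 1. The kernel lists registered ip_tables tables here regardless of how
    #    the code was linked (assumption: legacy ip_tables backend; a kernel
    #    using the nf_tables backend keeps its tables elsewhere).  Proc
    #    files report a size of 0, so test the content rather than using -s.
    if [ -r /proc/net/ip_tables_names ]; then
        tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
        if [ -n "$tables" ]; then
            echo "active: tables $(printf '%s' "$tables" | tr '\n' ' ')"
            return 0
        fi
    fi
    # 2. Fall back to asking iptables itself, as the post does, but count
    #    rules rather than raw output lines.  Needs root to read the tables.
    if command -v iptables >/dev/null 2>&1; then
        n=$(iptables -S 2>/dev/null | count_rules)
        if [ "${n:-0}" -gt 0 ]; then
            echo "active: $n rules"
            return 0
        fi
    fi
    echo "no evidence of an active ruleset"
    return 1
}

# Demonstrate on the constructed sample: raw line count versus real rules.
printf '%s\n' "$SAMPLE_RULESET" | count_lines            # 9
printf '%s\n' "$SAMPLE_RULESET" | count_rules            # 5
printf '%s\n' "$SAMPLE_RULESET" | default_policy INPUT   # DROP

# Probe the live system (harmless if iptables is missing or we are not root).
netfilter_in_use || :
```

On a box where the netfilter code is built in, step 1 answers immediately and lsmod never enters into it; `count_rules` and `default_policy` also give you something to assert on in a host-hardening check (for example, "INPUT policy is DROP and at least one rule exists") instead of a bare line count.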