Jails are great, but it's not a great idea for jail users to firewall their virtual interface. Best practices involve firewalling upstream, but this generally means someone has to maintain the firewall rules. We present an automated system that allows Jailed accounts to modify an upstream firewall using a combination of Guardian (http://www.chaotic.org/guardian/) and Snort. The benefit of this system is that Jailed users can now directly control their own firewall rules without adminstrator assistance.

The system comprises of a script that the Jailed user can execute which sends a packet through the upstream firewall. This packet contains a digitally signed set of instructions for modifying the firewall rules. The packet triggers a signature match in Snort, which is then captured by Guardian, which then adjusts the firewall rules accordingly.

speaker: Wes Sonnenreich

location not assigned