Jails are great, but it's not a great idea for jail users to
firewall their virtual interface. Best practice is to firewall
upstream, but this generally means someone has to maintain the firewall
rules. We present an automated system that allows jailed accounts to
modify an upstream firewall using a combination of Guardian
(http://www.chaotic.org/guardian/) and Snort. The benefit of this system
is that jailed users can now directly control their own firewall rules
without administrator assistance.

The system consists of a script that the jailed user can execute, which
sends a packet through the upstream firewall. This packet contains a
digitally signed set of instructions for modifying the firewall rules. The
packet triggers a signature match in Snort; that alert is picked up by
Guardian, which then adjusts the firewall rules accordingly.
speaker: Wes Sonnenreich