
cacert-sysadm - Re: Outbound fire-walling for CAcert infrastructure

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: Outbound fire-walling for CAcert infrastructure


  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Mario Lipinski <mario AT cacert.org>
  • Cc: cacert-sysadm AT lists.cacert.org, jandd AT cacert.org
  • Subject: Re: Outbound fire-walling for CAcert infrastructure
  • Date: Sun, 08 Jul 2012 12:24:56 +0200
  • Organization: CAcert

On 8-7-2012 0:54, Mario Lipinski wrote:
> today I received a request to disable outbound packet filtering (for a
> host) within CAcert infrastructure.
> 
> While I can fully understand the request and personally do not have that
> many concerns with outgoing traffic, this restrictive filtering has
> tradition at CAcert.
> 
> What do you think about allowing all outbound traffic for some or all
> CAcert infrastructure hosts?

Instead of fully "opening the gates" (outbound), you could consider
adding a firewall rule to allow only root to enjoy this privilege.
That way a sysadmin will require "sudo" to perform outbound network
operations exceeding the normal firewall rules. Usually this is to
install software, which requires sudo privileges anyway, so no extra
burden is introduced.
In iptables language you can do this with something like:

        iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME cryptographic signature
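The rule Wytze suggests only does what he describes when it sits in the right place in the OUTPUT chain. The script below is an added example, not code from the thread or from CAcert's infrastructure: it emits a complete IPv4 filter table in iptables-restore format built around `--uid-owner 0`, and checks the ordering before loading it. It assumes a single host with a default-deny OUTPUT policy, and that DNS and NTP should stay reachable for every uid; the rule set, the function names and the log prefix are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original thread): an outbound ruleset in
# iptables-restore format that opens the OUTPUT chain only for uid 0 and
# keeps a default-deny for every other local user.
# Assumptions: single host, IPv4 filter table only, DNS (53) and NTP (123)
# remain reachable for all uids; adjust the "open to everyone" block to taste.

gen_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies belonging to already-accepted connections (e.g. an inbound ssh or
# https session answered by a non-root daemon) must pass before any owner test,
# otherwise the owner rule would block every service not running as root.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Services every uid may still reach without sudo.
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# The rule from the thread: only processes running as root get unrestricted
# outbound access. The owner match only sees locally generated packets, which
# is why it is meaningful in OUTPUT and not in FORWARD.
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
# Everything else is logged (rate-limited) and refused with an immediate
# error rather than silently dropped, so a blocked tool fails fast.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DENIED: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# 1-based line number of the first rule matching $1 in the generated ruleset,
# so ordering can be checked without loading anything into the kernel.
rule_index() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# The conntrack rule must precede the owner rule, and the owner rule must
# precede the catch-all REJECT; any other order breaks the design.
check_order() {
    est=$(rule_index 'ESTABLISHED,RELATED')
    own=$(rule_index 'uid-owner 0')
    rej=$(rule_index '-j REJECT')
    [ -n "$est" ] && [ -n "$own" ] && [ -n "$rej" ] &&
        [ "$est" -lt "$own" ] && [ "$own" -lt "$rej" ]
}

# Load the ruleset atomically (needs root); refuses to load a misordered set.
apply_rules() {
    check_order || { echo "ruleset ordering is wrong, refusing to load" >&2; return 1; }
    gen_rules | iptables-restore
}

# Usage: sh outbound.sh check   -> validate ordering only
#        sh outbound.sh apply   -> load with iptables-restore (as root)
case "${1:-}" in
    check) check_order && echo "ruleset ordering OK" ;;
    apply) apply_rules ;;
esac
```

Two practical caveats for anyone adopting this: the owner match applies to the uid that generated the packet, so a daemon or a `sudo -u` child running as an unprivileged account is still blocked; and on Debian-derived systems apt (since version 1.1) downloads as the `_apt` user rather than root, so package installation needs either a second `--uid-owner _apt` rule or `APT::Sandbox::User "root";` in the apt configuration.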




