Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-13 23:57 UTC


Re: [milter-greylist] problem building with p0f support, p0f or better using dialin RBL?

2016-09-13 by Jim Klimov

On 13 September 2016 at 19:26:59 CEST, "Bob Friesenhahn bfriesen@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>On Mon, 12 Sep 2016, Jim Klimov jimklimov@... [milter-greylist]
>wrote:
>>
>> We use p0f (3.06b, 3.08b IIRC is last) coerced to compile under 
>> Solarish OSes that we use (tweaks should be on my github). Depending 
>> on platform release we had libpcap issues that it processed packets 
>> by larger buffers at once, so p0f might not yet have answers when 
>> needed.
>
>Does using the p0f feature increase the opportunity for a security 
>weakness so it is more likely that the host machine can be 
>compromised?
>
>Can it work in VMs, containers, or Solaris zones, which are not 
>allowed access to raw packets due to network security concerns?
>
>Bob

I don't think it is a big issue: p0f relies on libpcap to get packet (OS) details and IIRC does little if anything with packet payloads. But I may be wrong here. Away from computer now, so speaking OTOH ;-)

It can run as a non-root user privileged to net_raw_access (iirc) on Solarish OSes, or as root on older solarii (I have it on 8, 10 and SXCE). A zone can likewise be made privileged enough to sniff, but I vaguely remember it might not be needed at all.

See my recipe (PR) on github in hipster/oi-userland, I think sample XMLs with comments should be part of that. Alas, newer illumos exposed some issues with libpcap caching that were not problems on older kernels (or older libpcap?) so the PR lingered...

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
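As an added illustration of the privilege point made above (not Jim's PR, nor anything shipped by p0f or milter-greylist), here is an SMF manifest that runs p0f as a dedicated unprivileged account holding only the basic set plus net_rawaccess; the service name, the p0f account, the interface net0 and the socket path are assumptions.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Hypothetical manifest: p0f gets raw-packet access via the
     net_rawaccess privilege instead of running as root. -->
<service_bundle type="manifest" name="p0f">
  <service name="network/p0f" type="service" version="1">

    <!-- Do not start sniffing before the network is up. -->
    <dependency name="network" grouping="require_all"
                restart_on="error" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>

    <!-- p0f stays in the foreground (no -d); SMF tracks it through
         the process contract. -s is the query socket milter-greylist
         connects to; -i is the interface to listen on (assumed net0). -->
    <exec_method type="method" name="start"
                 exec="/usr/sbin/p0f -i net0 -s /var/run/p0f.sock"
                 timeout_seconds="60">
      <method_context>
        <!-- Assumed account "p0f": basic privileges plus the one
             privilege libpcap needs to open the interface. -->
        <method_credential user="p0f" group="p0f"
                           privileges="basic,net_rawaccess"/>
      </method_context>
    </exec_method>

    <exec_method type="method" name="stop" exec=":kill"
                 timeout_seconds="60"/>

    <instance name="default" enabled="false"/>
    <stability value="Unstable"/>
    <template>
      <common_name>
        <loctext xml:lang="C">p0f passive OS fingerprinting daemon</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
```

Import it with svccfg import and enable with svcadm; milter-greylist then only needs read/write access to the socket, not raw packet access of its own.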
