Subject: Re: r/o filesystem restrictions for firewall?
To: Jon Lindgren <jlindgren@slk.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: port-sparc
Date: 10/23/2000 21:21:34
On Mon, Oct 23, 2000 at 12:26:07PM -0400, Jon Lindgren wrote:
> I finally have a spare sparc to use as a true firewall. I'm planning to
> burn a CD for this sucker to boot from. I don't want it to have local
> mass storage (besides the cd...).
>
> I've been looking around at regular processes which run and require
> temporary files, such as the daily security items, etc... I figure I can
> knock syslog stuff to a remote machine, I'll be disabling mail and other
> audit scripts (hmmm....), but what about items such as /var/log/wtmp and
> such?
>
> So the 1e6 dollar question is: does anyone have any ideas what other
> subsystems may be affected by having a r/o local filesystem when running
> multiuser? I've been able to experiment for a few hours or so, but I've
> not run the thing for months yet...
>
> Any ideas, tips, etc... are well appreciated.
If you intend to let users log in, then you'll need a writable /dev
too.
Here's what I've done for my sparc machines I use as telnet/ssh gateway:
/, /usr, /netroot and /tripwire are on a R/O filesystem (in my case a SCSI
disk which has the appropriate jumper, but this shouldn't matter).
/netroot/home, /netroot/dev and /netroot/var are mounted R/W, noexec for all
and nodev for /netroot/home & /netroot/var (/netroot/dev is writable by
root only anyway, and you can play with chflags to limit what can be done).
As you guessed, inetd & ssh are chrooted to /netroot.
/netroot has only a limited set of binaries (not mount, for example),
/netroot/dev a limited set of devices (tty/pty, zero, null, ... no disks of
course).
Inside /var there are symlinks to /netroot/var for the appropriate directories
(log, acct, run). /netroot/etc is a symlink to /netroot/var/netetc, so that
passwd, skey & all are writable.
BTW a local disk is useful anyway, for logs & accounting.
--
Manuel Bouyer <bouyer@antioche.eu.org>
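The read-only root plus /netroot chroot layout described in the message above, as an added worked example. This is not code from the message or from any NetBSD distribution; it builds the tree under a prefix directory so it can be exercised without root, uses placeholder device names (/dev/sd1a, sd1d, sd1e) and relative symlinks (so /netroot/etc -> var/netetc also resolves as /etc inside the chroot), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the message): lay out a R/O root with a chroot jail
# under /netroot, following the scheme in the mail above:
#   - /netroot/home, /netroot/dev, /netroot/var are the writable filesystems,
#     noexec for all, nodev for home and var (dev must hold device nodes)
#   - /var/{log,acct,run} on the R/O root are symlinks into /netroot/var
#   - /netroot/etc is a symlink to /netroot/var/netetc so passwd/skey stay writable
# Everything is created under a prefix so it runs unprivileged. Device names
# and the relative form of the symlinks are assumptions of this example.
set -eu

RW_VAR_DIRS="log acct run"   # R/O /var entries redirected into /netroot/var

# Mount options per writable tree: noexec everywhere, nodev except for
# /netroot/dev, which must be able to hold tty/pty, null, zero, ...
mount_opts_for() {
    case "$1" in
        home|var) echo "rw,noexec,nodev" ;;
        dev)      echo "rw,noexec" ;;
        *)        echo "unknown writable tree: $1" >&2; return 1 ;;
    esac
}

# Print fstab lines for the three writable trees. /dev/sd1[ade] are placeholders.
netroot_fstab() {
    root="$1"
    printf '%s %s ffs %s 1 2\n' \
        /dev/sd1a "$root/netroot/home" "$(mount_opts_for home)" \
        /dev/sd1d "$root/netroot/var"  "$(mount_opts_for var)" \
        /dev/sd1e "$root/netroot/dev"  "$(mount_opts_for dev)"
}

# Create the directory tree and the symlinks from the R/O root into /netroot/var.
build_netroot_layout() {
    root="$1"
    mkdir -p "$root/var" "$root/netroot/home" "$root/netroot/dev" \
             "$root/netroot/var/netetc"
    for d in $RW_VAR_DIRS; do
        mkdir -p "$root/netroot/var/$d"
        rm -f "$root/var/$d"
        ln -s "../netroot/var/$d" "$root/var/$d"
    done
    # Relative target: outside the chroot it is /netroot/etc -> /netroot/var/netetc,
    # inside chroot("/netroot") it is /etc -> /var/netetc. Same link, both views work.
    rm -f "$root/netroot/etc"
    ln -s var/netetc "$root/netroot/etc"
}

# Verify the layout: every redirected /var entry and /netroot/etc must be a
# symlink that resolves to an existing directory under the writable tree.
check_netroot_layout() {
    root="$1"
    for d in $RW_VAR_DIRS; do
        link="$root/var/$d"
        [ -h "$link" ] && [ "$(readlink "$link")" = "../netroot/var/$d" ] && [ -d "$link" ] || {
            echo "bad or missing link: $link" >&2; return 1; }
    done
    [ -h "$root/netroot/etc" ] && [ -d "$root/netroot/etc" ] || {
        echo "bad or missing link: $root/netroot/etc" >&2; return 1; }
    [ -d "$root/netroot/var/netetc" ] || {
        echo "missing writable etc: $root/netroot/var/netetc" >&2; return 1; }
    echo "layout under $root ok"
}

main() {
    root="${1:?usage: $0 <prefix>}"
    build_netroot_layout "$root"
    check_netroot_layout "$root"
    echo "fstab lines for the writable trees:"
    netroot_fstab "$root"
}
[ $# -eq 0 ] || main "$@"
```

Run it as `sh build_netroot.sh /mnt/target` against a staging directory; the fstab lines it prints are meant to be edited for the real device names before being copied into the R/O root's /etc/fstab.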