Subject: Re: r/o filesystem restrictions for firewall?
To: Jon Lindgren <jlindgren@slk.com>
From: Berndt Josef Wulf <wulf@ping.net.au>
List: port-sparc
Date: 10/24/2000 09:24:12
Jon Lindgren wrote
> I finally have a spare sparc to use as a true firewall. I'm planning to
> burn a CD for this sucker to boot from. I don't want it to have local
> mass storage (besides the cd...).
>
> I've been looking around at regular processes which run and require
> temporary files, such as the daily security items, etc... I figure I can
> knock syslog stuff to a remote machine, I'll be disabling mail and other
> audit scripts (hmmm....), but what about items such as /var/log/wtmp and
> such?
>
> So the 1e6 dollar question is: does anyone have any ideas what other
> subsystems may be affected by having a r/o local filesystem when running
> multiuser? I've been able to experiment for a few hours or so, but I've
> not run the thing for months yet...
>
> Any ideas, tips, etc... are well appreciated.
Maybe not what you want...
Create the desired filesystem, place it onto a bootable CD and have it
union-mount with a filesystem on a harddisk just large enough to hold
writeable files such as logfiles etc.
Alternatively, if memory isn't much of a problem, create a CD with the
desired filesystem and have it boot into a memory-based filesystem.
Should the system be comprimised or falling over, its a matter of
seconds to reboot and have it up and running again.
I don't know about your reasons of not using a local harddisk, but
if it is for security reasons, there is nothing stopping anyone
breaking into the firewall on any type of system if the opportunity
exists due to a flaw in operating system or application.
cheerio Berndt
--
Name : Berndt Josef Wulf | +++ With BSD on Packet Radio +++
E-Mail : wulf@ping.net.au | tfkiss, tnt, dpbox, wampes
ICQ : 18196098 | VK5ABN, Nairne, South Australia
URL : http://www.ping.net.au/~wulf | MBOX : vk5abn@vk5abn.#lmr.#sa.au.oc
Sysinfo : DEC AXPpci33+, NetBSD-1.4.2 | BBS : vk5abn.#lmr.#sa.aus.oc