Subject: Re: r/o filesystem restrictions for firewall?
To: Jon Lindgren <jlindgren@slk.com>
From: Simon Burge <simonb@wasabisystems.com>
List: port-sparc
Date: 10/24/2000 21:55:40
Jon Lindgren wrote:

> On Tue, 24 Oct 2000, Manuel Bouyer wrote:
> 
> > IMHO the configuration of such a machine should be done only from
> > console. No telnet, ssh or whatever. If your machine gets broken into,
> > the intruder could then remove ip filters.
> 
> I'd agree.

If you're worried about that level of security, you could set up the
kernel part of IP filter so that it only accepts the first load of
rules.  Same for ifconfig, and so on.  The list goes on.  This is one
of the reasons we like Open Source(TM) systems!

Simon.
--
Simon Burge                            <simonb@wasabisystems.com>
NetBSD Sales, Support and Service:  http://www.wasabisystems.com/
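
The "only accepts the first load of rules" idea from the message above, sketched as a user-space C model. This is an added example, not part of the original post and not IP Filter's own code. The names `ruleset`, `ruleset_load` and `ruleset_flush` are hypothetical and the sample rules are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_RULES 16
#define RULE_LEN  64

/* Hypothetical rule table standing in for the in-kernel filter list. */
struct ruleset {
    char   rules[MAX_RULES][RULE_LEN];
    size_t count;
    int    sealed;  /* set once the first load has been committed */
};

/* Accept one batch of rules, then refuse every later change. */
int ruleset_load(struct ruleset *rs, const char *const *batch, size_t n)
{
    if (rs->sealed)
        return EPERM;               /* second and later loads are rejected */
    if (n == 0 || n > MAX_RULES)
        return EINVAL;              /* an empty load must not burn the latch */
    for (size_t i = 0; i < n; i++)  /* validate everything before committing */
        if (batch[i] == NULL || strlen(batch[i]) >= RULE_LEN)
            return EINVAL;
    for (size_t i = 0; i < n; i++)
        strcpy(rs->rules[i], batch[i]);
    rs->count = n;
    rs->sealed = 1;                 /* no code path ever clears this flag */
    return 0;
}

/* Flushing is a rule change too, so it obeys the same latch. */
int ruleset_flush(struct ruleset *rs)
{
    if (rs->sealed)
        return EPERM;
    rs->count = 0;
    return 0;
}

int main(void)
{
    /* Constructed sample rules, not taken from the thread. */
    const char *const boot[] = { "block in all", "pass out all" };
    struct ruleset rs = { 0 };
    printf("boot load:  %d\n", ruleset_load(&rs, boot, 2));
    printf("later load: %d\n", ruleset_load(&rs, boot, 1));
    printf("flush:      %d (rules kept: %zu)\n", ruleset_flush(&rs), rs.count);
    return 0;
}
```

The latch is only as strong as the code around it: every path that can alter the table has to check `sealed`, and a failed or empty first load must leave the latch open so the machine does not seal itself with no rules.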