[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Start up scripts



Hello,

> Leaving modules in place make it easier to modify the kernels behavior.

Well, actually it is possible to disable the Modification of the kernel
after the modules are isntalled. This is the "securelevel" Feature from BSD.
Adding a few simple if statements in the kernel can even forbid root to
modify the modules. This means at the boot time the modules get installed,
and can't modified if the runlevel will be swiched. The runlevel will get
switched before there is access to any network on the firewall. Thats the
usual was.

The great win is, that you dont need to compile this special kernel for
everything, and you have the support for stuff like sf Firewall or
Masquerade Modules or IPSec.

The Problems with Modules is that if you can install a module you can do
everything, including to circumvent the securelevel. Securelevel (and
perhaps POSIX priveleges) are an important thing on a firewall. Including
the secure linux patches (disable executable stack) and adding a group
for binding to priveledged ports.

Its a good Idea to avoid root on the Firewall as much as possible. Nearly no
program on the firewall should/need to run as root if you do some small
modifications to the kernel. More Info Later...

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy


--
E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble?  E-mail to listmaster@debian.org .


Reply to: