Re: Start up scripts
Henry Hollenberg speed@barney.iamerica.net
On Fri, 6 Mar 1998, Bernd Eckenfels wrote:
> Well, actually it is possible to disable the Modification of the kernel
> after the modules are isntalled. This is the "securelevel" Feature from BSD.
> Adding a few simple if statements in the kernel can even forbid root to
> modify the modules. This means at the boot time the modules get installed,
> and can't modified if the runlevel will be swiched. The runlevel will get
> switched before there is access to any network on the firewall. Thats the
> usual was.
I asked around about this on the great circle firewall list and one of the
fellows said they were using "securelevel"....but he said they ran for
quite awhile without modules when they started out and that this was not a
bad idea....the other (4 i think) repliers said to avoid modules for the
reasons I pointed out earlier.
>
> The great win is, that you dont need to compile this special kernel for
> everything, and you have the support for stuff like sf Firewall or
> Masquerade Modules or IPSec.
>
> The Problems with Modules is that if you can install a module you can do
> everything, including to circumvent the securelevel. Securelevel (and
> perhaps POSIX priveleges) are an important thing on a firewall. Including
> the secure linux patches (disable executable stack) and adding a group
> for binding to priveledged ports.
Not sure I'm staying up with you on this paragraph.
>
> Its a good Idea to avoid root on the Firewall as much as possible. Nearly no
> program on the firewall should/need to run as root if you do some small
> modifications to the kernel. More Info Later...
keep us posted!
hgh
--
E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble? E-mail to listmaster@debian.org .
Reply to: