Re: Linux firewall question.

Hello all,

> > This is also true for /sbin/init. I think the firewall has to be designed to
> > be immutable/secure after a reboot (i.e. boot from read-only media) or/and
> > do some checksums.
> Not sure I follow the /sbin/init exploit, could you elaborate?

If you have the fear that someone can modify your modules (the files) and
compromise the firewall, this fear is true for all other binaries on the
system, too. The first bin loaded on your system will be the init process.

> In fact I guess that's another part of this project...figuring out which
> parts of the file system can go on the read only disk and which parts need
> to go on a writable disk....Bernd are you game?

This is addressed in the FHS, /usr is RO, /var is RW. From the Root
Filesystem all directories except /tmp are read-only. /dev is
unfortunately special. The Permissions of the files (especially the owner
of the ttys) in the /dev directory will get modified at runtime of a normal
Unix System. On the other hand /dev must be present on the root partition
(which should be Read-only).

There are 2 solutions to the /dev problem:
a) root is read-only, and there will be a small ramdisk mounted over /dev
b) strip the system, since the Bastion is not for multiuser login you don't
need login to modify the permission of the TTYs.

/    RO
/usr RO
/var RW
/tmp Ramdisk for boot, then symlink to /var/tmp
/dev Ramdisk or static
/etc RO but needs to be written at configuration time (no state or
spoolfiles should be in /etc)

> With CD-recordables around $400 and dropping vs $130 for a nice SCSI plain
> CD-ROM putting the bootable parts on CD is a thought as well....Bernd?

Yes, that's a nice idea, of course a bootable CDROM drive will help. Packet
filters can be based on Boot-Eproms, too.

Configuration Files in /etc can be read from a disk. The good thing about
this is that you can make them Hardware-write protected, and they are very
easy to backup.

BTW: speaking of SCSI, old SCSI hard disks had a jumper for making them
read-only. Not sure if one can modify the IDE wire to block write attempts.

  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy
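
The layout table in the message, turned into a check, as an added example that is not part of the original message: a shell function that compares a mount table in /proc/mounts format against the RO/RW policy for /, /usr, /var and /etc. The device names and the sample table are constructed; /dev and /tmp are left out because the message allows more than one arrangement for them.

```shell
#!/bin/sh
# Added example. Policy taken from the layout table in the message:
# path -> required mode. /etc needs no mount of its own; it inherits from /.
POLICY='/ ro
/usr ro
/var rw
/etc ro'

# Constructed sample in /proc/mounts format; /usr has been left writable.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext2 ro 0 0
/dev/sda2 /usr ext2 rw 0 0
/dev/sda3 /var ext2 rw 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
EOF
}

# audit_mounts FILE: print one line per policy violation, return 1 if any.
audit_mounts() {
    printf '%s\n' "$POLICY" | awk -v mounts="$1" '
        BEGIN {   # load the mount table: field 2 = mount point, field 4 = options
            while ((getline line < mounts) > 0) {
                split(line, f, " "); n++; mp[n] = f[2]; opt[n] = f[4]
            }
        }
        {
            path = $1; want = $2; best = 0
            # The longest covering mount point decides; on ties the later entry
            # wins, because a later mount shadows an earlier one.
            for (i = 1; i <= n; i++) {
                m = mp[i]
                covers = (m == "/" || path == m || index(path, m "/") == 1)
                if (covers && (best == 0 || length(m) >= length(mp[best]))) best = i
            }
            have = "unknown"
            k = split(opt[best], o, ",")
            for (j = 1; j <= k; j++) if (o[j] == "ro" || o[j] == "rw") have = o[j]
            if (have != want) {
                printf "VIOLATION %s: want %s, have %s (mount %s)\n", path, want, have, mp[best]
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

tmp=$(mktemp)
sample_mounts > "$tmp"
audit_mounts "$tmp" || echo "layout does not match the policy"
rm -f "$tmp"
```

On a running system, call `audit_mounts /proc/mounts` instead of using the sample table.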
