Re: [fw-wiz] Linux Firewall on CD
From: Paul Robertson (proberts_at_patriot.net)
Date: 07/12/03
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Linux Firewall on CD"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] Linux Firewall on CD"
- Next in thread: Jyotish K Sen Gupta: "[fw-wiz] Telnet & ftp issues"
- Reply: Jyotish K Sen Gupta: "[fw-wiz] Telnet & ftp issues"
- Reply: Barney Wolff: "Re: [fw-wiz] Linux Firewall on CD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Fri, 11 Jul 2003 22:29:03 -0400 (EDT)
On Fri, 11 Jul 2003, Marcus J. Ranum wrote:
> Depends on how it's done, really. The CD bootable systems I used
> to build chrooted off the RAM disk onto the CD image, so there was
> no RAM disk to mess with, and there weren't any device nodes except
RAM disk, my own program to store code. It's really moot, however, if I can
create a new RAM disk (and the point was that the kernel really wanted the
RAM disk stuff built in), so I can always create a new one if I can get to
a mount point.
> for the bare minimum since the device nodes needed to mount the
> CD and hard disk were back in the RAM disk behind the chroot. If you
> mount the hard disk noexec, and the CD image isn't writeable, it's
Noexec is useless: you can use the loader to execute anything off the
disk, and if you don't have the loader, you're not going to be running
much. If you could get rid of, or compartment out, /dev, then the jail
would be more interesting, though I admit to not having looked at what
devfs brings to the table in terms of not needing to allow device nodes on
a disk or RAM disk.
> pretty hard to screw around with the system. Of course, one can
> always conjure up a scenario involving an infinitely clever attacker
> exploiting an infinite number of design flaws so in theory no firewall
> will ever be secure.
>
Again, the real game is going through the firewall; these days, the way
most are deployed, there's not much to be gained on the firewall, unless
the attacker wants an open relay for spamming.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
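The mount layout argued over above (read-only CD image as the root of trust, writable storage mounted noexec/nosuid/nodev, device nodes kept out of reach) can be checked mechanically. The script below is an added example, not code from the post or from the list; the /proc/mounts listing and the policy table in it are constructed for illustration, and the function names are mine. Two points from the thread are built in: noexec only governs execve(2), so the audit also reports which mounts remain exec-capable (that is where an interpreter or loader that reads a file off a noexec disk would have to come from), and any writable mount without nodev is flagged as a place where a fresh device node could be created.

```python
# Added example (not from the post): audit a /proc/mounts listing against
# a CD-booted firewall layout and report the gaps.  The mount table and
# the policy are constructed for illustration.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_PROC_MOUNTS = """\
/dev/ram0 / ext2 rw 0 0
/dev/cdrom /cdrom iso9660 ro,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/hda1 /mnt/hd ext3 rw,noexec 0 0
/dev/hda2 /var/log ext3 rw,noexec,nosuid,nodev 0 0
"""

# Hypothetical policy: options each writable mount point must carry.
POLICY = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/mnt/hd": {"noexec", "nosuid", "nodev"},
    "/var/log": {"noexec", "nosuid", "nodev"},
}


def _unescape(path):
    """Undo the kernel's octal escapes in /proc/mounts paths.

    The kernel writes "\\040" for a space, "\\011" for a tab, "\\012" for a
    newline and "\\134" for a backslash so that each line stays splittable
    on whitespace.
    """
    out, i = [], 0
    while i < len(path):
        octal = path[i + 1:i + 4]
        if path[i] == "\\" and len(octal) == 3 and all(c in "01234567" for c in octal):
            out.append(chr(int(octal, 8)))
            i += 4
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text):
    """Parse /proc/mounts text into {mountpoint: {device, fstype, options}}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = fields[:4]
        mounts[_unescape(mountpoint)] = {
            "device": device,
            "fstype": fstype,
            "options": set(options.split(",")),
        }
    return mounts


def audit(mounts, policy=POLICY):
    """Return a sorted list of (mountpoint, finding) tuples."""
    findings = []
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            findings.append((mountpoint, "not mounted"))
            continue
        missing = sorted(required - mounts[mountpoint]["options"])
        if missing:
            findings.append((mountpoint, "missing " + ",".join(missing)))
    # The thread's concern: a writable filesystem that honours device nodes
    # is where an attacker creates a new one (e.g. for the raw disk).  The
    # RAM disk at / is included deliberately.
    for mountpoint, info in mounts.items():
        if "rw" in info["options"] and "nodev" not in info["options"]:
            findings.append((mountpoint, "writable and allows device nodes"))
    return sorted(findings)


def exec_capable(mounts):
    """Mount points from which execve(2) is still permitted.

    noexec stops execve on that filesystem only; a script or binary stored
    there can still be read by an interpreter or loader living on one of
    these mounts, so the list should be as short as possible.
    """
    return sorted(m for m, info in mounts.items() if "noexec" not in info["options"])


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            table = parse_proc_mounts(fh.read())
    except OSError:
        table = parse_proc_mounts(SAMPLE_PROC_MOUNTS)
    for mountpoint, finding in audit(table):
        print(f"{mountpoint}: {finding}")
    print("exec-capable mounts:", ", ".join(exec_capable(table)))
```

Run against the real table it needs only read access to /proc/mounts; against the sample it reports /tmp lacking noexec, /mnt/hd lacking nosuid and nodev, and both / and /mnt/hd as writable places where a device node could be created, while /, /cdrom and /tmp remain exec-capable.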