Re: [fw-wiz] Linux Firewall on CD

From: Paul Robertson (proberts_at_patriot.net)
Date: 07/12/03

  • Next message: Devdas Bhagat: "Re: [fw-wiz] OpenSource Firewall for ISP or Webhost"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Fri, 11 Jul 2003 22:29:03 -0400 (EDT)
    
    

    On Fri, 11 Jul 2003, Marcus J. Ranum wrote:

    > Depends on how it's done, really. The CD bootable systems I used
    > to build chrooted off the RAM disk onto the CD image, so there was
    > no RAM disk to mess with, and there weren't any device nodes except

    RAM disk, my own program to store code- it's really moot, however if I can
    create a new RAM disk (and the point was that the kernel really wanted the
    RAM disk stuff built in- so I can always create a new one if I can get to
    a mount point.

    > for the bare minimum since the device nodes needed to mount the
    > CD and hard disk were back in the RAM disk behind the chroot. If you
    > mount the hard disk noexec, and the CD image isn't writeable, it's

    Noexec is useless, you can use the loader to execute anything off the
    disk, and if you don't have the loader, you're not going to be running
    much. If you could get rid of, or compartment out /dev, then the jail
    would be more interesting- though I admit to not having looked at what
    devfs brings to the table in terms of not needing to allow device nodes on
    a disk or RAM disk.

    > pretty hard to screw around with the system. Of course, one can
    > always conjure up a scenario involving an infinitely clever attacker
    > exploiting an infinite number of design flaws so in theory no firewall
    > will ever be secure.
    >

    Again, the real game is going through the firewall- these days the way
    most are deployed, there's not much to be gained on the firewall, unless
    the attacker wants an open relay for spamming.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Devdas Bhagat: "Re: [fw-wiz] OpenSource Firewall for ISP or Webhost"