Re: Fw: Re[2]: FW: Linux server as it own firewall

From: Jeff Schaller (schaller@freeshell.org)
Date: 09/14/01


Date: Fri, 14 Sep 2001 17:24:32 +0000 (UTC)
From: Jeff Schaller <schaller@freeshell.org>
To: <focus-linux@securityfocus.com>
Subject: Re: Fw: Re[2]: FW: Linux server as it own firewall
Message-ID: <Pine.NEB.4.33.0109141718520.163-100000@sdf.lonestar.org>

On 13 Sep 2001, Scott Gifford wrote:

> The O'Reilly security book (sorry, don't remember the name;
> it's got a safe on the front) had some ideas for running a
> UNIX off of read-only media. The tricky problems are where to
> put logfiles (configure it to use remote syslog or a printer),
> PID files (no easy solution), etc. Depending on what you hope
> to accomplish, you may also need to make sure your kernel
> doesn't support any memory or network-based filesystems, such
> as a ramdisk or tmpfs, since that would be another place to
> put executables.

(The book is Practical Unix and Internet Security by Simson and
Garfinkel)

My work-in-progress plan for a floppy-based firewall has the
following ideas:

1. no unnecessary files. a minimal set to begin with, and several
   are removed after booting.
2. floppy disk is physically read-only
3. files that shouldn't change (most of them) are set immutable.
   the chattr program does not exist on the system.
4. no logging.
5. temporary files are avoided as much as possible. temp space
   is created with a ramdisk of less than 1 megabyte, mounted
   nosuid,noexec.

Sure it makes it a pain in the ass to set up, but helper scripts
... well, help :) That way I only have to think of things once,
put them in the script, and I'll never 'forget' them again.

-jeff

-- 
A disciple of another sect once came to Drescher as he was eating his morning
meal.  "I would like to give you this personality test", said the outsider,
"because I want you to be happy."  Drescher took the paper that was offered
him and put it into the toaster -- "I wish the toaster to be happy too".