Re: Fw: Re[2]: FW: Linux server as it own firewall
From: Jeff Schaller (schaller@freeshell.org) Date: 09/16/01
- Previous message: Rob 'Feztaa' Park: "Clever Firewall Rules, Second Edition"
- In reply to: Scott Gifford: "Re: Fw: Re[2]: FW: Linux server as it own firewall"
- Next in thread: Seth Arnold: "Re: Fw: Re[2]: FW: Linux server as it own firewall"
- Next in thread: Jeff Schaller: "Re: Fw: Re[2]: FW: Linux server as it own firewall"
- Reply: Seth Arnold: "Re: Fw: Re[2]: FW: Linux server as it own firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 16 Sep 2001 13:58:45 +0000 (UTC)
From: Jeff Schaller <schaller@freeshell.org>
To: Scott Gifford <sgifford@tir.com>
Subject: Re: Fw: Re[2]: FW: Linux server as it own firewall
Message-ID: <Pine.NEB.4.33.0109161350520.10466-100000@sdf.lonestar.org>
On 16 Sep 2001, Scott Gifford wrote:
> Jeff Schaller <schaller@freeshell.org> writes:
>
> > My work-in-progress plan for a floppy-based firewall has the
> > following ideas:
> >
> > 1. no unnecessary files. a minimal set to begin with, and several
> > are removed after booting.
> > 2. floppy disk is physically read-only
> > 3. files that shouldn't change (most of them) are set immutable.
> > the chattr program does not exist on the system.
>
> It's probably not quite as simple as removing the chattr() program;
> there are other ways to get the equivalent ioctl() to run. The
> simplest would be to use perl's syscall() or ioctl() functions, if
> perl was available, but there are probably other ways. You would need
> to be extremely careful with the set of tools you allowed to be able
> to really prevent users from making this system call.
Of course, perl doesn't fit on the floppy, but wouldn't be
included for reasons like you mention :) There's also no compiler.
Basic assumption: if it's not /required/ to boot, it's not there.
Top of my head listing:
/sbin/init (can't be removed)
/bin/mount (removed after boot)
/sbin/ifconfig (removed after boot)
/sbin/ipchains (removed after boot)
/bin/ash (local shell on /dev/console, needed for shell scripts)
/bin/umount (unmounts /proc) (removed after boot)
ntpdate (removed after boot)
...
> > 4. no logging.
>
> That makes monitoring the system pretty hard...Maybe remote syslog
> would be a good option?
Well, I'll log to the console to start. I'm pretty much counting
on the box to be impenetrable. If it gets rebooted, it'll come
back functional. Logging assumes that you do something with the
logs, and I've decided that I don't care how many code red scans I
get.
> > 5. temporary files are avoided as much as possible. temp
> > space is created with a ramdisk of less than 1 megabyte,
> > mounted nosuid,noexec.
>
> If a user gets root on the system, what prevents them from running:
> mount -o remount,suid,exec /tmp
Ah, because the mount command is gone :)
> (or wherever the ramdisk is mounted) and then putting nasty files
> there? Or, for that matter, mounting another ramdisk elsewhere and
> putting things there?
Nasty files: because there's no space left.
Mounting: no mount command left.
> And if the assumption is that a user won't get root on the
> system, why not just make everything owned by root and mode
> 755?
Everything is owned by root, since there is no /etc/passwd file.
Permissions are kept as restrictive as possible, but since we need
root to run stuff at startup...
> For similar reasons, you would want to make sure that no extra
> filesystems, like tmpfs, nfs, smbfs, loopback filesystems, or anything
> else that doesn't require a physical disk, are compiled in.
Of course :) I've got a ~300k kernel that barely :) boots. I think
I even used minix, but I might be wrong.
> Still, good ideas. If you know or can find solutions to these
> problems, this would be very useful.
I'm in the midst of writing up an article explaining my process
and reasoning; I'd greatly appreciate any other holes you can poke
in my fun :)
-jeff
--
The Treasury Department recently issued a new $1 Sacajawea coin, which is only available at banks and Wal-Mart. What do you think? "It seems appropriate, as Sacajawea was instrumental in opening up the West to competition-crushing retail chain stores." George Giroux, Auto Mechanic. http://www.theonion.com/
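An added audit script, not from the thread or either poster, that checks the two post-boot assumptions discussed above (the temp ramdisk stays nosuid,noexec, and tools such as mount, chattr or perl that could undo the immutable bits are gone). The /proc/mounts tables and the root directory it inspects are constructed samples; the tool list and paths are assumptions.

```shell
#!/bin/sh
# Tools that should be gone after boot: anything that can mount or remount,
# change file attributes, or hand a user the ioctl()/syscall() interface.
# (Assumed list; extend it to match the actual floppy image.)
FORBIDDEN_TOOLS="mount umount chattr perl python gcc cc ld"

# check_mount_opts MOUNTS_FILE MOUNTPOINT
# Succeeds only if MOUNTPOINT appears in MOUNTS_FILE (the /proc/mounts format)
# with both nosuid and noexec among its options. Catches the
# "mount -o remount,suid,exec /tmp" case raised above.
check_mount_opts() {
    file=$1; mp=$2
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$file")
    [ -n "$opts" ] || return 1
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$opts," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# check_tools_removed ROOTDIR
# Prints every forbidden tool still present under ROOTDIR's bin/sbin
# directories; succeeds only if none is found.
check_tools_removed() {
    root=$1; found=0
    for t in $FORBIDDEN_TOOLS; do
        for d in bin sbin usr/bin usr/sbin; do
            if [ -e "$root/$d/$t" ]; then
                echo "still present: $root/$d/$t"
                found=1
            fi
        done
    done
    return $found
}

# Constructed /proc/mounts samples: the ramdisk as intended, and the same
# ramdisk after a remount that dropped nosuid and noexec.
GOOD_MOUNTS=$(mktemp); BAD_MOUNTS=$(mktemp)
printf '%s\n' '/dev/fd0 / minix ro 0 0' \
    '/dev/ram0 /tmp minix rw,nosuid,noexec 0 0' > "$GOOD_MOUNTS"
printf '%s\n' '/dev/fd0 / minix ro 0 0' \
    '/dev/ram0 /tmp minix rw 0 0' > "$BAD_MOUNTS"

# Constructed root trees: one where /bin/mount was left behind, one clean.
DIRTY_ROOT=$(mktemp -d); mkdir -p "$DIRTY_ROOT/bin"; : > "$DIRTY_ROOT/bin/mount"
CLEAN_ROOT=$(mktemp -d); mkdir -p "$CLEAN_ROOT/bin" "$CLEAN_ROOT/sbin"

# Example run against the samples (on the real box: check_mount_opts /proc/mounts /tmp; check_tools_removed /).
check_mount_opts "$GOOD_MOUNTS" /tmp && echo "/tmp ramdisk options OK"
check_tools_removed "$CLEAN_ROOT" && echo "no forbidden tools under $CLEAN_ROOT"
```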