Subject: Re: r/o filesystem restrictions for firewall?
To: Jon Lindgren <jlindgren@slk.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: port-sparc
Date: 10/24/2000 10:44:51
On Mon, Oct 23, 2000 at 03:55:34PM -0400, Jon Lindgren wrote:
> Correct.  I want [read: need] this box to be:
> 
> 1) Insert NetBSD CD mod'd to be a firewall,
> 2) Boot
> 3) Enjoy
> 
> [lather, rinse, repeat]
> 
> I'd basically be happy with it logging to a specific IP addr (syslog...),
> perhaps mailing me little ditties every once and a while, and allowing me
> to telnet in to make temp changes (i.e. ifconfig's or such).  But

IHMO a the configuration of such a machine should be done only from
console. No telnet, ssh or whatever. If your machine gets breaked in,
the intruder could then remove ip filters.

> otherwise I'd like it to be immutable.  No spinning disks to worry
> about.  If it goes down, the only things I have to worry about are 1) is

Hum, I still believe a HD is better than a CD - CD drives are not that
reliable, especially if used as a root FS, with lots of accesses.

> there a vulnerability in NetBSD or a package or how I've set it up, and  
> if not then 2) will it reboot?
> 
> Kind of a 'no muss, no fuss' solution for a man too poor to buy a big
> cisco ;-)

If it's just to serve as a filtering router, IHMO you'd better have
a local hard disk, and dissalow any network access to the machine.
It's not because the disk is RO that an intruder couldn't manage to change
filter rules and break into your network.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--