Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Jon Lindgren <jlindgren@slk.com>
List: tech-security
Date: 10/24/2000 13:45:06
cc: tech-security@netbsd.org, tech-kern@netbsd.org
In-Reply-To: <20001024133647.A7740@rek.tjls.com>
Message-ID: <Pine.WNT.4.21.0010241344030.731-100000@a28043.net.slk.com>

On Tue, 24 Oct 2000, Thor Lancelot Simon wrote:

> On Tue, Oct 24, 2000 at 11:05:38AM -0400, Jon Lindgren wrote:
> > I began a discussion a day or so ago on port-sparc and netbsd-help
> > regarding setting up a firewall with r/o local disks (specifically, using
> > a CD to boot, and allowing _no_ local writes to the disk).
> > 
> > After many suggestions on how to accomplish this, a suggestion was made as
> > to a theoretical securelevel 3 where not much at all can be changed (no
> > ipf rules added, etc...).
> 
> I don't at all understand what's "theoretical" about this, or what
> enhancements would be required.  The policy enforced at securelevel
> 2 was designed and implemented *specifically* for this purpose and
> AFAICT works fine.  If you don't understand how to use it to achieve your
> goal, I suggest that you really shouldn't be tinkering with the system's
> security model.

Then I definitely don't know exactly what securelevel 2 is.  Is there a
spot to read up on exactly what it does and what it affects?

Thanks.

-Jon
 --------------------------------------------------------------------
 "Trout are freshwater fish, and have underwater weapons."
 "Zing, zing zing zing!"
 "Keep away from the trout."
 -- The opinions expressed are not necessarily those of my employer --
 "Who stole my lawn?"