Subject: Re: r/o filesystem restrictions for firewall?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Brandon D. Valentine <bandix@looksharp.net>
List: netbsd-help
Date: 10/23/2000 15:48:10
On Mon, 23 Oct 2000, Manuel Bouyer wrote:

>On Mon, Oct 23, 2000 at 12:26:07PM -0400, Jon Lindgren wrote:
>> I finally have a spare sparc to use as a true firewall.  I'm planning to
>> burn a CD for this sucker to boot from.  I don't want it to have local 
>> mass storage (besides the cd...).
>> 
>> I've been looking around at regular processes which run and require
>> temporary files, such as the daily security items, etc...  I figure I can
>> knock syslog stuff to a remote machine, I'll be disabling mail and other
>> audit scripts (hmmm....), but what about items such as /var/log/wtmp and
>> such?
>> 
>> So the 1e6 dollar question is: does anyone have any ideas what other
>> subsystems may be affected by having a r/o local filesystem when running
>> multiuser?  I've been able to experiment for a few hours or so, but I've
>> not run the thing for months yet...
>> 
>> Any ideas, tips, etc... are well appreciated.
>
>If you intend to let users log in, then you'll need a writeable /dev
>too.
>Here's what I've done for my sparc machines I use as telnet/ssh gateway:
>/, /usr, /netroot and /tripwire are on a R/O filesystem (in my case a scsi
>disk which has the appropriate jumper, but this shouldn't matter).
>/netroot/home, /netroot/dev and /netroot/var are mounted R/W, noexec for all
>and nodev for /netroot/home & /netroot/var (/netroot/dev is writable by
>root only anyway, and you can play with chflags to limit what can be done).
>As you guessed, inetd & ssh are chrooted to /netroot.
>/netroot has only a limited set of binaries (not mount, for example),
>/netroot/dev a limited set of devices (tty/pty, zero, null, ... no disks of
>course).

One must question the intelligence of making his firewall dependent on
any other machine.  Get a hard drive, a couple hundred megs will do ya
just fine.  If you want to make a disk image of the fully configured
firewall that might not be a bad idea so as to let you quickly reinstall
in case of a root compromise.  Trust me, you *don't* want your firewall
to depend on an NFS server being up.

-- 
Brandon D. Valentine <bandix@looksharp.net>
"Few things are harder to put up with than the annoyance of a
good example."  --  Mark Twain, Pudd'nhead Wilson
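The mount layout Manuel describes above (read-only /, /usr and /netroot, with /netroot/home, /netroot/var and /netroot/dev writable but noexec, and nodev on home and var) is easy to get subtly wrong over months of uptime, so here is an added example, not part of the thread, of a small POSIX sh audit that compares an fstab-style mount listing against that policy. The policy table, the mount points under /netroot and the sample listing are constructed for illustration; on NetBSD, `mount -p` prints the live mounts in fstab format, which is what the function expects on stdin.

```shell
#!/bin/sh
# Added example: audit mount options against the read-only gateway layout
# described in the thread. Nothing here is taken from the poster's system.

# Hypothetical policy: mount point followed by the options it must carry.
POLICY='
/ ro
/usr ro
/netroot ro
/netroot/home rw,noexec,nodev
/netroot/var rw,noexec,nodev
/netroot/dev rw,noexec
'

# Constructed sample listing in fstab format (what "mount -p" prints on
# NetBSD). /netroot/var deliberately lacks nodev so the audit finds it.
SAMPLE='# device mountpoint fstype options dump pass
/dev/sd0a / ffs ro 1 1
/dev/sd0d /usr ffs ro 1 2
/dev/sd0e /netroot ffs ro 1 2
/dev/sd1a /netroot/home ffs rw,noexec,nodev 1 2
/dev/sd1d /netroot/var ffs rw,noexec 1 2
/dev/sd1e /netroot/dev ffs rw,noexec 1 2'

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_violations reads fstab-style lines on stdin, reports each missing
# option on stderr, and prints the number of violations on stdout.
# Mount points not named in POLICY are ignored.
count_violations() {
    violations=0
    while read -r dev mp fstype opts rest; do
        [ -z "$dev" ] && continue
        case "$dev" in '#'*) continue ;; esac
        required=$(printf '%s\n' "$POLICY" | awk -v mp="$mp" '$1 == mp { print $2 }')
        [ -z "$required" ] && continue
        for opt in $(printf '%s\n' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$opt"; then
                echo "$mp: missing $opt (has: $opts)" >&2
                violations=$((violations + 1))
            fi
        done
    done
    echo "$violations"
}

# Stand-alone run against the constructed sample; reports one violation.
printf '%s\n' "$SAMPLE" | count_violations
```

On a real gateway the invocation is `mount -p | count_violations`; a non-zero count from a cron job is a cheap way to notice that a remount or a hand edit quietly dropped noexec or nodev from one of the writable partitions.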