Subject: Re: r/o filesystem restrictions for firewall?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Brandon D. Valentine <bandix@looksharp.net>
List: port-sparc
Date: 10/23/2000 15:48:10
On Mon, 23 Oct 2000, Manuel Bouyer wrote:
>On Mon, Oct 23, 2000 at 12:26:07PM -0400, Jon Lindgren wrote:
>> I finally have a spare sparc to use as a true firewall. I'm planning to
>> burn a CD for this sucker to boot from. I don't want it to have local
>> mass storage (besides the cd...).
>>
>> I've been looking around at regular processes which run and require
>> temporary files, such as the daily security items, etc... I figure I can
>> knock syslog stuff to a remote machine, I'll be disabling mail and other
>> audit scripts (hmmm....), but what about items such as /var/log/wtmp and
>> such?
>>
>> So the 1e6 dollar question is: does anyone have any ideas what other
>> subsystems may be affected by having a r/o local filesystem when running
>> multiuser? I've been able to experiment for a few hours or so, but I've
>> not run the thing for months yet...
>>
>> Any ideas, tips, etc... are well appreciated.
>
>If you intend to let users to log in, then you'll need a writeable /dev
>too.
>Here's what I've done for my sparc machines I use as telnet/ssh gateway:
>/, /usr, /netroot and /tripwire are on a R/O filesystem (in my case a scsi
>disk which have the appropriate jumper, but this shouldn't matter).
>/netroot/home, /netroot/dev and /netroot/var are mounted R/W, noexec for all
>and nodev for /netroot/home & /netroot/var (/netroot/dev is writable by
>root ony anyway, and you can play with chflags to limit what can be done).
>As you guessed, inetd & ssh are chrooted to /netroot.
>/netroot has only a limited set of binaries (not mount, for example),
>/netroot/dev a limited set of devices (tty/pty, zero, null, ... no disks of
>course).
One must question the intelligence of making his firewall dependent on
any other machine. Get a hard drive, a couple hunded megs will do ya
just fine. If you want to make a disk image of the fully confiured
firewall that might not be a bad idea so as to let you quickly reinstall
in case of a root compromise. Trust me, you *don't* want your firewall
to depend on an NFS server being up.
--
Brandon D. Valentine <bandix@looksharp.net>
"Few things are harder to put up with than the annoyance of a
good example." -- Mark Twain, Pudd'nhead Wilson