Subject: Re: r/o filesystem restrictions for firewall?
To: Brandon D. Valentine <bandix@looksharp.net>
From: Jon Lindgren <jlindgren@slk.com>
List: port-sparc
Date: 10/23/2000 15:55:34
On Mon, 23 Oct 2000, Brandon D. Valentine wrote:
[snip]
> One must question the intelligence of making his firewall dependent on
> any other machine. Get a hard drive, a couple hunded megs will do ya
> just fine. If you want to make a disk image of the fully confiured
> firewall that might not be a bad idea so as to let you quickly reinstall
> in case of a root compromise. Trust me, you *don't* want your firewall
> to depend on an NFS server being up.
Correct. I want [read: need] this box to be:
1) Insert NetBSD CD mod'd to be a firewall,
2) Boot
3) Enjoy
[lather, rinse, repeat]
I'd basically be happy with it logging to a specific IP addr (syslog...),
perhaps mailing me little ditties every once and a while, and allowing me
to telnet in to make temp changes (i.e. ifconfig's or such). But
otherwise I'd like it to be immutable. No spinning disks to worry
about. If it goes down, the only things I have to worry about are 1) is
there a vulnerability in NetBSD or a package or how I've set it up, and
if not then 2) will it reboot?
Kind of a 'no muss, no fuss' solution for a man too poor to buy a big
cisco ;-)
-Jon
--------------------------------------------------------------------
"Trout are freshwater fish, and have underwater weapons."
"Zing, zing zing zing!"
"Keep away from the trout."
-- The opinions expressed are not necesarily those of my employer --
"Who stole my lawn?"