On Tue, 24 Oct 2000, Manuel Bouyer wrote:

[snip]

> IHMO a the configuration of such a machine should be done only from
> console. No telnet, ssh or whatever. If your machine gets breaked in,
> the intruder could then remove ip filters.

I'd agree.

> > otherwise I'd like it to be immutable.  No spinning disks to worry
> > about.  If it goes down, the only things I have to worry about are 1) is
> 
> Hum, I still believe a HD is better than a CD - CD drives are not that
> reliable, especially if used as a root FS, with lots of accesses.

Yeah, point well taken.  I think I've had to replace too many drives in
the past.  I really want this box to be more of a "set it, monitor it, and
forget it" type of idea, tho - as long as the box is powered, it's
probably running and doing an okay job at it... Problem? Power cycle
it. No local disk checks, no disk to go bad, etc... just pop in a CD and
go.  Whole box dies?  Well, move the CD to another box.

See what I mean?  It may be pratically unatainable, but I'd like to give
it a shot.

> > there a vulnerability in NetBSD or a package or how I've set it up, and  
> > if not then 2) will it reboot?
> > 
> > Kind of a 'no muss, no fuss' solution for a man too poor to buy a big
> > cisco ;-)
> 
> If it's just to serve as a filtering router, IHMO you'd better have
> a local hard disk, and dissalow any network access to the machine.
> It's not because the disk is RO that an intruder couldn't manage to change
> filter rules and break into your network.

Again, point well taken. 

-Jon
 --------------------------------------------------------------------
 "Trout are freshwater fish, and have underwater weapons."
 "Zing, zing zing zing!"
 "Keep away from the trout."
 -- The opinions expressed are not necesarily those of my employer --
 "Who stole my lawn?"