[1210] in linux-security and linux-alert archive
Re: [linux-security] Linux firewall with ro fs?
daemon@ATHENA.MIT.EDU (Zoltan Hidvegi)
Sat Oct 12 07:41:29 1996
From: Zoltan Hidvegi <hzoli@cs.elte.hu>
To: kadlec@blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Thu, 10 Oct 1996 00:06:57 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu, kadlec@blackhole.kfki.hu
In-Reply-To: <Pine.LNX.3.91.961007102811.3463A-100000@blackhole.kfki.hu> from Jozsef Kadlecsik at "Oct 7, 96 10:36:36 am"
Jozsef Kadlecsik wrote:
> Hello,
>
> I'm thinking of building a firewall with Linux and have just thought
> the following: I'm paranoid on firewalls and want it to be as secure
> as possible. Is there any difficulty in running Linux with all
> filesystems ro? (The only writable fs would be /var = noexec, nosuid,
> nodev.) The mount command would be a patched one which wouldn't
> make it possible to re-mount an fs to r/w.
It seems to be perfectly possible. On the Linux systems I manage I am able
to remount /usr and / ro any time. I have used this a few times to fsck /
and /usr without shutting down the system. None of these systems are
firewalls but one of them is a heavily used NFS/ftp/www server with www
proxy cache etc. I think all current distributions allow ro mounted /usr
and / filesystems.
> [REW: Good idea. Remember to make /tmp a link to /var/tmp. Don't
> bother with the mount thing. I'd assume that the hackers would be
> able to get themselves a new mount binary. (If they are already running
> stuff as root.......)
They could not execute the mount binary with noexec on /var. But they can
probably write it in perl. Any program which can load user specified
binary modules should be disabled. The best solution is probably to put
together such a system by hand including only those binaries which are
necessary for the firewall.
> I'd suggest delving into the kernel sources and finish off implementing
> "securelevel" which would disallow reading/writing devices, and remounting
> filesystems r/w, loading modules etc etc..]
That would be the real solution.
Zoltan
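The layout discussed in this thread (/ and /usr mounted ro, /var as the only writable filesystem with noexec, nosuid and nodev) can be verified from a /proc/mounts-style table. The script below is an added example, not code from the thread or its participants; the mount table it checks is constructed, and the device names and ext2 type are assumptions.

```shell
#!/bin/sh
# Added example: check that a /proc/mounts-style table matches the
# read-only firewall layout from the thread. The table is constructed.
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 ro 0 0
/dev/hda3 /var ext2 rw,noexec,nosuid,nodev 0 0
proc /proc proc rw 0 0'

# has_opt MOUNTPOINT OPTION TABLE -> 0 if the mount point's option list
# contains OPTION as a whole word, 1 otherwise (also 1 if not mounted).
has_opt() {
    printf '%s\n' "$3" | awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_layout TABLE -> prints one line per unmet requirement and returns
# the number of failures (0 means the table matches the layout).
check_layout() {
    table=$1
    fails=0
    for mp in / /usr; do
        has_opt "$mp" ro "$table" ||
            { echo "FAIL: $mp is not mounted ro"; fails=$((fails + 1)); }
    done
    for opt in noexec nosuid nodev; do
        has_opt /var "$opt" "$table" ||
            { echo "FAIL: /var lacks $opt"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# On a live system run: check_layout "$(cat /proc/mounts)"
check_layout "$SAMPLE_MOUNTS" && echo "layout OK"
```

The check reports an rw remount of / or /usr as well as a missing noexec/nosuid/nodev on /var, which is exactly the state the thread wants the patched mount command and a future securelevel to prevent.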