[1211] in linux-security and linux-alert archive


[linux-security] Summary: Linux firewall with ro fs?

daemon@ATHENA.MIT.EDU (Jozsef Kadlecsik)
Sat Oct 12 07:41:53 1996

Date: Fri, 11 Oct 1996 09:17:42 +0100 (MET)
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: linux-security@tarsier.cv.nrao.edu
cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
In-Reply-To: <Pine.LNX.3.91.961007102811.3463A-100000@blackhole.kfki.hu>

Hello,

My question was:

> I'm thinking of building a firewall with Linux and have just thought 
> the following: I'm paranoid about firewalls and want it to be as secure
> as possible. Is there any difficulty in running Linux with all 
> filesystems ro? (The only writable fs would be /var = noexec, nosuid, 
> nodev.) The mount command would be a patched one which wouldn't
> make it possible to re-mount an fs to r/w.

I received three types of answers/solutions:

1. It's OK and doable, but don't forget about /var/spool/cron/crontabs/root
   and other critical files under the writable /var.

2. Better use SCSI disks with hardware pin for ro - or CD-ROM.

3. Use one-floppy system with ramdisk, so the system doesn't need a hard 
   disk at all.

I must admit I love the idea of the latter, however I cannot see how 
I could handle the problem of a possibly big mail spool, not to mention the 
static binaries versus shared libraries question.

[REW: Oh.. naughty naughty, you want to run stuff on your firewall....
(Some people think a firewall shouldn't run any applications like mail)]

I think I'll choose the solution of a physically ro SCSI disk and an rw disk 
with carefully checked /var.

Thank you for the answers sent to me privately or via this mailing list.

With the best regards,
Jozsef Kadlecsik
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          P.O.B 49 Budapest, 1525 Hungary
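As an added illustration of the policy in point 1 above (this script is not part of the original message or thread): a small sh audit that reads a /proc/mounts-style listing and reports every disk filesystem that is not ro, and a /var that is missing any of noexec, nosuid or nodev. The function names has_opt and audit_mounts and the sample mounts listing are my own constructions.

```shell
#!/bin/sh
# Mount-policy audit for the setup described in the summary: every disk
# filesystem read-only, /var the sole writable one, mounted noexec,nosuid,nodev.
# Added illustration, not from the original thread. Reads a /proc/mounts-style
# file, so it runs against a constructed sample as well as the live system.

# has_opt OPTS NAME: true if NAME appears in the comma-separated OPTS list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_mounts FILE: print one line per violation, return 1 if any were found.
audit_mounts() {
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in
            proc|sysfs|devpts|tmpfs) continue ;;   # pseudo filesystems, nothing on disk
        esac
        if [ "$mnt" = /var ]; then
            has_opt "$opts" ro && { echo "/var: must stay writable"; bad=1; }
            for need in noexec nosuid nodev; do
                has_opt "$opts" "$need" || { echo "/var: missing $need"; bad=1; }
            done
        else
            has_opt "$opts" ro || { echo "$mnt: writable ($opts)"; bad=1; }
        fi
    done < "$1"
    return $bad
}

# Constructed sample in /proc/mounts format (not a real system): /var lacks noexec.
SAMPLE_MOUNTS="${TMPDIR:-/tmp}/mounts.sample.$$"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext2 ro 0 0
/dev/sda2 /usr ext2 ro 0 0
/dev/sdb1 /var ext2 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
EOF

audit_mounts "$SAMPLE_MOUNTS" || echo "policy violations found"
```

On a live box, run audit_mounts /proc/mounts; the cron files under /var mentioned in point 1 still need a separate ownership and permission check, which this script does not do.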
