Re: [suse-security] Re: Newbie firewall installation question
Hi Carl!
Well, yes, I guess that would indeed be a very secure solution, but not very easy to administrate. Having a read-only root partition requires quite some work, although there are probably some good HOWTOs out there, describing the necessary steps. Another problem is that your read-write area doesn't survive a reboot, so stuff like logfiles (well, you can log to another machine) or squid caches (if you have that) are lost. In short: certainly doable, but IMHO not worth the hassle.
Regards, Florian Kirchmeir
Carl Albert Schreiber wrote:
Hi Florian & all the others,
additionally to what you said, wouldn't it be a good solution to have: one harddisk (or 2 raid..?) 'writeprotected' with all the Linux and the firewall stuff, and another harddisk or just an old-fashioned RAM disk for all the folders where the system and/or the programs and services are going to write and to store in (probably bad English, sorry). With a cron this writeable disk has to be taken care of regularly, which should be no problem.
Would such a system be a problem or would it be maybe safer than the normal way? I'm asking because from my viewpoint it is safe and I think it should be the 'default structure', no?
Carl
I have set up firewalls before that have / mounted read-only as well as the other partitions. It works, but it can be a hassle to administrate, especially if you make changes frequently, because a change usually requires at least two reboots. Syslog can really be a problem with a read-only file system. You either need to disable it or log to another server. If you have your firewall working and in place and don't plan on making any changes to it, go ahead and make it mount all partitions in read-only mode and while you're at it (if you are using ext2 filesystem) do a chattr -R +i /* and you will definitely be secure.
On Mon, 16 Jul 2001, Florian Kirchmeir wrote:
Hi Carl!
Well, yes, I guess that would indeed be a very secure solution, but not very easy to administrate. Having a read-only root partition requires quite some work, although there are probably some good HOWTOs out there, describing the necessary steps. Another problem is that your read-write area doesn't survive a reboot, so stuff like logfiles (well, you can log to another machine) or squid caches (if you have that) are lost. In short: certainly doable, but IMHO not worth the hassle.
Regards, Florian Kirchmeir
Carl Albert Schreiber wrote:
Hi Florian & all the others,
additionally to what you said, wouldn't it be a good solution to have: one harddisk (or 2 raid..?) 'writeprotected' with all the Linux and the firewall stuff, and another harddisk or just an old-fashioned RAM disk for all the folders where the system and/or the programs and services are going to write and to store in (probably bad English, sorry). With a cron this writeable disk has to be taken care of regularly, which should be no problem.
Would such a system be a problem or would it be maybe safer than the normal way? I'm asking because from my viewpoint it is safe and I think it should be the 'default structure', no?
Carl
Chad Whitten Network/Systems Administrator Nexband Communications chadwick@nexband.com
Hi Chad!
dog@intop.net wrote:
I have set up firewalls before that have / mounted read-only as well as the other partitions. It works, but it can be a hassle to administrate, especially if you make changes frequently, because a change usually requires at least two reboots.
Well, it's not that bad, fortunately. You can always remount your root-fs read-write (and then ro again), without rebooting:
    mount -o remount -o rw /
    mount -o remount -o ro /
Otherwise I'm with you.
Have a nice day!
Florian Kirchmeir
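Added example, not part of the original thread: a shell check to run after a maintenance remount, confirming that / went back to read-only and that only the intended scratch area is writable. It reads a table in /proc/mounts format on stdin; the function names, the constructed sample table and the choice of /var as the writable area are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report filesystems still mounted rw.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext2 rw 0 0
/dev/hda2 /usr ext2 ro,nodev 0 0
/dev/ram0 /var ext2 rw,noexec 0 0
proc /proc proc rw 0 0
EOF
}

# writable_mounts [ALLOWED_MOUNTPOINT...]   (mount table on stdin)
# Prints "mountpoint fstype" for every rw mount that is neither a kernel
# pseudo-filesystem nor in the allowed list. Returns 1 if any were found.
writable_mounts() {
    allowed=" $* "
    found=0
    while read -r dev mnt fstype opts rest; do
        case $fstype in
            proc|sysfs|devpts|devtmpfs) continue ;;   # not real storage
        esac
        case $allowed in
            *" $mnt "*) continue ;;                   # intended scratch area
        esac
        case ",$opts," in
            *,rw,*) echo "$mnt $fstype"; found=1 ;;   # match rw as a whole option
        esac
    done
    [ "$found" -eq 0 ]
}

# Demo on the constructed table: / was left read-write after maintenance.
sample_mounts | writable_mounts /var \
    || echo "read-write filesystems found (listed above)" >&2
```

On a live system the same check is `writable_mounts /var < /proc/mounts`, for example from cron, so a root filesystem left read-write after a change is noticed.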