Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Re: Newbie firewall installation question
  • From: <dog@xxxxxxxxx>
  • Date: Mon, 16 Jul 2001 11:14:39 -0500 (CDT)
  • Message-id: <Pine.LNX.4.31.0107161110240.27030-100000@xxxxxxxxxxxxx>
I have set up firewalls before that have / mounted read-only as well as the
other partitions. It works, but it can be a hassle to administrate,
especially if you make changes frequently, because a change usually
requires at least two reboots. Syslog can really be a problem with a
read-only file system. You either need to disable it or log to another
server. If you have your firewall working and in place and don't plan on
making any changes to it, go ahead and make it mount all partitions in
read-only mode and while you're at it (if you are using the ext2 filesystem) do
a chattr -R +i /* and you will definitely be secure.

On Mon, 16 Jul 2001, Florian Kirchmeir wrote:

>Hi Carl!
>
>Well, yes, I guess that would indeed be a very secure solution, but not
>very easy to administrate.
>Having a read-only root partition requires quite some work, although
>there are probably some good HOWTOs out there, describing the necessary
>steps.
>Another problem is that your read-write area doesn't survive a reboot,
>so stuff like logfiles (well, you can log to another machine) or squid
>caches (if you have that) are lost.
>In short: certainly doable, but IMHO not worth the hassle.
>
>Regards,
>Florian Kirchmeir
>
>Carl Albert Schreiber wrote:
>
>> Hi Florian & all the others,
>>
>> additionally to what you said, wouldn't it be a good solution
>> to have:
>> one harddisk (or 2 raid..?) 'writeprotected' with all the Linux-
>> and the Firewall Stuff and
>> another harddisk or just an old-fashioned RAM disk for all the
>> folders, where the system and/or the programs and services are
>> going to write and to store in (probably bad english, sorry)
>> With a cron this writeable disk has to be taken care of regularly,
>> which should be no problem.
>>
>> Would such a system be a problem or would it maybe be safer than
>> the normal way?
>> I'm asking because from my viewpoint it is safe and I think it
>> should be the 'default structure', no?
>>
>> Carl
>
>

Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@xxxxxxxxxxx
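A defender-side audit of the layout discussed in this thread (real partitions mounted read-only, a RAM-backed scratch area, firewall binaries made immutable with chattr +i). This is an added example, not code from any of the posters; the mount table and lsattr output below are constructed sample data in /proc/mounts and "lsattr -d" format, so on a real host you would feed it "$(cat /proc/mounts)" and the output of lsattr instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: /var is still writable,
# which is exactly the syslog problem the mail above describes.
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 ro,nosuid 0 0
/dev/hda3 /var ext2 rw 0 0
none /proc proc rw 0 0
none /dev/pts devpts rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Print the mount points of real (disk-backed) filesystems that are mounted
# rw. Pseudo and RAM-backed filesystems are skipped on purpose: a writable
# RAM disk for scratch data is what the thread proposes, not a finding.
writable_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "proc" || $3 == "devpts" || $3 == "tmpfs" || $3 == "sysfs" { next }
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") { print $2; break }
        }'
}

# Exit status 0 when every disk-backed filesystem is read-only, 1 otherwise.
# A writable /var means either accept local logging or point syslogd at a
# loghost so the local disk can stay ro.
all_read_only() {
    [ -z "$(writable_mounts "$1")" ]
}

# Constructed "lsattr -d" output: the flags field precedes the path, and an
# "i" in it means chattr +i has been applied (hypothetical paths).
SAMPLE_LSATTR='----i-------- /sbin/iptables
------------- /etc/rc.d/rc.firewall
----i-------- /etc/passwd'

# Print the paths whose flags field lacks the immutable (i) attribute.
not_immutable() {
    printf '%s\n' "$1" | awk 'index($1, "i") == 0 { print $2 }'
}

echo "writable disk-backed mounts:"; writable_mounts "$SAMPLE_MOUNTS"
echo "files without +i:";            not_immutable "$SAMPLE_LSATTR"
```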

