Date:      Fri, 10 Aug 2001 03:14:30 +0200
From:      Ivan Krstic <ike@gnjilux.srk.fer.hr>
To:        freebsd-security@freebsd.org
Subject:   Re: Separate firewall or not...OOPS no subject sorry!
Message-ID:  <20010810031430.S3889@gnjilux.cc.fer.hr>
In-Reply-To: <20010810004749.15817.qmail@web12004.mail.yahoo.com>; from bsd2000au@yahoo.com.au on Fri, Aug 10, 2001 at 10:47:49AM +1000
References:  <20010810004420.33780.qmail@web12008.mail.yahoo.com> <20010810004749.15817.qmail@web12004.mail.yahoo.com>

On Fri, Aug 10, 2001 at 10:47:49AM +1000, Keith Spencer wrote:
> Should I build a separate perimeter firewall machine
> with only that on it...restrict/remove compilers etc
> (how do I do that?) and have the router/dns/web/mail
> server inside the perimeter.

This would be the most desired solution, if you have the resources to spare for
a separate firewall machine. If this machine would serve no other purpose
besides being a firewall, just about any old box (PI) will do for SOHOs.

My recommendations would be not to have ANY services running on this box at all
(firewalled ssh if physical access is not available). In that sense, don't
forget to turn off inetd completely, and if your firewall configuration does not
change often, you might want to put the machine in securelevel 3 (sysctl
kern.securelevel) so ipfw chains cannot be changed without a reboot.

Obviously, it would be best if this machine had only one user account - yours.
With this setup, disabling gcc is not too important, but you can still chown it
to root.root and set its permissions to 700. Do, however, keep in mind that if
somehow this machine gets compromised, attackers will have alternatives to using
your gcc (using pre-compiled binaries, using lynx or wget to acquire gcc, etc.).

I'm currently in the process of writing a brief locking-down-FreeBSD paper, and
I'll be sure to post its address here once it's completed.

Best regards,

-- 
Ivan Krstic - ike 
" life is the road beneath my feet, 
  love is the girl I wait to meet, 
  and art is everything I create, 
  rob me of any and I will hate, 
  you, my God, my devil, my fate " 
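
The settings Ivan recommends above (inetd switched off, securelevel 3 so the ipfw rules are frozen until reboot, and the compiler restricted to root with mode 700) can be checked with a small script like the one below. This is an added example written for this archive page; it is not code from the original post and not FreeBSD's own tooling. The helper names (rc_value, rc_findings, rc_finding_count, lock_compiler) and the two sample rc.conf files are constructed for the example. It audits an rc.conf for the knobs that make those settings persistent across reboots (inetd_enable, kern_securelevel_enable, kern_securelevel) and tightens a compiler binary to mode 700; the chown to root is left as a comment because it needs root to run.

```shell
#!/bin/sh
# Added example, not from the original post.  Audits an rc.conf for the
# hardening knobs discussed in the thread and locks down a compiler binary.
# Helper names and sample files are constructed for this example.

# rc_value FILE KEY: print KEY's value from a key="value" rc.conf line.
# The last assignment wins, as it does in a real rc.conf; empty if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"*\([^\"]*\)\"*.*$/\1/p" "$1" | tail -n 1
}

# rc_findings FILE: print one line per recommendation that is NOT met,
# nothing when the file is fully hardened.  Always exits 0 (safe under set -e).
rc_findings() {
    f="$1"
    inetd=$(rc_value "$f" inetd_enable)
    sl_on=$(rc_value "$f" kern_securelevel_enable)
    sl=$(rc_value "$f" kern_securelevel)
    # Require an explicit NO rather than trusting the release's default.
    case "$inetd" in
        [Nn][Oo]) ;;
        *) echo "inetd_enable is not NO (got '${inetd:-unset}')" ;;
    esac
    # securelevel 3 must be raised at boot; once raised it cannot be lowered
    # without a reboot, which is exactly the property wanted for ipfw rules.
    if [ "$sl_on" != "YES" ] || [ "$sl" != "3" ]; then
        echo "kern_securelevel_enable/kern_securelevel not YES/3 (got '${sl_on:-unset}'/'${sl:-unset}')"
    fi
    return 0
}

# rc_finding_count FILE: number of findings, handy for scripting.
rc_finding_count() {
    rc_findings "$1" | grep -c . || true
}

# lock_compiler PATH: mode 700 so only the owner can execute it.  The post
# also suggests owning it by root, which needs privileges:  chown root "$1"
# Prints "locked" when the mode is exactly 0700 afterwards, "open" otherwise.
lock_compiler() {
    chmod 700 "$1"
    if [ -n "$(find "$1" -perm 0700 -print)" ]; then echo locked; else echo open; fi
}

# --- constructed sample files so the script runs stand-alone ---------------
TMP=${TMPDIR:-/tmp}/fwaudit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/rc.conf.weak" <<'EOF'
# constructed: inetd left on, no securelevel configured
inetd_enable="YES"
sshd_enable="YES"
EOF
cat > "$TMP/rc.conf.hard" <<'EOF'
# constructed: the settings recommended in the thread
inetd_enable="NO"
sshd_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"
EOF
printf '#!/bin/sh\necho fake cc\n' > "$TMP/cc"   # stand-in for /usr/bin/cc
chmod 755 "$TMP/cc"

echo "== weak rc.conf ==";     rc_findings "$TMP/rc.conf.weak"
echo "== hardened rc.conf =="; rc_findings "$TMP/rc.conf.hard"
echo "compiler: $(lock_compiler "$TMP/cc")"
```

Point rc_findings at a real /etc/rc.conf to audit a box; on the firewall itself the live state is confirmed with `sysctl kern.securelevel` and by checking that no inetd process is running.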
