From: Ivan Krstic
Date: Fri, 10 Aug 2001 03:14:30 +0200
To: freebsd-security@freebsd.org
Subject: Re: Separate firewall or not...OOPS no subject sorry!
Message-ID: <20010810031430.S3889@gnjilux.cc.fer.hr>
References: <20010810004420.33780.qmail@web12008.mail.yahoo.com> <20010810004749.15817.qmail@web12004.mail.yahoo.com>
In-Reply-To: <20010810004749.15817.qmail@web12004.mail.yahoo.com>; from bsd2000au@yahoo.com.au on Fri, Aug 10, 2001 at 10:47:49AM +1000

On Fri, Aug 10, 2001 at 10:47:49AM +1000, Keith Spencer wrote:
> Should I build a separate perimeter firewall machine
> with only that on it...restrict/remove compilers etc
> (how do I do that?) and have the router/dns/web/mail
> server inside the perimeter.

This would be the most desired solution, if you have the resources to spare for a separate firewall machine. If this machine would serve no other purpose beside being a firewall, just about any old box (PI) will do for SOHOs.
My recommendations would be not to have ANY services running on this box at all (firewalled ssh if physical access is not available). In that sense, don't forget to turn off inetd completely, and if your firewall configuration does not change often, you might want to put the machine in securelevel 3 (sysctl kern.securelevel) so ipfw chains cannot be changed without a reboot. Obviously, it would be best if this machine had only one user account - yours.

With this setup, disabling gcc is not too important, but you can still chown it to root.root and set its permissions to 700. Do, however, keep in mind that if somehow this machine gets compromised, attackers will have alternatives to using your gcc (using pre-compiled binaries, using lynx or wget to acquire gcc, etc.)

I'm currently in the process of writing a brief locking-down-FreeBSD paper, and I'll be sure to post its address here once it's completed.

Best regards,

-- 
Ivan Krstic - ike
" life is the road beneath my feet, love is the girl I wait to meet, and art is everything I create, rob me of any and I will hate, you, my God, my devil, my fate "
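As an added illustration of the three checks recommended in the reply above (this script is not part of the original thread and not FreeBSD's own code): a small POSIX sh audit that confirms inetd is off in rc.conf, that the securelevel is 3 or higher, and that the compiler binary is root-owned with mode 0700. It assumes the FreeBSD defaults /etc/rc.conf and /usr/bin/gcc and that `sysctl -n kern.securelevel` prints the running securelevel; each check takes its input as an argument so the same functions can be pointed at a copied rc.conf or a different owner when reviewing another box.

```shell
#!/bin/sh
# Added example: audit a dedicated FreeBSD firewall box against the advice
# in the reply above. Paths and the sysctl name are assumptions (FreeBSD defaults).

# Succeeds when the given rc.conf does not enable inetd (last assignment wins).
rc_inetd_disabled() {
    val=$(grep -E '^[[:space:]]*inetd_enable=' "$1" | tail -n 1 \
          | sed -e 's/^[^=]*=//' -e 's/["[:space:]]//g')
    case "$val" in
        [Yy][Ee][Ss]) return 1 ;;   # inetd_enable="YES": inetd would start at boot
        *)            return 0 ;;   # unset or "NO": inetd stays off
    esac
}

# Succeeds when the securelevel value given as $1 is 3 or higher, i.e. high
# enough that ipfw rules cannot be changed without a reboot.
securelevel_ok() {
    [ "$1" -ge 3 ] 2>/dev/null
}

# Succeeds when $1 is absent, or is owned by $2 (default root) with mode 0700.
compiler_locked() {
    f="$1"; owner="${2:-root}"
    [ -e "$f" ] || return 0              # no compiler installed: nothing to lock
    set -- $(ls -ld "$f")                # fields: mode links owner group ...
    [ "$3" = "$owner" ] || return 1
    case "$1" in
        -rwx------*) return 0 ;;         # rwx for owner only (trailing '+', '@' or '.' is fine)
        *)           return 1 ;;
    esac
}

# Run all three checks on the local host and report; returns 1 on any finding.
audit_firewall_host() {
    rc=0
    rc_inetd_disabled /etc/rc.conf || { echo "FAIL: inetd enabled in /etc/rc.conf"; rc=1; }
    lvl=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    securelevel_ok "$lvl" || { echo "FAIL: kern.securelevel is $lvl (want >= 3)"; rc=1; }
    compiler_locked /usr/bin/gcc || { echo "FAIL: /usr/bin/gcc is not root-owned mode 0700"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: firewall host checks passed"
    return "$rc"
}

# Run the live audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_firewall_host; fi
```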