Date: Thu, 31 Jan 2002 00:53:54 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: "Jacques A. Vidrine" <n@nectar.cc>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, freebsd-stable@FreeBSD.ORG
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <p0510122bb87e879d4ad3@[128.113.24.47]>
In-Reply-To: <p0510122ab87e828d1b16@[128.113.24.47]>
References: <JI75GAYSTRA5PJZYUKGON75TOB88.3c586114@VicNBob>
 <200201310042.g0V0g3255325@apollo.backplane.com>
 <20020130202356.A47852@hellblazer.nectar.cc>
 <p05101226b87e6b0f9966@[128.113.24.47]>
 <20020130225454.A48040@hellblazer.nectar.cc>
 <p0510122ab87e828d1b16@[128.113.24.47]>
At 12:28 AM -0500 1/31/02, Garance A Drosihn wrote:
>At 10:54 PM -0600 1/30/02, Jacques A. Vidrine wrote:
>>No, it won't work. Joe Experienced will configure a new system
>>based on FreeBSD 4.N, and configure `firewall_enable=NO' as he has
>>always done in the past. But [...] He has no firewall at all,
>>rather than a firewall which he configured by whatever mechanism.
>
>I am not trying to beat a dead horse here, but I will point out that
>any person who *meant* to disable all network access must be sitting
>at the console of the machine. We *can* do something to help that
>person out. But if a person turns on firewall_enable because they
>expected *no* firewall, [...] We can't do anything to help that
>person once the mistake is made.

Ooo. In fact, since you're the new security officer who needs to be
worried about such issues, let's see if I can tantalize you by taking
a different line of thought... :-)

Why should only Joe Experienced User be getting the benefit of booting
up with the firewall active? Now, I am *definitely* not suggesting this
for -stable, but why don't we have the default GENERIC kernel include
the firewall support? Why should anyone *have* to compile a kernel to
get this full-time protection? ("fulltime" meaning "firewall active
for the entire boot sequence").

With the suggested meaning for firewall_enable, and some kind of
suitable warning message for console users when firewall_enable has
turned off the firewall, could we consider firewall=on in GENERIC?

[I don't know, but this just struck me as an interesting idea...]

If the net continues to be a more hostile place, something like this
might be prudent, particularly if we're also trying to reduce the need
for people to compile their own custom kernels. I can't help but think
of a Win2K system that we recently reinstalled -- where it was broken
into *during the install* process, before we got to where we could
apply security fixes.

I guess this is more of a blue-sky idea...
--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
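The rc.conf decision the message is arguing about, as an added shell example that is not part of this thread and not FreeBSD's own rc script: a kernel built with IPFIREWALL denies all traffic until rules are loaded, so the boot script has to decide what firewall_enable means on such a kernel. The function names, the keywords they return and the constructed inputs are assumptions; the rule `65000 pass all from any to any` is the one FreeBSD's `open` firewall type installs. The commands are printed rather than executed so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc scripts.
# Models the rc.conf handling discussed in the message: with IPFIREWALL
# compiled in, the firewall is active (default deny) from the first moment
# of boot, so firewall_enable=NO must do *something* or the box is cut off.
# Function names, returned keywords and sample inputs are all assumptions.

# firewall_action KERNEL_HAS_IPFW FIREWALL_ENABLE
#   $1  "yes" if IPFIREWALL is compiled into the running kernel, else "no"
#       (on a real system one would probe a sysctl; here it is passed in)
#   $2  the rc.conf firewall_enable value
# Prints exactly one keyword:
#   load  - load the administrator's rule set
#   open  - kernel firewall present but disabled in rc.conf: install a
#           pass-all rule so the machine stays reachable, and warn on console
#   none  - no kernel firewall, nothing to do
firewall_action() {
    has_ipfw=$1
    enable=$2
    case "$enable" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)
        # Rules can only be loaded if the kernel can enforce them.
        if [ "$has_ipfw" = yes ]; then echo load; else echo none; fi
        ;;
    *)
        # NO, or anything unrecognised (treated as NO, as rc.conf does):
        # leaving a default-deny kernel alone would cut the machine off.
        if [ "$has_ipfw" = yes ]; then echo open; else echo none; fi
        ;;
    esac
}

# Commands implementing the "open" decision. Printed, not run; a real rc
# script would execute them. Rule 65000 is FreeBSD's "open" type rule.
firewall_open_cmds() {
    echo "ipfw -f flush"
    echo "ipfw add 65000 pass all from any to any"
}

# The console warning the message asks for, so that someone who *meant*
# to be cut off from the network learns that rc.conf re-opened the
# firewall instead. $1 is the firewall_enable value that caused it.
firewall_open_warning() {
    echo "WARNING: kernel has IPFIREWALL but firewall_enable=${1} in rc.conf;"
    echo "         a pass-all rule was installed. Set firewall_enable=YES"
    echo "         and a firewall_type to keep the firewall active."
}

# Stand-alone demonstration over constructed inputs (no ipfw required).
if [ "${FIREWALL_DEMO:-1}" = 1 ]; then
    for kern in yes no; do
        for val in YES NO bogus; do
            printf 'kernel_ipfw=%-3s firewall_enable=%-5s -> %s\n' \
                "$kern" "$val" "$(firewall_action "$kern" "$val")"
        done
    done
    echo
    echo "On 'open' the script would run:"
    firewall_open_cmds
    echo "and print on the console:"
    firewall_open_warning NO
fi
```

Set `FIREWALL_DEMO=0` to source the file for its functions only. The point the example makes concrete is the asymmetry in the message: the "open" branch can warn the person at the console, while nothing in a boot script can warn someone who set firewall_enable=YES expecting no firewall.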