Date: Thu, 31 Jan 2002 00:53:54 -0500
To: "Jacques A. Vidrine"
From: Garance A Drosihn
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Cc: Matthew Dillon, freebsd-stable@FreeBSD.ORG

At 12:28 AM -0500 1/31/02, Garance A Drosihn wrote:
>At 10:54 PM -0600 1/30/02, Jacques A. Vidrine wrote:
>>No, it won't work.  Joe Experienced will configure a new system
>>based on FreeBSD 4.N, and configure `firewall_enable=NO' as he has
>>always done in the past.  But [...]  He has no firewall at all,
>>rather than a firewall which he configured by whatever mechanism.
>
>I am not trying to beat a dead horse here, but I will point out that
>any person who *meant* to disable all network access must be sitting
>at the console of the machine.  We *can* do something to help that
>person out.  But if a person turns on firewall_enable because they
>expected *no* firewall, [...]  We can't do anything to help that
>person once the mistake is made.

Ooo.  In fact, since you're the new security officer who needs to be worried about such issues, let's see if I can tantalize you by taking a different line of thought...  :-)

Why should only Joe Experienced User be getting the benefit of booting up with the firewall active?  Now, I am *definitely* not suggesting this for -stable, but why don't we have the default GENERIC kernel include the firewall support?  Why should anyone *have* to compile a kernel to get this full-time protection?  ("fulltime" meaning "firewall active for the entire boot sequence").

With the suggested meaning for firewall_enable, and some kind of suitable warning message for console users when firewall_enable has turned off the firewall, could we consider firewall=on in GENERIC?  [I don't know, but this just struck me as an interesting idea...]

If the net continues to be a more hostile place, something like this might be prudent, particularly if we're also trying to reduce the need for people to compile their own custom kernels.  I can't help but think of a Win2K system that we recently reinstalled -- where it was broken into *during the install* process, before we got to where we could apply security fixes.

I guess this is more of a blue-sky idea...

--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu