Date: Sat, 15 Aug 1998 13:09:55 +0200
From: Philippe Regnauld
To: Joe Orthoefer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilities against shell code"
Message-ID: <19980815130955.44989@deepo.prosa.dk>
References: <19980814123240.63855@deepo.prosa.dk>
In-Reply-To: ; from Joe Orthoefer on Fri, Aug 14, 1998 at 12:04:29AM -0400
Organization: PROSA

Joe Orthoefer writes:

> Secure Computing's Sidewinder firewall (built on top of BSDI 2.2) has [...]
> The set of ACL's is compiled into
> the kernel, with no way to easily change those ACL's once the machine is
> booted, to do major administration you boot into a different kernel with a
> lax set of ACL's and no network support.

Sounds like what Borderware had -- but I think it was just that one
kernel (runtime) had most dangerous syscalls removed, and the other
(maintenance) had those syscalls, but network was disabled.

-- 
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
 The Internet is busy. Please try again later.