From owner-freebsd-hackers@FreeBSD.ORG  Thu Apr 24 03:09:28 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8EF0537B401
	for <freebsd-hackers@freebsd.org>;
	Thu, 24 Apr 2003 03:09:28 -0700 (PDT)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EAEA343F3F
	for <freebsd-hackers@freebsd.org>;
	Thu, 24 Apr 2003 03:09:27 -0700 (PDT)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id C8D953ABB51; Thu, 24 Apr 2003 12:11:03 +0200 (CEST)
Date: Thu, 24 Apr 2003 12:11:03 +0200
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Peter <pfak@telus.net>
Message-ID: <20030424101103.GV20444@garage.freebsd.pl>
References: <001901c309ee$36029070$c601a8c0@oxygen>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="YttKMwf6abDJOSyE"
Content-Disposition: inline
In-Reply-To: <001901c309ee$36029070$c601a8c0@oxygen>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
X-URL: http://garage.freebsd.pl
User-Agent: Mutt/1.5.1i
cc: freebsd-hackers@freebsd.org
Subject: Re: Keeping a large shellbox stable and secure
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2003 10:09:28 -0000


--YttKMwf6abDJOSyE
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 23, 2003 at 04:15:20PM -0700, Peter wrote:
+> Would ipfw2 or Ipfilter be better? Should I run RELENG_4 or RELENG_4_8.

I suggest RELENG_4_8 of course.

+> Any ideas would be appreciated. Basically, I'm attempting to make this b=
ox
+> as stable and secure as possible. Anything would be appreciated.

If we are talking about security, take a look at CerbNG project:

	http://cerber.sourceforge.net

But there is no stable release yet.
You can find on this page also two different kernel modules:
rexec and lrexec. Those two are stable, but not so functional and
doesn't provide so high security level as CerbNG.

--=20
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

--YttKMwf6abDJOSyE
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPqe4Nz/PhmMH/Mf1AQETlwP8DDxiDZ03gFVet//auEui4WxAAdJdKEc/
jydV1LMgHu+mC39Nd6Rgsc2D6rkD80+Ks+fA9Ao+fQWvWSWtNFA1ohwM7KigYvdb
uR3r5MiwknyQHgBFkaI8F3sZA5e3n1Ya1mWCjsGEk5GQqxKaRpNQ2lJUAUIG0/EM
YRhnIfWIBpk=
=QyOb
-----END PGP SIGNATURE-----

--YttKMwf6abDJOSyE--