Firewall Wizards mailing list archives
Re: Here is my plan for firewall implementation
From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Mon, 22 Sep 1997 12:01:57 -0400 (EDT)
These days I'd use qmail (Dan Bernstein's minimalist mailer) or sendmail running on a hacked kernel in a restricted environment. Smap was intended to be a place for hooking additional mail processing into a firewall, but nothing ever got hung on the hooks.
Well, a few things here and there.
Another fun fix I'd like to see on firewall boxes (but this takes more kernel expertise than I have) is modifications to the memory management to make stack space protected so it's not executable. When someone tries to hit a buffer overrun, *poof* instant SIGSEGV.
This is an entirely reasonable and logical thing to be able to want to do. It's also quite easy, given hardware support. Of the hardware architectures I just glanced at, it appears that the Alpha and HP-PA allow this, the x86 and MIPS and possibly the Sparc do not. Software implementations slow the system down, unforgivable to the Marketing departments [;-)]. It's possible/probable that hardware implementations also slow the system down by a nanosecond or two per command, and cost $0.02 more per chip, and so were nixed. ;-)/2

--
Joe Yao    jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support    EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
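An added example, not part of the original message: on a present-day Linux host, whether a process's stack is mapped executable can be read from `/proc/<pid>/maps`, which is the property the message above asks for. The function names and the sample lines are constructed for illustration, and the code assumes the Linux procfs line format (`start-end perms offset dev inode path`).

```c
#include <stdio.h>
#include <string.h>

/* Parse one /proc/<pid>/maps line.
 * Returns 1 if it is the [stack] mapping and has the x permission,
 *         0 if it is the [stack] mapping without x,
 *        -1 if it is not the stack mapping or is malformed. */
int stack_line_exec(const char *line)
{
    char perms[5] = "";

    if (strstr(line, "[stack]") == NULL)
        return -1;
    /* Skip "start-end", then read the 4-character permission field. */
    if (sscanf(line, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %4s", perms) != 1)
        return -1;
    if (strlen(perms) != 4)
        return -1;
    return perms[2] == 'x';
}

/* Scan a maps file (e.g. /proc/self/maps) for the stack mapping.
 * Returns 1/0 as above, or -1 if the file or the mapping is absent. */
int stack_exec_in_maps(const char *path)
{
    char line[512];
    int result = -1;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        int r = stack_line_exec(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int r = stack_exec_in_maps("/proc/self/maps");

    printf("stack executable: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return r == 1; /* non-zero exit flags an executable stack */
}
```

Pointing `stack_exec_in_maps` at `/proc/<pid>/maps` for each long-running daemon on a firewall host gives a quick audit of which processes still run with an executable stack.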