Firewall Wizards mailing list archives
Re: Here is my plan for firewall implementation
From: Craig Brozefsky <craig () onshore com>
Date: Sun, 21 Sep 1997 17:59:20 -0500
On Sun, 21 Sep 1997, Marcus J. Ranum wrote:
> These days I'd use qmail (Dan Bernstein's minimalist mailer) or sendmail running on a hacked kernel in a restricted environment. Smap was intended to be a place for hooking additional mail processing into a firewall, but nothing ever got hung on the hooks.

We hooked some stuff into it for a client once who needed to be able to approve certain classes of email messages in order to comply with some federal regulations in their industry.

> By sendmail on a hacked kernel I'm talking about things like running sendmail chrooted w/o privs and a configuration that doesn't have sendmail calling external mailers. Then all it has to do is fork itself off - at that point you can jigger the kernel to allow a specific UID (under which mail runs) to chroot, but you check so a chroot cannot be performed twice.* Also, wire the kernel so that the mail UID cannot call any of the exec() family.

Or you just run qmail. I like to stay away from such specific kernel mods when trying to make up for security shortcomings in userspace code.

> Another fun fix I'd like to see on firewall boxes (but this takes more kernel expertise than I have) is modifications to the memory management to make stack space protected so it's not executable. When someone tries to hit a buffer overrun, *poof* instant SIGSEGV.

That is assuming the buffer overrun is a stack variable. Solar Designer, who released a patch to Linux which did such modifications as mark the stack as non-executable (with exceptions for certain things which happen during the normal course of execution, such as trampolining signal handlers), also recently released some very pretty code which doesn't bother with the stack, but rather overwrites some heap memory. There is also a patch for Solaris which does the same thing. I am not positive but I bet there are BSD patches for it too.

Craig Brozefsky craig () onshore com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
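An added example, not code from this thread or from either poster: the "mail UID cannot call any of the exec() family" restriction Marcus describes can be applied today without a kernel patch, by having the mailer install a seccomp-bpf filter on itself once it has dropped privileges. It assumes Linux on x86_64 or aarch64, and the path /bin/true is only a placeholder target for the exec that the filter refuses.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#endif /* other machines: add their AUDIT_ARCH_* value here */

/* Deny execve/execveat with EPERM via seccomp-bpf; irreversible, inherited across fork(). */
int install_no_exec_filter(void)
{
    struct sock_filter filter[] = {
        /* syscall numbers are per-ABI: kill the process if the ABI is not the one encoded above */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* deny the exec family, allow everything else */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    /* no_new_privs lets an unprivileged process install the filter and stops setuid binaries granting privileges later */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Attempt an exec; returns the errno it failed with (0 only if it actually ran). */
int try_exec(void)
{
    char *argv[] = { "/bin/true", NULL };   /* placeholder target */
    execv(argv[0], argv);
    return errno;
}

int main(void)
{
    /* exit status 0 means the filter is in place and the exec was refused */
    return (install_no_exec_filter() == 0 && try_exec() == EPERM) ? 0 : 1;
}
```

Because the filter is inherited across fork(), the children sendmail forks off are covered as well, which is the property the kernel hack was meant to give.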