Firewall Wizards mailing list archives

Re: Linux Firewall on CD

From: Paul Robertson <proberts () patriot net>
Date: Fri, 11 Jul 2003 22:29:03 -0400 (EDT)

On Fri, 11 Jul 2003, Marcus J. Ranum wrote:

Depends on how it's done, really. The CD bootable systems I used
to build chrooted off the RAM disk onto the CD image, so there was
no RAM disk to mess with, and there weren't any device nodes except


RAM disk, my own program to store code- it's really moot, however if I can 
create a new RAM disk (and the point was that the kernel really wanted the 
RAM disk stuff built in- so I can always create a new one if I can get to 
a mount point.

for the bare minimum since the device nodes needed to mount the
CD and hard disk were back in the RAM disk behind the chroot. If you
mount the hard disk noexec, and the CD image isn't writeable, it's


Noexec is useless, you can use the loader to execute anything off the 
disk, and if you don't have the loader, you're not going to be running 
much.  If you could get rid of, or compartment out /dev, then the jail 
would be more interesting- though I admit to not having looked at what 
devfs brings to the table in terms of not needing to allow device nodes on 
a disk or RAM disk.

pretty hard to screw around with the system. Of course, one can
always conjure up a scenario involving an infinitely clever attacker
exploiting an infinite number of design flaws so in theory no firewall
will ever be secure.


Again, the real game is going through the firewall- these days the way 
most are deployed, there's not much to be gained on the firewall, unless 
the attacker wants an open relay for spamming.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Linux Firewall on CD james mcdermott (Jul 11)
- Re: Linux Firewall on CD Steve Ellis (Jul 11)
- Re: Linux Firewall on CD Paul Robertson (Jul 11)
  - Re: Linux Firewall on CD Marcus J. Ranum (Jul 11)
    - Re: Linux Firewall on CD Paul Robertson (Jul 11)
    - Telnet & ftp issues Jyotish K Sen Gupta (Jul 12)
    - Re: Linux Firewall on CD Barney Wolff (Jul 12)
    - Re: Linux Firewall on CD Paul Robertson (Jul 12)