[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Create a canned "Firewall Build"
Peter,
I think it depends on the environment one find oneself in. My first dive
into a unix based firewall was e-smith (http://www.e-smith.org). E-smith was
basically a stripped down version of redhat, providing a variety of services
to a small lan. These services include a time server, smb (each user can
get his or her own "ibay" which is also published on the web). The server
was preconfigured to do dhcp, ipchains etc. etc.
Is this an ideal firewall? Nah. And I've since then (this was about 4 years
ago) moved on to bigger abd better things (firewall w/ openbsd + 3 nics for
dmz with my servers in it (although of course the smb server is internal).
The e-smith firewall was online for 2 years without getting broken into or
anything of the sort.
Steve
On Thursday 21 February 2002 08:55, Peter wrote:
> That's a good one. A firewall shouldn't have any user accounts (besides
> your own)
> and on a firewall you shouldn't run anything besides nat and pf.
> Otherwise it wouldn't
> be a firwall anymore.
> I'm kind of afraid to hear next that somebody is running smbd/nmbd on
> his firewall :-)))
> Peter
>
> > >> Each user's files by default can be read by another user. Change
>
> the
>
> > >> umask.
> > >
> > > irrelevant to system security. so what if joe can read john's
>
> files?
>
> > > that's no closer to root. the only umask that matters is root. and
>
> if
>
> > > you're messing around as root, you should triple check everything
>
> you do
>
> > > anyway.
> >
> > if this is supposed to be a distribution of OpenBSD for firewalls, why
> > would it have a bunch of users on the system whom you have to play
>
> nanny
>
> > to?
> >
> > --Matt