Re: comp34.tgz necessary on a firewall?
e.conti@gmx.net wrote:
>
> After having installed OpenBSD on a DMZed server, I'm going to install it on
> a firewall. However, there's one thing I need to understand before doing so.
> Used to Linux Debian, I use apt-update && apt-upgrade to keep my system
> up-to-date. On OpenBSD, updates seem to require downloading a patch and
> recompiling the application/kernel to update.
Correct.
> Therefore, it seems necessary to have a compiler installed on the system.
> This is, in my opinion, a very bad idea for a firewall (even if it's a
> bastion-type firewall).
Why do you think this?
Your answer is probably something like, "Well, it keeps bad guys from
building bad tools on my computer."
Think that through.
If they are *on* your computer so they could build such tools, they
can install 'em. They can probably even "apt-get rootkit" or whatever
the Debian term is. Making your life difficult does not render your
machine more secure automatically.
> Do I really need to install the comp34.tgz package on my firewall to keep it
> up-to-date?
No, but it isn't a horrible idea.
It is probably the easiest way.
> Aren't patches available in a package/binary form?
Only if you make them available.
> How do you guys cope with this problem? Do you apply patches on another
> computer and transfer the binary files to the target computers later?
> Thanks for the help.
Personally: I put the compiler on my firewall. 8)
Granted, if you build a custom system so you can pack your entire
firewall into a flash module, flip a "read-only" switch on the module
(note that little switch on the SD flash modules? Wonder how well
that works 8-), so the only writable partitions are non-exec and the
exec partitions are hardware write-protected, you *might* achieve a
theoretical benefit by not having a compiler on the system. Now you
have to decide if the time required to build and rebuild such a system
is worth the effort (that SD flash module with its seemingly hardware
write-protect is still sitting in my drawer).
Nick.
--
http://www.holland-consulting.net
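Added example, not part of the original post and not an OpenBSD tool: a small
POSIX sh check for the property the reply describes, namely that every
filesystem on the box is either read-only or mounted noexec, so that nothing
writable is executable and nothing executable is writable. It parses a
listing in the format of OpenBSD's mount(8) output; the two sample listings
below are constructed for the example, and the assumption is that the real
check would be fed the output of `mount` on the firewall itself.

```shell
#!/bin/sh
# Added example: verify the "writable partitions are noexec, exec partitions
# are read-only" layout against a mount(8)-style listing. Sample listings
# below are constructed input, not captured from a real host.

# check_mounts LISTING
#   Prints every filesystem that is both writable and executable.
#   Returns 0 if the policy holds for every line, 1 otherwise.
check_mounts() {
    printf '%s\n' "$1" | awk '
        {
            # The option list is the parenthesised group at the end of the line,
            # e.g. "/dev/wd0d on /var type ffs (local, nodev, noexec, nosuid)".
            opts = $0
            sub(/^.*\(/, "", opts)
            sub(/\).*$/, "", opts)
            ro     = (opts ~ /(^|, )read-only(,|$)/)
            noexec = (opts ~ /(^|, )noexec(,|$)/)
            # $3 is the mount point in "<device> on <mountpoint> type <fs> (...)"
            if (!ro && !noexec) {
                print $3 ": writable and executable (" opts ")"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: flash-style layout, every filesystem read-only or noexec.
SAMPLE_GOOD='/dev/wd0a on / type ffs (local, read-only)
/dev/wd0d on /usr type ffs (local, nodev, read-only)
/dev/wd0e on /var type ffs (local, nodev, noexec, nosuid)
mfs:12345 on /tmp type mfs (asynchronous, local, noexec, nosuid, size=16384)'

# Constructed sample: default-style layout, root and /var writable and executable.
SAMPLE_BAD='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (local, nodev, nosuid)'

# Usage on the samples; on a live host this would be: check_mounts "$(mount)"
check_mounts "$SAMPLE_GOOD" && echo "good layout: policy satisfied"
check_mounts "$SAMPLE_BAD" || echo "bad layout: policy violated"
```

The check only looks at mount options, so it says nothing about whether the
"read-only" switch on a flash module is actually honoured by the hardware; it
catches the common mistake of leaving a writable partition mounted without
noexec after a rebuild.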