Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@orthanc.ca>:
> /etc is always going to be problematic. I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.
I do not know what do you mean by "experimenting if", and if you finally
realized your purpose.. but clearly what you suggest here is possible,
just matter of mounting a copy /etc readonly/writable at the proper moment.
I have a blog post "for paranoids" in https://bsdload.com and an old script
for production (for a dev station, not a firewall, with all the prompts and visual
feedback popping up).
But in the summary, if the securelevel allows you to mount/unmount /etc
and the machine or auth meanings are already compromised your
writable /etc should be well hidden.. maybe physically separated (a stick?), hoping
that the observer is not an OpenBSD enthusiast.
Mar 25, 2024 17:34:54 Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@orthanc.ca>:
> /etc is always going to be problematic. I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.
No comments:
Post a Comment