Eventually, having the kernel possibility to customize the config path from /etc in eg /heroxyz
could be helpful for a firewall, what do you think? :-)
-Dan
Mar 25, 2024 18:06:10 Dan <dan@nnnne-o-o-o.com>:
>> /etc is always going to be problematic. I've been experimenting
>> to see if I can create a viable firewall config with a read-only
>> root filesystem.
>
> I do not know what do you mean by "experimenting if", and if you finally
> realized your purpose.. but clearly what you suggest here is possible,
> just matter of mounting a copy /etc readonly/writable at the proper moment.
> I have a blog post "for paranoids" in https://bsdload.com and an old script
> for production (for a dev station, not a firewall, with all the prompts and visual
> feedback popping up).
> But in the summary, if the securelevel allows you to mount/unmount /etc
> and the machine or auth meanings are already compromised your
> writable /etc should be well hidden.. maybe physically separated (a stick?), hoping
> that the observer is not an OpenBSD enthusiast.
No comments:
Post a Comment