netfilter firewalling problems and solutions

Andrew Calkin calkin at
Thu Feb 19 20:07:44 PST 2004

On Thu, Feb 19, 2004 at 08:05:28PM -0500, Archaic wrote:
> On Thu, Feb 19, 2004 at 06:32:21PM -0600, Dagmar d'Surreal wrote:
> > 
> > I can tell you from personal experience once you get above five or six
> > boxes, it becomes increasingly problematic to maintain them by building
> > packages on the hosts themselves.
> I don't disagree. I just see it as more gray than black and white. Some
> people will want a compiler on their machine at all times. This book
> shouldn't cater to just the guy admining dozens of boxes (of course it
> shouldn't ignore that guy, either).
Has anyone considered the option of instructions to put all compilation
tools on, e.g., a CD-ROM, which can be mounted for compilation when
needed (with modification of the path), and left inaccessible to
crackers at all other times? Whilst it is a hassle to insert a CD
any time you want to recompile something (especially if physical
access to the machine is difficult), as leaving the disc in the machine
constantly may not be a good idea even if the device is unmounted, it
does still provide a physical separation between machine and
building tools, which would add difficulty for crackers attempting
remote exploits.

If only some kind of 'fingerprinting' of binaries
compiled on a given machine was available, this would make the
security measure more formidable. But I haven't heard of anything
like that yet, so it's just a pipe-dream.
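One way the 'fingerprinting' idea above could be realised, as an added illustration that is not part of this thread: after a build session with the tools mounted, the host tags each freshly built binary with an HMAC of its SHA-256 digest under a secret key that never leaves the machine, and records the tags in a manifest. A binary that was replaced later, dropped in from elsewhere, or built on a host with a different key will not verify. The host key, file names and file contents below are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption (not from the thread): the host holds a secret key that never
# leaves the machine; binaries built here are "fingerprinted" with it.
HOST_KEY = b"constructed-host-secret-do-not-reuse"


def file_sha256(path):
    """Return the SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def fingerprint(path, host_key):
    """HMAC the file digest with the host key: a tag only this host can mint."""
    return hmac.new(host_key, file_sha256(path), hashlib.sha256).hexdigest()


def build_manifest(tool_dir, host_key):
    """Fingerprint every regular file under tool_dir (the freshly built
    binaries) and return {relative_path: tag}."""
    manifest = {}
    for root, _dirs, files in os.walk(tool_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, tool_dir)
            manifest[rel] = fingerprint(full, host_key)
    return manifest


def verify_binary(tool_dir, rel_path, manifest, host_key):
    """True only if the binary is in the manifest and its tag still matches.
    compare_digest keeps the comparison constant-time."""
    expected = manifest.get(rel_path)
    if expected is None:
        return False
    full = os.path.join(tool_dir, rel_path)
    if not os.path.isfile(full):
        return False
    return hmac.compare_digest(expected, fingerprint(full, host_key))


def demo():
    """Constructed scenario: two locally built 'binaries', one later
    tampered with, one dropped in from elsewhere, and a manifest made
    with a different host's key."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "httpd"), "wb") as f:
            f.write(b"\x7fELF constructed httpd image")
        with open(os.path.join(d, "sshd"), "wb") as f:
            f.write(b"\x7fELF constructed sshd image")
        manifest = build_manifest(d, HOST_KEY)
        results = {"untouched": verify_binary(d, "sshd", manifest, HOST_KEY)}
        # The binary is replaced after the build: its digest no longer matches.
        with open(os.path.join(d, "httpd"), "wb") as f:
            f.write(b"\x7fELF replaced httpd image")
        results["tampered"] = verify_binary(d, "httpd", manifest, HOST_KEY)
        # A binary never built here has no manifest entry at all.
        with open(os.path.join(d, "nc"), "wb") as f:
            f.write(b"\x7fELF foreign binary")
        results["unknown"] = verify_binary(d, "nc", manifest, HOST_KEY)
        # A manifest minted under another host's key does not verify here.
        other = build_manifest(d, b"some-other-host-key")
        results["other_host"] = verify_binary(d, "sshd", other, HOST_KEY)
    return results


if __name__ == "__main__":
    print(demo())
```

The manifest itself must live somewhere the attacker cannot rewrite (on the same removable media as the tools, for instance), and the key must be unreadable to the services being protected, otherwise an intruder simply re-tags whatever they install.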
