binary only lfs system

Steve Crosby sneeble at paradise.net.nz
Sat Nov 23 16:40:00 PST 2002


Ian Molton <spyro at f2s.com> wrote in
news:20021123102823.5063e3f2.spyro at f2s.com: 

> On Sat, 23 Nov 2002 10:15:00 +0000 (UTC)
> Steve Crosby <sneeble at paradise.net.nz> wrote:
> 
>> >> hmmm, web server and firewall on the same machine?
>> > 
>> > 
>> > What's wrong with that? a separate machine for each task is not any
>> > more secure...
>> > 
>> 
>> It depends on your definition of "more secure"...
> 
> I just knew someone would say that...
> 
> I like your examples though. I may steal them :)

feel free.  No doubt I've probably stolen them from someone else at
some point...*grin* 

> 
> TBH though, any compromised machine on the wrong side of the firewall
> is a hazard... (like, thats not obvious ;))

not nearly as obvious as one could hope...at least firewalls in general
are becoming more prevalent... 

and (also obvious *grin*) the purpose of the DMZ is to keep the
compromised machine(s) behind a working firewall between the home
machines and the DMZ... 

i.e.

Internet
  |
  |
Firewall ---- Web/FTP/SSH Server (separate network - DMZ)
  |
  |
Home Machine(s)

Compromising the servers still means breaching a firewall to access the
home machines.  And, if configured properly (which is always the catch),
the servers can be isolated from the internet too, so they can't be used
as DoS hosts... 

i.e.

  Web/FTP/SSH can only contact the Internet/Home machine(s) if they are
  *first* contacted from the outside.  This means anyone connecting to
  the compromised server cannot simply access the Internet from that
  server, since the TCP connection must be initiated from the
  Internet/Home machine side... 

Hope that helps someone out there...my brain hurts now, so I'll be quiet
and go back to building/configuring/testing my CD-R based firewall using
LFS4.0 + hacks on my *sloooow* Pentium 150 (FYI: glibc-2.3.1 and gcc
3.2.1 built and working fine with the pwd-stub hack) - someone else on
the list expressed an interest in a minimal LFS-based firewall running
from CD, so I plan to write up the steps I used when it's done. 

- --
Steve Crosby
sneeble at paradise.net.nz
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-support' in the subject header of the message
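The "servers can answer but never initiate" policy sketched in the message above, written out as an added example iptables rule set for the three-legged firewall in the diagram. This is not code from the original post or from the LFS project; the interface names (eth0 Internet, eth1 home LAN, eth2 DMZ), the DMZ address range, the server address, the published ports and the DRY_RUN switch are all assumptions made for illustration.

```shell
# Added example, not from the original post. Interface names, addresses and
# ports below are constructed assumptions for the diagram's layout:
#   eth0 = Internet, eth1 = home machines, eth2 = DMZ (192.168.2.0/24)
# DRY_RUN=1 prints the rules instead of loading them into the kernel.

WAN=eth0
LAN=eth1
DMZ=eth2
DMZ_SERVER=192.168.2.10

# Wrapper so the rule set can be reviewed before it is applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dmz_rules() {
    # Nothing is forwarded unless a rule below says so.
    ipt -P FORWARD DROP

    # Packets belonging to a connection that was already accepted may flow in
    # both directions; this is what lets the DMZ server *answer* clients.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The Internet may open new connections only to the published services
    # (FTP, SSH, HTTP) on the DMZ server, nothing else.
    for port in 21 22 80; do
        ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_SERVER" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Home machines may open new connections to the Internet and to the DMZ.
    ipt -A FORWARD -i "$LAN" -m state --state NEW -j ACCEPT

    # The DMZ may never open a new connection towards the Internet or the
    # home LAN: a compromised server can reply, but cannot initiate. Log the
    # attempt first, because a DMZ host trying to call out is itself a signal
    # worth investigating.
    ipt -A FORWARD -i "$DMZ" -m state --state NEW -j LOG --log-prefix "DMZ-INITIATED: "
    ipt -A FORWARD -i "$DMZ" -m state --state NEW -j DROP
}

# Print the rule set when run as DRY_RUN=1 sh thisfile.sh; loading it for
# real requires root and an iptables build with the state match.
if [ "${DRY_RUN:-0}" = 1 ]; then
    dmz_rules
fi
```

Two caveats a practitioner would want: with the DMZ forbidden to initiate, active-mode FTP data connections only work if the FTP connection-tracking helper is loaded so they are classed as RELATED, and the LOG rule gives the home side an early warning that a DMZ host is behaving as though it has been compromised.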