http://linuxhelp.blogspot.com/2005/11/make-your-files-immutable-which-even.h...
I looked into a couple of things and had an idea that the link above plays into with this. What if you simply set the attributes for all of the files you wanted read-only, set them to immutable, and any further attributes on the build system, but fail to put chattr on the router you are building. This means the files can't be removed, changed, etc. on the router, and if you tell it to mount / read-only on boot, problem solved. That would be the ultra-paranoid approach I would do. That way even if they managed to get it mounted RW, what can they change, since the attributes would prevent changes and chattr wouldn't exist on the router. Another good way to ensure fewer issues is to minimize the system. Build it with a kernel, busybox, and the needed startup/support files for the router task. I would also suggest minimizing the abilities of apache if you decide to make it web configurable. Or look for an alternative web server that's hardened and small.
-John Frakes unixengineer@earthlink.net
-----Original Message-----
From: Leo Mauler webgiant@yahoo.com
Sent: Mar 4, 2006 10:42 PM
To: kclug@kclug.org
Subject: Re: What is the modern "Floppy-Based" router based on?
The main problem with the CF card solution is that the CF card has no "write-protect" feature. The original reason this topic was brought up in the first place was that floppy-based routers have easily switched write-protect tabs, allowing one to easily edit the floppy if necessary, then switch it back to write-protect mode for normal operation.
Now, someone else has pointed out that there are a few USB memory keys which have write-protect tabs, which would make them an ideal substitute for the floppy-based router.
--- Michael mogmios@mlug.missouri.edu wrote:
Better yet, get a small (cheap) CF card and a CF-to-IDE converter and use that. Very reliable, and it can be put together with a GB of space for little more than a floppy drive. About $20 usually.
Kelsay, Brian - Kansas City, MO wrote:
I ran a firewall off one with Freesco for something like 2 years. If a floppy isn't going to work in this mode, you find out real quick when you try to format it and use rawwrite to put the .img file on it.
Kclug mailing list Kclug@kclug.org http://kclug.org/mailman/listinfo/kclug
On Sunday 05 March 2006 06:48, John wrote:
I looked into a couple of things and had an idea that the link above plays into with this. What if you simply set the attributes for all of the files you wanted read-only, set them to immutable, and any further attributes on the build system, but fail to put chattr on the router you are building. This means the files can't be removed, changed, etc. on the router, and if you tell it to mount / read-only on boot, problem solved. That would be the ultra-paranoid approach I would do. That way even if they managed to get it mounted RW, what can they change, since the attributes would prevent changes and chattr wouldn't exist on the router.
scp $(which chattr) root@rooted-router:/tmp
Just hack the kernel to disallow writing, toggleable with your ACPI power button. ;)
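A small audit helper for the immutable, read-only image John describes above, added here as an example and not code from the thread: it parses `lsattr` output and `/proc/mounts` text (constructed samples, so it runs anywhere without root) to list files that lack the immutable bit and to confirm that / is mounted ro. It assumes the standard lsattr flag-string format where a lowercase `i` marks immutable; as the scp reply notes, the bit is only an obstacle to root, who can bring chattr along and clear it.

```shell
#!/bin/sh
# Audit helper for a read-only, immutable router image (added example).
# Pure text processing over lsattr / /proc/mounts style input, so it
# can be run on the build host against a captured listing.

# Constructed sample of `lsattr` output: flags field, then path.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
----i---------e------- /sbin/init'

# Constructed sample of /proc/mounts: / is ro, /tmp is rw.
SAMPLE_MOUNTS='/dev/hda1 / ext3 ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0'

# Read lsattr output on stdin; print one line per path whose flag
# string lacks the lowercase 'i' (immutable) attribute.
missing_immutable() {
    while read -r flags path; do
        case "$flags" in
            *i*) ;;                       # immutable bit set: fine
            *)   printf '%s\n' "$path" ;; # not immutable: report
        esac
    done
}

# Read /proc/mounts text on stdin; return 0 if the given mount point
# carries the "ro" option, 1 if it is rw or not present at all.
mounted_ro() {
    target=$1
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$target" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;
            *)      return 1 ;;
        esac
    done
    return 1
}

# Stand-alone usage against the constructed samples.
printf '%s\n' "$SAMPLE_LSATTR" | missing_immutable
printf '%s\n' "$SAMPLE_MOUNTS" | mounted_ro / && echo "/ is read-only"
```

On a real build tree, feed it `lsattr -R` of the image and the router's `/proc/mounts` instead of the samples.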