Hello,

> Leaving modules in place makes it easier to modify the kernel's behavior.

Well, actually it is possible to disable modification of the kernel after the modules are installed. This is the "securelevel" feature from BSD. Adding a few simple if statements in the kernel can even forbid root to modify the modules. This means the modules get installed at boot time and can't be modified once the runlevel has been switched. The runlevel gets switched before there is access to any network on the firewall. That's the usual way.

The great win is that you don't need to compile this special kernel for everything, and you have the support for stuff like sf Firewall or Masquerade modules or IPSec.

The problem with modules is that if you can install a module you can do everything, including circumventing the securelevel.

Securelevel (and perhaps POSIX privileges) are an important thing on a firewall. Including the secure Linux patches (disable executable stack) and adding a group for binding to privileged ports. It's a good idea to avoid root on the firewall as much as possible. Nearly no program on the firewall should/needs to run as root if you do some small modifications to the kernel.

More info later...

Greetings
Bernd

-- (OO) -- [EMAIL PROTECTED] --
( .. ) [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD [EMAIL PROTECTED] +497257930613 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy
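
The ordering described in the message above (install modules at boot, lock the kernel, only then allow network access) can be audited on a current Linux kernel, where the `kernel.modules_disabled` sysctl is a one-way switch that blocks module loading even for root. This is an added example, not part of the original message or of any securelevel patch; the function names and the `ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). ROOT is a hypothetical
# argument: "" audits the live system, a directory audits a constructed tree.

# Exit 0 if module loading is switched off. On current Linux kernels
# kernel.modules_disabled cannot be set back to 0 without a reboot.
modules_locked() {
    f="$1/proc/sys/kernel/modules_disabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print every non-loopback interface whose operstate is "up".
# Interfaces reporting "unknown" are not counted.
up_interfaces() {
    for d in "$1"/sys/class/net/*; do
        [ -r "$d/operstate" ] || continue
        name=${d##*/}
        if [ "$name" != "lo" ] && [ "$(cat "$d/operstate")" = "up" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Return 0 if locked, 1 if modules are loadable while the network is up
# (the boot ordering described in the message is violated), 2 if the
# host is still in early boot with no interface up.
audit_lockdown() {
    if modules_locked "$1"; then
        echo "OK: module loading is locked"
        return 0
    fi
    up=$(up_interfaces "$1" | tr '\n' ' ')
    if [ -n "$up" ]; then
        echo "FAIL: modules still loadable with network up: $up"
        return 1
    fi
    echo "PENDING: modules loadable, no interface up yet"
    return 2
}

# Usage on a live system: audit_lockdown ""
```

Run from a boot script or a monitoring job, a return code of 1 means the firewall is reachable while root can still insert modules.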

