On Thu, 11 Apr 2002, Simon J. Gerraty wrote:

> >proxies to all interfaces anymore. Also, since most are hybrids, they
> >normally also packet filter everything on OSen where you can't just rip
> >out all the non-proxy stuff (Solaris anyone?.)
>
> Actually you can remove big hunks of solaris's kernel. Just rm -f the
> modules. You keep doing this until the box won't boot, then reinstall
> from scratch, and repeat up to just before the last thing you removed :-)
>
> I haven't done this since 2.6 mind, and it helped having the process
> automated, but it's still a lot of work. Now if netbsd had run MP on
> ultra 450's back then...
>
> That same bastion + ipfilter was also good for a low risk high
> volume link too btw.

Yes, but you can't rip everything out if you expect to run a commercial
firewall's GUI. Solaris wants rpcbind for the X font server for instance.
Ripping listening sockets out of CDE *sucks* and is non-trivial. Compiling
IPFilter gets to be unfun if you don't have a Sun compiler and you're
running 64-bit (download the compiler, install it, yadda, yadda, yadda.)

The long and short of it is that manually it's at least a full day to patch
and harden and assumes things that most sites that aren't big Solaris shops
don't have (admin clue being #1.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
