Mar 25, 2024 17:34:54 Lyndon Nerenberg (VE7TFX/VE6BBM) <[email protected]>:

> /etc is always going to be problematic. I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.

I do not know what you mean by "experimenting if", and whether you finally realized your purpose, but clearly what you suggest here is possible, just a matter of mounting a copy of /etc read-only/writable at the proper moment.

I have a blog post "for paranoids" at https://bsdload.com and an old script for production (for a dev station, not a firewall, with all the prompts and visual feedback popping up).

But in summary, if the securelevel allows you to mount/unmount /etc and the machine or auth means are already compromised, your writable /etc should be well hidden, maybe physically separated (a stick?), hoping that the observer is not an OpenBSD enthusiast.

