 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Re: [m0n0wall] Restriction Modifications
 Date:  Mon, 27 Sep 2004 19:28:22 -0700 (PDT)
On Mon, 27 Sep 2004, Chris Buechler wrote:
> On Mon, 20 Sep 2004 10:44:06 -0400, Chet Harvey <chet at pittech dot com> wrote:
> > On the console password issue, I agree with Manuel. If someone has access to
> > your firewall to do bad things, you have bigger problems. Also it's not like
> > the user thru the serial interface can change rules. All they can do is
> > add/delete interfaces and change IP's. If you want to disrupt service, just
> > unplug it.
> > 
> > Not something a "hacker" would be too interested in anyway.
> > 
> > Rule change would be the bad guys' biggest thing. Any sys admin worth his/her
> > salary would certainly notice the addition of an interface.
> 
> I certainly agree that if someone has physical access to your firewall
> you have more problems than an open console (read: get some physical
> security!), but there are certainly situations where people would want
> to do it.  Especially since you can reset the webGUI password, and it
> would probably take the admins a while to realize (who logs into their
> production firewall every day?  Not many)

It should also be noted that the assumption that console access ==
physical access isn't necessarily true, particularly with a serial console
that might not be in the same room (or even the same floor) as the
firewall.

					Fred Wright