 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall feature request
 Date:  Sat, 24 Jan 2004 08:13:05 +1000
On Sat, 2004-01-24 at 01:17, Manuel Kasper wrote:
> EXT dash Mike dot Bradshaw at nokia dot com wrote:
> 
> > reboot is already there (diagnostics, Reboot system) i agree shutdown
> > would also be nice
> 
> No need for that - just pull the plug (or flip the switch).

Even on HDD versions?  I know the difference between the HDD and CF
version is rather minimal, but all other OSes tend to b0rk eventually if
their filing system is not shut down cleanly.  Not having played with
BSD before, I guessed that it was the same.

If the configuration has already been successfully written, then this
should be fine (and extremely easily backed up, edited and restored
thanks to the xml format - great idea, that).  It is just the logs being
written to HDD that could be an issue.

> > if someone has physical access to your Firewall console you are 
> > pretty much screwed right there. a simple console login is *SO* easy
> > to defeat that it just not funny (if you have physical access)
> 
> That is my point of view as well, but as this has come up enough times
> to get me bored, I'll just add a checkbox to the advanced setup page
> that allows you to disable the console menu altogether. I'm not going to
> bother about adding a login, though. The console menu is superfluous
> after initial setup anyway because the interfaces can now be assigned
> via the webGUI too. Of course if you forget the password you're in for a
> "hard reset", but isn't that what you do with commercial firewall boxes
> too...

I totally agree that if someone has physical access, it is time to say
goodnight.  However, with m0n0wall systems that are based on regular
computer hardware, not those rather nice looking Soekris boards, seeing
a logged in console on a security device is akin to using telnet to
access one (a la Cisco - that's a joke).

If you add this option to disable the console menu, this will most
definitely do the trick - stop the "appearance" of an insecure device
because of a permanently logged in user.  As I originally mentioned, "it
doesn't appear secure when it is constantly sitting there on a logged in
account".  The actual security is not *really* affected, just the
"appearance" of the security.  And that's what tends to matter to
Sysadmins when demonstrating things to suits - as suits have so limited
a technical comprehension they often cannot work out the difference
between their telephone handset and their laptop.  But they can
determine the difference between a logged in system, and a system
sitting at a login prompt.

> > and the problem with the Announce mailing list is?
> 
> I don't see one either because there's no more than one message per
> week, but I'll consider adding some automatic update check (no automatic
> download though) to the firmware upgrade page.

The problem is that emails are a dime a dozen - I get over a thousand a
day here - most in mailing lists - and I just don't have the time to
read 'em.  I administer a number of remote firewalls, and the current
software on most of them has an "Updates" page - so as I am checking
logs and such on any one of the firewalls, I look at the "Updates"
page.  As Mark mentioned, if there is an update available, I then also
plan to spend whatever time necessary updating the machines that need
this update.

Basically, it is *significantly* easier in large installations to be
notified of updates by the webGUI than by yet another email that you
have to try not to ignore.

>  BTW it's being remade
> at the moment anyway - FTP upload will be gone soon, replaced by HTTP
> upload which finally works fine as well.

Excellent.

-- 

Regards,

Hilton Travis                   Email: Hilton at QuarkAV dot com
Manager, Quark AudioVisual      Phone: +61-(0)7-3343-3889
         Quark Computers        Phone: +61-(0)419-792-394
(Brisbane, Australia)            http://www.QuarkAV.com/

Open Source Projects:		http://www.ares-desktop.org/
				http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
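The "automatic update check (no automatic download)" that Manuel proposes above, sketched as an added example.  This is not m0n0wall code and not from anyone in the thread; the version string format ("major.minor[.patch][b<beta>]"), the one-line announcement file, and the sample announcement bodies are all assumptions made for illustration.  The point it shows: the poll only compares version numbers and reports a status for the Updates page, it never fetches firmware, and when the check cannot be completed (no network, or a body that is not a version number) it reports "unknown" rather than silently claiming the box is up to date.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Assumed version scheme for this example: "1.0", "1.0.1", "1.1b2".
# A beta sorts below the final release carrying the same number.
# This is an assumption for illustration, not m0n0wall's real scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:b(\d+))?$")
_FINAL = 10**6  # sentinel: a final release outranks any beta of that number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0,
            int(beta) if beta else _FINAL)


def update_available(installed: str, latest: str) -> bool:
    """True only when the announced version is strictly newer."""
    return parse_version(latest) > parse_version(installed)


def check_for_update(installed: str,
                     fetch_latest: Callable[[], str]) -> Dict[str, Optional[str]]:
    """Check-only update poll for a webGUI status page.

    fetch_latest is injected (so this runs offline) and returns the body of
    a small text file whose first line is the latest released version.
    The function never downloads firmware; it only returns a status.
    A failed or unparsable check is reported as "unknown", never as
    "up to date", so a dead mirror cannot hide a pending update.
    """
    try:
        body = fetch_latest()
    except Exception as exc:  # DNS failure, no route, TLS error, ...
        return {"status": "unknown", "installed": installed,
                "latest": None, "error": str(exc)}
    lines = body.strip().splitlines()
    first = lines[0] if lines else ""
    try:
        newer = update_available(installed, first)
    except ValueError as exc:
        return {"status": "unknown", "installed": installed,
                "latest": None, "error": str(exc)}
    return {"status": "update available" if newer else "up to date",
            "installed": installed, "latest": first, "error": None}


# Constructed stand-ins for the announcement file so the example runs offline.
SAMPLE_ANNOUNCEMENT = "1.1\n"          # constructed: newer release announced
SAMPLE_GARBAGE = "<html>captive portal</html>\n"  # constructed: not a version


def unreachable_mirror() -> str:
    """Constructed fetcher that behaves like a mirror that is down."""
    raise OSError("no route to host")


if __name__ == "__main__":
    for installed in ("1.0", "1.1", "1.1b2"):
        print(installed, "->", check_for_update(installed,
                                                lambda: SAMPLE_ANNOUNCEMENT))
    print("garbage ->", check_for_update("1.0", lambda: SAMPLE_GARBAGE))
    print("down ->", check_for_update("1.0", unreachable_mirror))
```

Because the announcement body is remote input, the parser accepts only the narrow version pattern and treats anything else as a failed check; whether the poll is worth trusting at all depends on fetching the file over an authenticated channel, which this example leaves to the injected fetcher.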