On Sat, 2004-01-24 at 01:17, Manuel Kasper wrote:
> EXT dash Mike dot Bradshaw at nokia dot com wrote:
> > reboot is already there (diagnostics, Reboot system) i agree shutdown
> > would also be nice
> No need for that - just pull the plug (or flip the switch).
Even on HDD versions? I know the difference between the HDD and CF
version is rather minimal, but all other OSes tend to b0rk eventually if
their filing system is not shut down cleanly. Not having played with
BSD before, I guessed that it was the same.
If the configuration has already been successfully written, then this
should be fine (and extremely easily backed up, edited and restored
thanks to the xml format - great idea, that). It is just the logs being
written to HDD that could be an issue.
> > if someone has physical access to your Firewall console you are
> > pretty much screwed right there. a simple console login is *SO* easy
> > to defeat that it just not funny (if you have physical access)
> That is my point of view as well, but as this has come up enough times
> to get me bored, I'll just add a checkbox to the advanced setup page
> that allows you to disable the console menu altogether. I'm not going to
> bother about adding a login, though. The console menu is superfluous
> after initial setup anyway because the interfaces can now be assigned
> via the webGUI too. Of course if you forget the password you're in for a
> "hard reset", but isn't that what you do with commercial firewall boxes
I totally agree that if someone has physical access, it is time to say
goodnight. However, with m0n0wall systems that are based on regular
computer hardware, not those rather nice looking Soekris boards, then
seeing a logged in console on a security device is akin to using telnet
to access one (a la Cisco - that's a joke).
If you add this option to disable the console menu, this will most
definitely do the trick - stop the "appearance" of an insecure device
because of a permanently logged in user. As I originally mentioned, "it
doesn't appear secure when it is constantly sitting there on a logged in
account". The actual security is not *really* affected, just the
"appearance" of the security. And that's what tends to matter to
Sysadmins when demonstrating things to suits - as suits have so limited
a technical comprehension they often cannot work out the difference
between their telephone handset and their laptop. But they can
determine the difference between a logged in system, and a system
sitting at a login prompt.
> > and the problem with the Announce mailing list is?
> I don't see one either because there's no more than one message per
> week, but I'll consider adding some automatic update check (no automatic
> download though) to the firmware upgrade page.
The problem is that emails are a dime a dozen - I get over a thousand a
day here - most in mailing lists - and I just don't have the time to
read 'em. I administer a number of remote firewalls, and the current
software on most of them has an "Updates" page - so as I am checking
logs and such on any one of the firewalls, I look at the "Updates"
page. As Mark mentioned, if there is an update available, I then also
plan to spend whatever time necessary updating the machines that need
Basically, it is *significantly* easier in large installations to be
notified of updates by the webGUI than by yet another email that you
have to try not to ignore.
> BTW it's being remade
> at the moment anyway - FTP upload will be gone soon, replaced by HTTP
> upload which finally works fine as well.
Hilton Travis Email: Hilton at QuarkAV dot com
Manager, Quark AudioVisual Phone: +61-(0)7-3343-3889
Quark Computers Phone: +61-(0)419-792-394
(Brisbane, Australia) http://www.QuarkAV.com/
Open Source Projects: http://www.ares-desktop.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.