Re: server was down all the weekend again...
Terran
Member
Status: Offline
Posts: 431
Join Date: Jan 2004
Default Re: server was down all the weekend again... - 18-02-2004

Quote:
Originally Posted by memed
Afaik pptp with mppe is one of those module only, also being able to load and unload ip_table modules is a common practice for me. Despite that, your words are contrary to PMB, why should all possible ip_tables modules be in the kernel (iiiieeeek), that makes it bigger and bloated. And I'm pretty sure that some modules are (were) mutually exclusive, resulting in the need for modules to get all functions.
I also don't want to reinvent the wheel on a wagon already in motion, e.g. my "forensic" connection tracker tool relies on being able to load/unload some of those modules. So in terms of security we ain't no border gate or secure login server and the kernel running now is at least safe enough for pmb and me ;-), while Nova can still recover what PMB and me failed.

cheers
I didn't want you to do it this way but I wanted to say that it's possible. But you're right saying that this will blow up the size of the kernel without careful planning which features are required and which are not. For a production system those features normally don't change very frequently, therefore you can go with a static kernel.
And there is much more than the kernel regarding security. E.g. stopping unnecessary services, no direct root logins etc. (hardening systems)

Quote:
Originally Posted by memed
p.s. when I dream of security:
If there were time and local access I would make it a GSX server running a cascaded openbsd/linux environment, preferably guarded by two aravox'es used in asynchronous mode (one for in and one for out). Not to mention that I would like to have access to the onion router ring for connectivity to "my" border network which would be staffed with Cisco's routers and pix'es running CSM on an isolated outband management station.

(apart from outband management, the number of aravox'es and the onion router ring access, I did that once)
I'm not sure this will result in a secure system but it will result in a hard to manage system because of the complexity you described.

Btw: aravox is out of business since last year...
Btw2: what is an "onion router ring"?