Re: How to login user automatically? (for IP Filter firewall)

From: WinGuy (no_spam_at_nomail.bot)
Date: 09/08/04


Date: Wed, 08 Sep 2004 00:53:33 GMT


"fuji" <waiting@the airport> wrote in message
news:PI2dnU8rvrZ6vaPcRVn-jw@giganews.com...
> It's not a problem, it's a feature. ;-) Logging in automatically goes
> against everything a unix user believes in.
>
> Why do you need to? If it's to start something, a la the "startup group",
> that gets done in /etc/rc.local or a "batch file" in /usr/local/etc/rc.d.
> Almost everything runs in the background with no user interaction.
> Configuration is the only reason to log in at all.
>
> For the firewall, start by reading the handbook, section 14.8. Or if all
> you need is just a firewall, check out http://www.m0n0.ch/wall/. The
> hardest part about learning a new OS is unlearning everything you are used
> to.

and

"Lee Harr" <missive@frontiernet.net> wrote in message
news:slrncjs9cb.1ren.missive@homer.localdomain...
> On 2004-09-07, WinGuy <no_spam@nomail.bot> wrote:
> The way I do this is with a custom entry in
> /etc/gettytab
>
> man gettytab will give you all the details.
> Probably more than you could ever want.
>
> A couple of things I set are the automatic login
> (al) and the "interrupt character" (in).
>
> Once you have that, reference the new entry in
> /etc/ttys
>
> What I used this for before was to automatically
> log in a user, and then set a custom program as that
> user's shell. Works quite well.

Ah, yes. I did peek at the gettytab man, and yep it was more than I wanted
to know but I see that the al option (if I really understood how to do it)
might be of some benefit later on, for sure, Lee. And what you say, Fuji,
seems after reflection to be what I really want to do -- I think. For one
thing, I'm too inexperienced to know more than that I should wonder if I run
IP Filter (see http://www.obfuscation.org/ipf/ipf-howto.html ) via rc.local
then is it running with root permissions? Basically, I worry about some way
to hack IP Filter (via internet), some unsuspected weakness, with the result
being root privileges; and while I realize that's not at all likely it is
still prudent to guard against a remote unlikelihood anyway. So maybe I'd
want to run it from a less privileged account, can I do that without having
to login to that account (this sounds a little dumb even to me, since I
assume IP Filter file and directory permissions can address that question
and so rc.local really doesn't expose root to a possible hack unless those
IP Filter file permissions are set wrong). I'm still ignorant and confused
in this regard.

But I might have made a mistake going with FreeBSD. Maybe I have to go with
OpenBSD. One of the cool things about IP Filter is that it can bridge
interfaces and not even use IP addresses on the 2 ethernet cards at all.
Search the above link for the text "What Firewall? Transparent filtering."
(without the quote marks), where OpenBSD allows a command such as "brconfig
bridge0 add xl0 add xl1 up". This I like, from a security view, and the box
IS intended to be the front line of a very powerful and configurable
firewall for my entire LAN (i.e. sitting between the DSL modem and the hub
that routers connect to). Not just any firewall, but a darned good one. Does
FreeBSD support bridging like OpenBSD is supposed to? If so, do I need to
remove the activation of the NICs and not even allow them to have an IP
address? I don't really have to have this feature, though.

Another cool thing about IP Filter is its "log body" keyword (search the
above link), which allows trapping the 1st 128 data characters of a packet.
This could be very useful for another program to examine real-time, looking
for webserver attacks, etc, on ports that must normally be open. It's the
versatility and ability to be interfaced with IP Filter that has me now
beginning to learn how to use FreeBSD. :)
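The gettytab/ttys setup described in the quoted reply, as an added example that is not part of the original thread and shows only the `al` capability. The entry name `autofw` and the account `fwuser` are hypothetical, and the `Pc` base entry, the `cons25` terminal type and the `ttyv1` console are assumed from a stock FreeBSD console configuration.

```conf
# --- /etc/gettytab -------------------------------------------------
# Constructed entry: "autofw" and "fwuser" are hypothetical names.
# al= names the account getty logs in without prompting; tc= inherits
# the remaining settings from the existing "Pc" console entry.
# Use an unprivileged account here rather than root.
autofw:\
	:al=fwuser:tc=Pc:

# --- /etc/ttys -----------------------------------------------------
# Reference the new entry on one virtual console only. "insecure"
# keeps root from logging in directly on this terminal.
ttyv1	"/usr/libexec/getty autofw"	cons25	on insecure

# After editing /etc/ttys, have init re-read it:
#   kill -HUP 1
```

Anyone with physical access to that console gets a session as the named account, so that account's shell and file permissions are what bound the exposure.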


