Eventually, having the kernel possibility to customize the config path from /etc to e.g. /heroxyz could be helpful for a firewall, what do you think? :-)
-Dan

Mar 25, 2024 18:06:10 Dan <d...@nnnne-o-o-o.com>:

>> /etc is always going to be problematic. I've been experimenting
>> to see if I can create a viable firewall config with a read-only
>> root filesystem.
>
> I do not know what you mean by "experimenting if", and whether you finally
> realized your purpose.. but clearly what you suggest here is possible,
> just a matter of mounting a copy of /etc read-only/writable at the proper moment.
> I have a blog post "for paranoids" at https://bsdload.com and an old script
> for production (for a dev station, not a firewall, with all the prompts and
> visual feedback popping up).
> But in summary, if the securelevel allows you to mount/unmount /etc
> and the machine or auth means are already compromised, your
> writable /etc should be well hidden.. maybe physically separated (a stick?),
> hoping that the observer is not an OpenBSD enthusiast.