[Freedombox-discuss] Policy questions

Sandy Harris sandyinchina at gmail.com
Wed May 4 04:27:01 UTC 2011


Sandy Harris <sandyinchina at gmail.com> wrote:

> We have a bit of a design problem in that we want the FB to
> be very secure, but also to require a minimum of system
> administration.

Among other things, that means we want it to ship with
secure default policies in a number of areas.

Ubuntu comes with netfilter installed but no rules applied.
I do not know for Debian. Whatever the usual system
defaults -- null as for Ubuntu or something else -- they
probably need to change for the box since it will run a
different set of services than a default install.

Should the rules include blocking TCP resets?
http://news.techworld.com/security/6371/uk-boffins-douse-chinas-great-firewall/

Likely the exact set of rules needed will vary depending
on which FB services a particular box enables. Arranging
for this to happen without subjecting users to a heavy
system admin load will require some clever scripts.

DNS is an essential service but in some countries the
governments mess with it as part of a censorship
program. In the long run, we may need a design
where Freedom Boxes give each other DNS services.

At least for a box just coming up that does not know
where other boxes are, we need more. Likely a list of
open DNS servers -- Google's 8.8.8.8 and a few dozen
others -- and a script that pings them all to find ones
that are fast and reachable.

A standard tactic for security is isolation of services.
You put the web server and the mail server on two
different machines so that an enemy who finds a
flaw in the web server does not get your mail, and
vice versa.

Clearly we cannot expect to use a separate machine
for each FB service, but we need some strategy that
limits the damage if any one service turns out to have
a security flaw. Some list posts suggest using virtual
machines, and that is one plausible solution, though
costly. Can we do with careful use of user & group
IDs? With chroot jails? With capabilities? Whatever?

There are other security mechanisms available. We
might choose the Debian/FreeBSD distro instead of
Linux to get immutable files, or enable the Linux
capabilities stuff, or use Security Enhanced Linux.
However, none of those is useful alone; each needs
a set of policies appropriate for this application.
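
A worked version of the resolver-probing script the post asks for, added here as an example (it is not code from the original post or from the FreedomBox project). It sends a real DNS query rather than an ICMP ping, so a host that answers ping but does not actually resolve names is excluded, and it checks that the reply carries the query's transaction id and at least one answer. The candidate list and the lookup name debian.org are assumptions.

```python
import secrets
import socket
import struct
import time

# Constructed candidate list: the post names Google's 8.8.8.8; the others are
# placeholders for the "few dozen" open resolvers the box would ship with.
CANDIDATE_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]


def build_query(name, txid):
    """Build a minimal RFC 1035 A query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_response(data, txid):
    """Return (rcode, answer_count), or None if this is not a reply to `txid`."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong id or QR bit not set
        return None
    return flags & 0x000F, an


def probe(resolver, name="debian.org", timeout=2.0):
    """Send one query; return round-trip seconds, or None if unusable."""
    txid = secrets.randbelow(0x10000)  # unpredictable id, harder to spoof a reply
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        started = time.monotonic()
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
        rtt = time.monotonic() - started
    except OSError:  # timeout, ICMP unreachable, no route
        return None
    finally:
        sock.close()
    parsed = parse_response(data, txid)
    if parsed is None or parsed[0] != 0 or parsed[1] == 0:
        return None  # mismatched id, error rcode, or no answer records
    return rtt


def rank_resolvers(results, max_rtt=0.5):
    """Keep resolvers that answered within `max_rtt` seconds, fastest first."""
    usable = [(ip, rtt) for ip, rtt in results.items()
              if rtt is not None and rtt <= max_rtt]
    return [ip for ip, _ in sorted(usable, key=lambda item: item[1])]


if __name__ == "__main__":
    print(rank_resolvers({ip: probe(ip) for ip in CANDIDATE_RESOLVERS}))
```

Ranking by speed says nothing about whether a resolver's answers are being tampered with, which is the censorship problem the post raises; treat this as a reachability filter, not a trust decision.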
