Rainer Wess - 2002-05-23

Hello freebsdfan,

I have played a little with my box (thewall.pc.pppoe.0.2) and have found a few improvements that may be interesting for you:

Sorry, I'm a little bit paranoid ;-)

1. I have deleted all users except root and there wasn't any error message; everything worked in the same way as before, so I think the other users are useless - so I suggest making a note in the documentation or deleting them in the download package.

2. The file permissions of most files could be more restrictive:
   for example: they are 555 for all executable files in /stand - I'm not very familiar with this, but is 500 enough?
                666 for most files in /dev - is 600 enough?
                and so on...

3. Every boot creates a file "passwd" in /etc - there are no passwords in it, but the rights are 644, so an intruder already knows the account names; with a password generator it is only a question of time until he gets root permissions in..

4. It would be a nice hint in the documentation to change the name of the user root in the master.passwd to something else to improve security..

5. The last rule in rc.firewall is:
   ${fwcmd} add deny ip any to any  - I'm not very familiar with it, and just because I don't know which other protocols are supported by the kernel I have changed it to:
   ${fwcmd} add deny all any to any

   Or doesn't this make any difference?


PS: I started translation of your documentation to German yesterday (README and EXAMPLE.PPPoE),
when I am ready (~ in 14 days) I will email it to you.
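
Added example, not part of Rainer Wess's post or of the project: a dry-run check for point 2 that lists the entries under a directory whose mode grants bits beyond a proposed ceiling (500 for /stand, 600 for /dev in the post), so the effect of tightening can be reviewed before any chmod. The function names, file names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run permission audit. Changes nothing on disk.
# over_ceiling DIR CEILING
#   Prints every non-directory, non-symlink entry under DIR whose mode has
#   a permission bit set that is not part of CEILING (octal, e.g. 500, 600).
over_ceiling() {
    dir=$1
    ceiling=$2
    tests=""
    for bit in 400 200 100 040 020 010 004 002 001; do
        # A bit missing from the ceiling counts as excess when a file has it.
        if [ $(( 0$ceiling & 0$bit )) -eq 0 ]; then
            tests="$tests${tests:+ -o }-perm -$bit"
        fi
    done
    # A ceiling of 777 allows every bit: nothing to report.
    [ -n "$tests" ] || return 0
    # $tests is left unquoted on purpose so it splits into find arguments.
    find "$dir" ! -type d ! -type l \( $tests \) -print | sort
}

# Constructed sample tree standing in for /stand and /dev (hypothetical names).
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/stand" "$root/dev"
    : > "$root/stand/prog-a"; chmod 555 "$root/stand/prog-a"
    : > "$root/stand/prog-b"; chmod 500 "$root/stand/prog-b"
    : > "$root/dev/node-a";   chmod 666 "$root/dev/node-a"
    : > "$root/dev/node-b";   chmod 600 "$root/dev/node-b"
    echo "$root"
}

sample=$(make_sample)
echo "Exceeds 500 under stand:"; over_ceiling "$sample/stand" 500
echo "Exceeds 600 under dev:";   over_ceiling "$sample/dev" 600
rm -rf "$sample"
```

On a real box the call would be `over_ceiling /stand 500` or `over_ceiling /dev 600`; the output is the list of files a chmod to that ceiling would actually change.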