This was a very good article, Ladislav. I really enjoy reading your stuff here and on DistroWatch. I would like to point out a point of disagreement, though:
"the system administrator will have to lower the securelevel in the BSD kernel by rebooting the system"
This may be true to some degree; however, all you have to do is go to run level 1 (single-user console mode) by typing "kill -15 1". Once in runlevel 1, all you have to do is edit /etc/rc.securelevel to whatever you want (-1, 0, 1) and then type exit to return to runlevel 5. You will then notice that you are in whatever securelevel you specified in the file :-)
Some people might say that this is similar to a reboot, and I would say that pf is still routing traffic!!!!!!!!! And the network stays up!!!!
I have two scripts (syslock, sysunlock) that I use for my firewall/router. I simply execute the syslock script, which recursively sets the schg flag for lots of directories, bumps up the securelevel 1->2 and then edits /etc/rc.securelevel to reflect this. The sysunlock script does the same things in reverse: unlocks the filesystem and then lowers the securelevel to 1. I have to run the sysunlock script in single-user mode, though. But upon exiting to run level 5 everything is as it should be: an unlocked filesystem and a securelevel of 1.
Thanks for writing a wonderful article. I really love your DistroWatch site and am quite pleased that you decided to include *BSD :-)
Oh yeah, I forgot to mention that I too own "Absolute OpenBSD" and absolutely love it. Whenever I'm playing with my firewall/router away from my Linux boxen I always have that book close by :-)
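An added sketch of a syslock/sysunlock pair of the kind the comment describes (example code written for this page, not the commenter's scripts). It assumes OpenBSD's chflags(1) and sysctl(8), a directory list of its own choosing, and that /etc/rc.securelevel carries a line of the form securelevel=N which /etc/rc applies at boot; the unlock path refuses to run unless init has already dropped the kernel to securelevel 0, since at level 1 or higher the kernel will not clear schg.

```shell
#!/bin/sh
# Example lock/unlock helper for an OpenBSD firewall/router (assumed layout).
LOCK_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /etc"
RC_SECURELEVEL=/etc/rc.securelevel

# OpenBSD securelevels are -1, 0, 1 and 2; anything else is a typo.
valid_level() {
    case "$1" in
        -1|0|1|2) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite (or append) the securelevel=N line in an rc.securelevel-style file.
# Takes the file path as an argument so it can be exercised on a scratch copy.
set_rc_level() {
    f=$1; lvl=$2
    valid_level "$lvl" || { echo "invalid securelevel: $lvl" >&2; return 1; }
    tmp="$f.tmp.$$"
    if grep -q '^securelevel=' "$f"; then
        sed "s/^securelevel=.*/securelevel=$lvl/" "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        printf 'securelevel=%s\n' "$lvl" >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# syslock: make system directories immutable, raise the running kernel to 2,
# and record 2 so the next boot comes up locked as well.
lock() {
    for d in $LOCK_DIRS; do chflags -R schg "$d"; done
    sysctl kern.securelevel=2
    set_rc_level "$RC_SECURELEVEL" 2
}

# sysunlock: only meaningful in single-user mode (kill -15 1), where init has
# already lowered the kernel to 0; at level >= 1 chflags noschg is refused.
unlock() {
    cur=$(sysctl -n kern.securelevel)
    if [ "$cur" -gt 0 ]; then
        echo "kern.securelevel is $cur; drop to single-user mode first" >&2
        return 1
    fi
    for d in $LOCK_DIRS; do chflags -R noschg "$d"; done
    set_rc_level "$RC_SECURELEVEL" 1   # multi-user boots back into level 1
}

case "${1:-}" in
    lock) lock ;;
    unlock) unlock ;;
esac
```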
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds