Autostart; Flash-N-Go System; Networking; Firewall - Netfilter/Iptables - GARZ&FRICKE GUF-Yocto-34.0-r5756-0-VINCELL User Manual

10.3 Autostart

Garz & Fricke devices are equipped with an [4.1.9 Autostart] service. As this service executes anything with root privileges without further checking, this is a possible vulnerability. Restricting the physical access to the interfaces by the mechanical construction is one way to reduce the risk of attacks. To disable this feature completely, execute:

mv /etc/udev/rules.d/automount.rules /etc/udev/rules.d/automount.rules.disabled

Note: Updating the device with Flash-N-Go Update and [4.1.8 Autocopy] or any other automatic update tool is not possible without the autostart feature.

It should be possible to add special security checks to the mount script that allow only an automatic update but suppress all other executables.

10.4 Flash-N-Go System

Newer Garz & Fricke devices are equipped with a Flash-N-Go System as backup OS. Within Flash-N-Go the user has full control of the device's configuration and of the partitions on the flash disk or eMMC, without a password or further authentication.

As described in [9 Deploying the Linux system to the target], booting into the Flash-N-Go System can be triggered by pressing the bootmode switch SW2 or with the bootselect tool from the Yocto OS. The bootselect tool can only change the bootmode when called with root privileges, so following the password and user suggestions from [10.2 User permissions concept] should solve this issue.

The bootmode switch should be secured by restricting physical access by the mechanical construction. If this is impossible, it is possible to disable the Backup OS with the following command sequence:

root@gufboardll:~# mount /dev/mmcblk0p2 /mnt/
root@gufboardll:~# mv /mnt/boot.cfg /mnt/boot-alt.cfg
root@gufboardll:~# umount /mnt/
root@gufboardll:~# mount /dev/mmcblk0p1 /mnt/
root@gufboardll:~# mv /mnt/boot-alt.cfg /mnt/boot-alt.cfg.bak
root@gufboardll:~# umount /mnt/

Note: This change disables the access to the backup OS Flash-N-Go System completely. If the normal OS becomes inaccessible for some reason, there is no way for a customer to fix the device.

Note: Updating the system normally without the backup OS Flash-N-Go System is impossible. It is, however, possible to revert the change and re-enable the Flash-N-Go System from the normal OS, if that is still functional.

10.5 Networking

10.5.1 Firewall - netfilter/iptables

By default, all network communication is allowed. Linux can be configured to block certain IP packets depending on their headers (e.g. by port or by protocol) using iptables, which is basically a firewall. As this mechanism is very powerful and complex, it is not documented here in detail. Please take a look at the following link for a basic introduction:

https://help.ubuntu.com/community/IptablesHowTo

As a first start we show some basic use cases here.

Note: If you call these commands from a network login, your connection will or could break. Without physical access to the serial or USB console, you won't be able to access the device anymore.

Block all network traffic:

GUF-Yocto-34.0-r5756-0 VINCELL User Manual 51
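The lock-out risk noted in 10.5.1 above is the usual failure mode of a default-deny rule set applied over a network login. The following script is an added example, not from the Garz & Fricke manual: it keeps loopback, established connections and one assumed management port (SSH_PORT, default 22) open, switches the INPUT policy to DROP only after those accept rules are in place, and arms a rollback timer that reopens the device unless the operator confirms a fresh login still works. It assumes iptables with the conntrack and limit matches is available on the target.

```sh
#!/bin/sh
# Added example, not from the Garz & Fricke manual: a default-deny INPUT policy
# that keeps the network login used to apply it alive, plus a rollback timer so a
# mistake in the rules does not require the serial or USB console to recover.
# Assumes iptables with the conntrack and limit matches is present on the target.

SSH_PORT=${SSH_PORT:-22}                  # management port to keep open (assumed)
ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-120} # time to confirm a fresh login works
PIDFILE=/tmp/fw-rollback.pid

# firewall_rules -> prints the rule set, one iptables command per line.
# Accept rules are appended before the policy is switched to DROP, so the
# session that runs this never sees a window in which its packets are dropped.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# rollback_rules -> prints the commands that reopen the device completely.
rollback_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
EOF
}

# apply_firewall -> starts the rollback timer, then applies the rules.
# Open a second login to verify access, then run cancel_rollback.
apply_firewall() {
    ( sleep "$ROLLBACK_SECONDS" && rollback_rules | sh ) &
    echo $! > "$PIDFILE"
    firewall_rules | sh
}
# cancel_rollback -> stops the timer once the new rules are confirmed good.
cancel_rollback() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
}
```

Source the file on the device and run apply_firewall; if a second login succeeds within ROLLBACK_SECONDS, run cancel_rollback, otherwise the timer restores the open policy on its own.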
