Run Your Linux Firewall Halted for Extra Security

Dustin Cross dusty at sandust.com
Fri Feb 8 15:21:31 PST 2002


Can you set up a linux firewall as a bridge?  With OpenBSD several people are 
setting up OpenBSD with two NICs with NO IPs and then bridging between them.  All 
traffic passes through the bridge and the firewall determines what to do with it, 
but there is no way to connect to the firewall.  Here is an article about it.  I 
haven't tried it, because I use my firewall for NAT also, but it sounds pretty cool.

http://www.daemonnews.org/200103/ipf_bridge.html


Dusty


MonMotha (monmotha at indy.rr.com) wrote: 
>
>It most certainly does still work, at least when the hard drive fails.
>I had an IBM deskstar (see a trend here? it was 5 years old I guess)
>fail in my NAT box and I didn't even know it was down until I tried to
>log in to it and it of course couldn't authenticate as it couldn't read
>the passwd or shadow file.
>
>--MonMotha
>
>Warren Togami wrote:
>> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>> "There's a great article over at the SysAdmin magazine site that presents a
>> unique approach to improving network security: run your firewall in a halted
>> state. This means runlevel 0; no processes running and no disks mounted, but
>> with packet filtering still on. The author heard a rumor of this capability
>> in the 2.0 series kernels, and he's managed to get it working in 2.2 as
>> well."
>>
>> I once did this by accident with an early 2.2.x kernel when a defective new
>> IBM Deskstar hard drive crashed on my firewall. It continued to be pingable
>> and route packets though I could no longer log in.  Upon plugging in the
>> monitor I found kernel panic messages and IDE and DMA timeouts.
>>
>> Anyone know if this still works with 2.4.x iptables?
>>
>> What are the security implications?  The main drawback of course would be
>> that changing iptables rules would be a painful process of rebooting and
>> maybe 30 seconds of downtime (in an optimally configured setup).
>>
>> There has to be a simple way to hack the kernel to "revive" from runlevel 0
>> with certain key presses locally?
>>
>> If so, this would make another powerful method of running production Linux
>> firewalls.  IMPOSSIBLE to root remotely, and you can change iptables rules
>> without downtime locally.
>>
>> I'm thinking custom "Halted Linux Firewall" distribution that fits on a 4MB
>> flash IDE disk.  (Could also fit on a floppy, but floppies are unreliable
>> and slow pieces of crap.)  Anyone want to put together such a beast? =)
>>
>> Warren
>>
>>
>>
>> ---
>> You are currently subscribed to luau as: monmotha at indy.rr.com
>> To unsubscribe send a blank email to $subst('Email.Unsub')
>>
>>
>
>
>
>
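The IP-less bridge firewall Dusty asks about, written out as an added example (it is not from the post or the linked article): two NICs are joined into a bridge that carries no IP address, so the box has no layer-3 identity to log into remotely, and the bridged frames are filtered in the iptables FORWARD chain. It assumes bridge-utils (brctl), iproute2, an iptables build with the physdev match, a kernel with bridge-netfilter, and the placeholder interface names eth0, eth1 and br0.

```shell
#!/bin/sh
# Transparent bridge firewall (added example). Assumes brctl, ip, iptables
# with the physdev match, and bridge-netfilter so bridged frames pass
# through iptables. Interface names are placeholders.
OUTSIDE=${OUTSIDE:-eth0}   # faces the upstream router
INSIDE=${INSIDE:-eth1}     # faces the protected LAN
BRIDGE=${BRIDGE:-br0}
DRY_RUN=${DRY_RUN:-0}      # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (lets the config be reviewed
# before it is applied, which matters when the only access is the console)
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_bridge: join both NICs into a bridge and bring it up WITHOUT assigning
# any IP address, so nothing can open a connection to the firewall itself.
build_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUTSIDE"
    run brctl addif "$BRIDGE" "$INSIDE"
    run brctl stp "$BRIDGE" off
    run ip link set dev "$OUTSIDE" up
    run ip link set dev "$INSIDE" up
    run ip link set dev "$BRIDGE" up
    # Make bridged frames traverse iptables (bridge-netfilter sysctl on newer kernels)
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# apply_rules: default-deny; the LAN may originate traffic, replies may return,
# everything else crossing the bridge is logged and dropped. INPUT is dropped
# as well, although with no IP there is nothing for it to match.
apply_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
        --physdev-out "$OUTSIDE" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "bridge-drop: "
}

# Only apply for real when explicitly asked; otherwise stay passive.
if [ "${1:-}" = apply ]; then
    build_bridge
    apply_rules
fi
```

Run as `DRY_RUN=1 sh bridge-fw.sh apply` to review the exact commands, then as root without DRY_RUN to apply them from the console.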


