Run Your Linux Firewall Halted for Extra Security
MonMotha
monmotha at indy.rr.com
Fri Feb 8 15:53:02 PST 2002
There is bridging support in the kernel, and some patch to allow
netfilter to filter across it. So yes, you can essentially make
yourself a PIX :)
--MonMotha
Dustin Cross wrote:
> Can you set up a linux firewall as a bridge? With OpenBSD several people are
> setting up OpenBSD with two NICs with NO IPs and then bridging between them. All
> traffic passes through the bridge and the firewall determines what to do with it,
> but there is no way to connect to the firewall. Here is an article about it. I
> haven't tried it, because I use my firewall for NAT also, but it sounds pretty cool.
>
> http://www.daemonnews.org/200103/ipf_bridge.html
>
>
> Dusty
>
>
> MonMotha (monmotha at indy.rr.com) wrote:
>
>>It most certainly does still work, at least when the hard drive fails.
>>I had an IBM deskstar (see a trend here? it was 5 years old I guess)
>>fail in my NAT box and I didn't even know it was down until I tried to
>>log in to it and it of course couldn't authenticate as it couldn't read
>>the passwd or shadow file.
>>
>>--MonMotha
>>
>>Warren Togami wrote:
>>
>>>http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>>>"There's a great article over at the SysAdmin magazine site that presents a
>>>unique approach to improving network security: run your firewall in a halted
>>>state. This means runlevel 0; no processes running and no disks mounted, but
>>>with packet filtering still on. The author heard a rumor of this capability
>>>in the 2.0 series kernels, and he's managed to get it working in 2.2 as
>>>well."
>>>
>>>I once did this by accident with an early 2.2.x kernel when a defective new
>>>IBM Deskstar hard drive crashed on my firewall. It continued to be pingable
>>>and route packets though I could no longer log in. Upon plugging in the
>>>monitor I found kernel panic messages and IDE and DMA timeouts.
>>>
>>>Anyone know if this still works with 2.4.x iptables?
>>>
>>>What are the security implications? The main drawback of course would be
>>>that changing iptables rules would be a painful process of rebooting and
>>>maybe 30 seconds of downtime (in an optimally configured setup).
>>>
>>>There has to be a simple way to hack the kernel to "revive" from runlevel 0
>>>with certain key presses locally?
>>>
>>>If so, this would make another powerful method of running production Linux
>>>firewalls. IMPOSSIBLE to root remotely, and you can change iptables rules
>>>without downtime locally.
>>>
>>>I'm thinking custom "Halted Linux Firewall" distribution that fits on a 4MB
>>>flash IDE disk. (Could also fit on a floppy, but floppies are unreliable
>>>and slow pieces of crap.) Anyone want to put together such a beast? =)
>>>
>>>Warren
>>>
>>>
>>>
>>>---
>>>You are currently subscribed to luau as: monmotha at indy.rr.com
>>>To unsubscribe send a blank email to $subst('Email.Unsub')
>>>
>>>
>>>
>>
>>
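The IP-less bridging firewall Dusty describes, written out as an added example (not code from the thread or the cited articles) in modern iproute2/iptables form rather than the brctl-plus-patch setup of 2002. Assumed names: outside NIC eth0, inside NIC eth1, bridge br0, and the br_netfilter module for bridge-nf-call-iptables.

```sh
#!/bin/sh
# Transparent (IP-less) bridging firewall on Linux. Assumptions, not from the
# page: outside NIC eth0, inside NIC eth1, bridge br0, br_netfilter available.
# DRY_RUN=1 prints the commands instead of executing them, for review.

OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
BRIDGE="${BRIDGE:-br0}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_bridge_firewall() {
    # 1. Ports carry no IP address and the bridge gets none either: there is
    #    no socket on the box for a remote peer to reach, only forwarded frames.
    run ip addr flush dev "$OUTSIDE"
    run ip addr flush dev "$INSIDE"
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up

    # 2. Send bridged IPv4 frames through the iptables FORWARD chain.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # 3. Policy: drop everything by default, allow replies to existing flows,
    #    allow new flows only from the inside port toward the outside port,
    #    and log (rate-limited) what arrives on the outside port and is dropped.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
        --physdev-out "$OUTSIDE" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
        -m limit --limit 5/min -j LOG --log-prefix "bridge-fw drop: "
}

# Apply for real only when explicitly asked: `sh bridge-fw.sh apply` as root.
case "${1:-}" in apply) setup_bridge_firewall ;; esac
```

Run with DRY_RUN=1 first to read the plan; since the bridge has no address, management afterwards is console-only, exactly the trade-off discussed in the thread.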