Run Your Linux Firewall Halted for Extra Security

MonMotha monmotha at indy.rr.com
Fri Feb 8 15:53:02 PST 2002


There is bridging support in the kernel, and some patch to allow the 
netfilter to filter across it.  So yes, you can essentially make 
yourself a PIX :)

--MonMotha

Dustin Cross wrote:
> Can you set-up a linux firewall as a bridge?  With OpenBSD several people are 
> setting up OpenBSD with two NICs with NO IPs and then bridging between them.  All 
> traffic passes through the bridge and the firewall determines what to do with it, 
> but there is no way to connect to the firewall.  Here is an article about it.  I 
> haven't tried it, because I use my firewall for NAT also, but it sounds pretty cool.
> 
> http://www.daemonnews.org/200103/ipf_bridge.html
> 
> 
> Dusty
> 
> 
> MonMotha (monmotha at indy.rr.com) wrote: 
> 
>>It most certainly does still work, at least when the hard drive fails.
>>I had an IBM deskstar (see a trend here? it was 5 years old I guess)
>>fail in my NAT box and I didn't even know it was down until I tried to
>>log in to it and it of course couldn't authenticate as it couldn't read
>>the passwd or shadow file.
>>
>>--MonMotha
>>
>>Warren Togami wrote:
>>
>>>http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>>>"There's a great article over at the SysAdmin magazine site that presents a
>>>unique approach to improving network security: run your firewall in a halted
>>>state. This means runlevel 0; no processes running and no disks mounted, but
>>>with packet filtering still on. The author heard a rumor of this capability
>>>in the 2.0 series kernels, and he's managed to get it working in 2.2 as
>>>well."
>>>
>>>I once did this by accident with an early 2.2.x kernel when a defective new
>>>IBM Deskstar hard drive crashed on my firewall. It continued to be pingable
>>>and route packets though I could no longer log in.  Upon plugging in the
>>>monitor I found kernel panic messages and IDE and DMA timeouts.
>>>
>>>Anyone know if this still works with 2.4.x iptables?
>>>
>>>What are the security implications?  The main drawback of course would be
>>>that changing iptables rules would be a painful process of rebooting and
>>>maybe 30 seconds of downtime (in an optimally configured setup).
>>>
>>>There has to be a simple way to hack the kernel to "revive" from runlevel 0
>>>with certain key presses locally?
>>>
>>>If so, this would make another powerful method of running production Linux
>>>firewalls.  IMPOSSIBLE to root remotely, and you can change iptables rules
>>>without downtime locally.
>>>
>>>I'm thinking custom "Halted Linux Firewall" distribution that fits on a 4MB
>>>flash IDE disk.  (Could also fit on a floppy, but floppies are unreliable
>>>and slow pieces of crap.)  Anyone want to put together such a beast? =)
>>>
>>>Warren
>>>
>>>
>>>
>>>---
>>>You are currently subscribed to luau as: monmotha at indy.rr.com
>>>To unsubscribe send a blank email to $subst('Email.Unsub')


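The no-IP bridge setup Dustin describes (two NICs, no addresses, netfilter filtering across the bridge), as an added example that is not part of this thread or of the articles it links: a shell script that brings up the bridge and emits an iptables-restore ruleset for it. It assumes a Linux kernel with bridge-netfilter (br_netfilter) and the physdev match, plus iproute2; the interface names and the single permitted inbound service (TCP/80) are constructed for the example.

```shell
#!/bin/sh
# Added example: transparent (no-IP) bridge firewall.
# Assumes br_netfilter and the xt_physdev match are available.

OUTSIDE=eth0   # constructed interface names
INSIDE=eth1
BRIDGE=br0

# Bring up the bridge with no IP address on any interface: the box is
# reachable only from the console, as in the OpenBSD setups in the thread.
bridge_up() {
    ip link add name "$BRIDGE" type bridge
    ip link set "$OUTSIDE" master "$BRIDGE"
    ip link set "$INSIDE" master "$BRIDGE"
    ip link set "$OUTSIDE" up
    ip link set "$INSIDE" up
    ip link set "$BRIDGE" up
    # Send bridged frames through iptables (needs br_netfilter).
    modprobe br_netfilter 2>/dev/null || true
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit an iptables-restore ruleset. Only FORWARD matters: nothing can hit
# INPUT because no interface has an address. Port 80 is a constructed
# example of one inbound service allowed through to the inside.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m physdev --physdev-in $INSIDE --physdev-out $OUTSIDE -j ACCEPT
-A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "bridge-drop: "
COMMIT
EOF
}

# Number of rules in the generated policy, for a quick sanity check.
rule_count() {
    ruleset | grep -c '^-A '
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    bridge_up
    ruleset | iptables-restore
fi
```

Run with `apply` as root to configure the bridge; without it the script only generates the ruleset so it can be reviewed first.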
