Slashdot Mirror

← Back to Stories (view on slashdot.org)

Run Your Firewall Halted for Extra Security

Posted by michael on from the neat-trick dept.

n8willis writes: "There's a great article over at the SysAdmin magazine site that presents a unique approach to improving network security: run your firewall in a halted state. This means runlevel 0; no processes running and no disks mounted, but with packet filtering still on. The author heard a rumor of this capability in the 2.0 series kernels, and he's managed to get it working in 2.2 as well."

3 of 390 comments (clear)

  1. Why run an OS at all? by Mignon · · Score: 5, Interesting
    Now that you've read my provocative title, I'll tone it down a bit:

    There have been some great comments to this article (which I haven't read) but I got to wondering: if you're going to run in a sort of comatose state where your only ability to change the system is to reboot it, why bother booting in the first place?

    My idea was to use the Linix BIOS or something similar, and run your packet filtering from there. Then you can forget the hard drive and floppy (though you'd probably want that floppy to be able to flash your BIOS with updates and the like.)

    Does this make sense to anyone? Or is there something I'm overlooking like maybe that while running as a BIOS, Linux wouldn't be able to talk to the network interfaces, say?

    I guess if you're going to go to that kind of trouble, you might as well have an embedded system, or run from flash RAM, as others have mentioned. Still, it's always fun to get hardware and software to do things beyond what they were designed to do.

  2. Re:Logging? by Stary · · Score: 5, Interesting

    If you're seriously paranoid about it, get an old dot-matrix printer and hook it up as the logging output device. You'll have a logging device that nobody could alter no matter how compromised the system gets, without having to mount anything read-write.

    --
    Tomorrow will be cancelled due to lack of interest
  3. Solving the rebooting "problem" by vrmlguy · · Score: 5, Interesting
    There seem to be a lot of comments along the lines of "Yeah, but you have to reboot to change the config, and that takes down your firewall". I see this as an opportunity, not a problem.

    As the article points out, the kernel continues to run when halted, so the first part of the solution is to signal the kernel to transition out of run-level 0 in a safe way. There used to be ISA cards for debugging that had a push-button at the end of a cable; when pushed, an interrupt was triggered to invoke the debugger. I can't see any reason why the Linux kernel couldn't be patched to watch for that interrupt while halted and restart the boot process, say from the point where a boot disk is mounted. The second step would be to modify the init.d scripts affecting the IP stack to abort if the NICs are already configured.

    The end result would be a firewall with a button that, when pressed, would cause the system to "wake up" and allow configuration changes to be made. When you're all done, just do another "init 0". To guard against forgetful netadmins, you may want a watchdog process that also does an "init 0" fifteen minutes after the system comes up.

    I can't see any show stoppers to this idea. What do you think?

    --
    Nothing for 6-digit uids?