Slashdot Mirror


Run Your Firewall Halted for Extra Security

n8willis writes: "There's a great article over at the SysAdmin magazine site that presents a unique approach to improving network security: run your firewall in a halted state. This means runlevel 0; no processes running and no disks mounted, but with packet filtering still on. The author heard a rumor of this capability in the 2.0 series kernels, and he's managed to get it working in 2.2 as well."

3 of 390 comments

  1. No filesystem... by YKnot · Score: 0, Redundant

    Where is the log going without filesystems mounted or daemons running? Do you trust a firewall that much that you don't want to see if maybe some "interesting" patterns in traffic occur?

  2. Even better: by BlueUnderwear · Score: 0, Redundant

    ...run it unplugged! Now who will succeed to break into that?

    --
    Say no to software patents.
  3. FreeBSD runlevels by Fzz · Score: 0, Redundant

    On FreeBSD you can get very similar security by going to runlevel 3. From the man page for init:

    The kernel runs with four different levels of security. Any super-user process can raise the security level, but no process can lower it. The security levels are:

    • -1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value.
    • 0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
    • 1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted filesystems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.
    • 2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message ``Time adjustment clamped to +1 second''.
    • 3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted.

    -Fzz