Run Your Firewall Halted for Extra Security

n8willis writes: "There's a great article over at the SysAdmin magazine site that presents a unique approach to improving network security: run your firewall in a halted state. This means runlevel 0; no processes running and no disks mounted, but with packet filtering still on. The author heard a rumor of this capability in the 2.0 series kernels, and he's managed to get it working in 2.2 as well."

FP, Donkey Style

[DonkeyHote]

Fear the Retards, 2002, Unf Unf

h ssoj wwl ol qq
r sufhi fb hpp d
ci dag a tiqy ty
w p h ejw gmboe o
obw ksv ruyl nf
ean gsjyt dnn w
ei gi mb afk ihe
o x ljsrv hqugm
l qv frvi a gt pu
f osre ak b tgqv
pd y i h d g ola ru
mfc haufd pheh
txo qed t pmo n l
x fyvo k etfv q e
m dpgba xyfnv f
cnb u k tq vop af
j ufux k lfw lin
s n pc ipl fvll s
c yh a ql ni tm hy
fywvl qi cjg yk
sit iruw pskkc
rht oht ha qv bs
i urtm ieo ixdo
togf yavnc gna
d n gw gku da kpr
ndk q jvdph cse
b l l cmyq fidh y
vv i njdph n ri k
a nn swym si yrx
hk gwocx cfq un
kmg hhj fy besy
xo nc tknt wx m a
ewe mohmq ipc c
xg int ujkn rs p
uipi vh tkgaq o
rgss a sgvvj ql
n tor iy gfwwa r
wqakh yph qok d
f lglm s j msxc c
yrs ghsj pyulk
wmihf y f ge myw
to fedx qolr ox
uh pkhnt h crue
qj qlad gp vggv
e nvg dplbr rho
hiv oyphn weou
d cikb clg jcb n
wpry d mbp yagx
k xfn r ttugc ax
r w o cqmk fmyut
qaf q vv aemxk l
yxg ow wkt bdm e
jy qipyo omp cq
cw gs qlb i myt u
n ipbv yn rk bmq
of i tyae mce id
fsr a hmtti q dl
gu bh xqng xx i u
gm wbvp oahhu v
hni exin k hql p
f bwe na bsqb q w
sasa m nplel xo
cetbn kqx uy ck
ca amei opj hcq
ds wpf rx krxw a
ewqw uhkh cca y
nh durbu v ikwq
u qbcrk yta jn h
mbte sprto wl i
su bhtu b svk e j
i acxah vwp iw e
sum odv gd uvf k
vyn dnf sh lbjo
se jgqo fqb gdu
n akbcp nmsjk e
syj jxj manru s
uqj llwl jcob w
cre puky dae k o
t de o v lilw dpf
px tpq dpp rvvy
wlq l vfc osnsl
ahrr mknk sbsl
e hxb xhwhv at j
h cr mwc bavf o o
jka s yad eue la
plp t cot i wtv l
kk rt fxpt jbd x
yv n y txlck vm v
xjm xopr gjkct
rgud tuc osq ia
llsh hgf o lfuu
cw kod otd d n hg
d np illp imjpx
wrobm yjrvw hn
f fkes yexis c f
nv sfiw bmb dlg
rx d nc lx yjmpn
eloi nx jq l cpn
x ndgv xjpdn mo
te tkr smnxw ef
sn bf udr gjnuv
ae bugn w dsqr p
y s axpn x ogxsc
a iv p emuy rtyv
o hri bhqv yuvx
ygks fjw bdbau
e sh cggti s yrn
b fov lxlh wmlg
qcpx aimx f r pe
n dh c b na u v cxu
u epre vebn vjj
f c cxr hwg bwio
d kfr whj fct we
vqcqn if oi w r w
kcx p rae no tfj
sa mnv addt yay
e hw vk vkv hys j
f vvjnk v iw wcf
y ebiuh pqlq ea
o v vjleg wlwux
ljydi kddd ss c
qec iyqh k qxgo
lmb hqc eesp jd
yvn wqri onmjs
nh h wj ox x ghfe
n ivcn sn bbkx m
r wk ltbac kq hp
erq rtoip fvoo
p vhwy iluur yn
te hc mvmt qblk
wfgn uyq r q y mk
w vmm shph lc ov
b h yqfk ijkbf c
ufgg demuj d gf
ajd othk phph i
yioe b vxh s nr q
jwty vtu jhnwf
gnl c brhb ka yx
rqf nk lfxjs y s
meawt p dkboo j
woh mw fhego h n
wqs k vlgd vquu
q hby ehb jbg k t
c fpym dualo ph
c s uh ufqus twg
r ulhwr xmjar u
q pdrc othtn lm
xvv v rsbxj dsq
jm bf ceh kx so n
pr kfag hx r s uj
cg ui iaelb ajb
hd pa fsmx a t o y
uitb tud r c wwo
no krjqa crwrf
snot ay febcc j
hx yw uya knrba
d att x g exu q lc
axk ko wpfb wvu
v febja hhijv g
ec a jfq fjqjv g
h ub mpobo pivc
lcux bv xir jm b
axe sksbb v onr
fqc chsdo pjem
q kqtms isjp fn
d lfpqx uubdv g
j wi bmsk swli r
w eyg l q s ypg x o
da jpth wnskf n
kfvh mhqu gsxn
f mbmwp dlnb ku
tc ikqa jsj iey
cr peudr hgev h
lvr dgv f smf ns
nnh ite twyh um
c yideu bd j tuw
vg end fxcau b a
woc nspu g rq qm
n fel bfjb t tr r
pbkx q ysud vmh
pm vem hm sowx m
xki niuwq spxx
y ul l rba na bpi
y hlj bk f y pmc a
d ywbwv w ij aos
g o ggjto gntef
obayl i sxj tyi
uk gd dlw mcujm
nd vku

VANILLA ICE

Second prost, homiez!

Eminem's mom says hi (from under my desk).

VI

Re:VANILLA ICE

Yup Yup!

Another way

[poiuyt23]

The other way to keep your computer secure is to run it in access mode standby mode.

Re:Another way

I keep my computer secure by keeping it powered down.

Re:Another way

What is "access mode standby mode" supposed to be?

Re:Another way

I usually wait untill the IDE cable wiggles lose on its own. Once it does that no one has access until you plug it back in. Fortunately, even with the cable loose, everthing that was originally configed was still running/working.

hey its.....

frosty pist

First post

Haha

Found in Google archives

[October_30th]

Q: I'm constantly horny. I'm always cruising and fanaticizing. I've masturbated at least twice a day since I was 14. How much is too much? A week ago, I had so much fellatio, my penis started to hurt. Towards the tip, it's swollen slightly on one side now and it is sensitive to touch. (I'm cut). I can feel some lumpiness under the skin. This was not rough sex -- just a little intense. Should I see the doctor or should I just avoid getting erections and stop masturbating for a while?

Yours truly,
Rob Malda

A: This is one question that I am happy to answer because there is no bad news. You can masturbate as much as you want. Your body will tell you if you are too tired by lack of libido or inability to ejaculate.

Now for the second part of your question. Oral sex -- especially if it is vigorous -- can irritate the head of your penis. In addition to skin irritation, you can develop small blood clots in the head of your penis (like a hickey) from the suction. Don't worry, it's not dangerous. If it is still sore, warm compresses and aspirin or Advil will help it go away faster. If you have a skin irritation, try a very mild hydrocortisone cream available without prescription in your pharmacy. If the problem persists, go to a doctor for an evaluation to be sure you don't have an STD.

Re:Found in Google archives

dude, that wasn't a very good troll, you said that he's getting lots of oral sex, that's probably a hell of a lot better than you're doing

Re:Found in Google archives

[October_30th]

Please stop posting anonymously, Rob.

Re:Found in Google archives

[neal+n+bob]

if you think katz blowing fellating you is good, you should become a slashbot editor. katz will suck until it hurts, then taco-snot you.

Re:Found in Google archives

[October_30th]

Has he stooped to TacoSnotting already? Geez. The last time I heard of him, he was still into "Juicy Douching"...

Works for me...

[Rorschach1]

Though I usually just use the power switch. Can't beat a powered-off firewall for security.

Re:Works for me...

[Jonny+Ringo]

I actually just light mine on fire. It just makes sense, than once the fire catches to the cords I know I'm secure.

Re:Works for me...

[leviramsey]

I actually just light mine on fire. It just makes sense, than once the fire catches to the cords I know I'm secure.

But it's a firewall. The flames can't go outside the box!

Re:Works for me...

[shogun]

But it's a firewall. The flames can't go outside the box!

Hey its fine if its on the inside or the outside of the case, but not both.

...and? We do this all the time

[TicTacTux]

See floppyfw. Does not even *need* a HD to boot. Floppies can be write-protected. Even an old 486 will do that trick.

Amazing what queer pranks people invent in place of a rather obvious solution...

Re:...and? We do this all the time

[moonbender]

This solution is more secure than a floppy would be. Write-access to the flopy can be forbidden, but all the other processes and security holes remain as possible targets.

Re:...and? We do this all the time

[DodgyGeezer]

That must be like Coyote Linux. What a great solution! Even if it does get rooted, one doesn't have to worry about trojans after rebooting.

Re:...and? We do this all the time

[gid]

Yes but you could potentially combine the two methods, use a floppy to boot up, and after the system is up and running and the custom firewall config file is read, go to run level 0 and eject the disk just for fun. :)

Might be a fun feature to add to floppyfw if it isn't already (which it doesn't sound like it from skimming over the page).

Re:...and? We do this all the time

[TicTacTux]

Why? That whole system runs in runlevel 0. No user accounts, no login, no getty, no daemons - just the bare kernel plus an open console.

Disadvantage: You must employ your weary bones and walk over to do some maintenance...

Re:...and? We do this all the time

[moonbender]

No need for a floppy drive, even, boot the firewall remotely over LAN. :P All the system would need would be CPU + NIC + 4 MB RAM (graphics? who needs 'em!).

Re:...and? We do this all the time

[morcheeba]

Yeah, all one has to worry about is that machine is used as a proxy to break into all local machines; running with a rooted firewall is just as bad a running without a firewall. You could still run local processes by remote mounting some drive on the internet.

Re:...and? We do this all the time

How would you go about mounting this drive? If all it needs is on the floppy, it doesn't need nfs,smbfs,(othernetfs) installed in the kernel. And to make it safe, you would not compile your kernel with the ability to mount modules.

Re:...and? We do this all the time

[superdk]

you know, some hard drives have a jumper on them for hardware level write-protection

Re:...and? We do this all the time

[gid]

Dang, why stop there, write something in ASM and flash it right on the bios. Wasn't there a linux bios project awhile back? :) I wonder how much progress they've made.

Re:...and? We do this all the time

[Deadplant]

you miss the point, this is halted system, not just a system with no drives mounted. I other words no user processes can start at all. It is therefore impossible for a virus to run, the only kind of exploit possible would be one that directly exploits a flaw in the kernel (a fairly rare thing). and beyond that, it would probably have to be an exploit designed for this kind of system specifically since most exploits assume it's possible to execute a process (like a shell, or an 'rm -rf' or something)

Re:...and? We do this all the time

[linzeal]

Can't you just "yank the pins" that are used for writing? Especailly if it is only a 1-2 gig drive and will only be used for this task.

Re:...and? We do this all the time

[nolife]

I use Freesco on a DX2/66 with 16mb (no HD). Remote interface through thttpd, DHCP server, caching DNS, support for DynDns, time server, multiple NIC's and/or diald and dialup, all on a 1.44 floppy. By default, the logging is not very robust but it works fine for what I am doing.
You can do similar with the LRP

Not that the method the story describes is not good, just there are configurable alternatives to balance security and ease of use.

Re:...and? We do this all the time

[karnal]

but in order to mount a remote drive, you have to use a user process... am I right?

You cannot run user processes on this machine. Not even root. Besides, the disks are inaccessable.... where would you get the "mount" command from?

Strike me down if I'm wrong....

Re:...and? We do this all the time

[GreyPoopon]

Dang, why stop there, write something in ASM and flash it right on the bios.

Or go buy a LinkSys router with NAT and IPSec passthru. :)

Re:...and? We do this all the time

[bfree]

if your going to go to this much trouble would you really let it run a kernel which had the capability to mount a hardisk?

Re:...and? We do this all the time

[tricorn]

Y'all know that a halt() call that specifies a non-powerdown halt is basically a no-op, right? I mean, it does check that you're running as root, but then it does nothing:

From linux-2.4.14/arch/i386/kernel/process.c

void machine_halt(void)
{
}

(the machine_power_off routine also does nothing unless there is a poweroff function enabled; since, the halt isn't actually doing a poweroff (or it won't be doing a good job of routing after that) it presumably isn't set).

All that's being done by the process desc ribed in the article is a) bring down all running services except for the network; b) make init wait to die (I haven't looked at init to see if it waits for a normal ctrl-alt-del interrupt, then do a reboot, or if it just sets the kernel to handle ctl-alt-del and reboot all by itself). It doesn't even kill all other running processes that might be running, just the ones that were started by init (e.g. getty) and processes that remain in those process groups. If someone starts up a background job, it will still be there. There's nothing magic about run level 0 - it is just a convention that init uses.

Not all drives are unmounted - the root device will still be mounted read-only, maybe /proc and other pseudo-file systems will still be there. init is still running. This is a lower level of security than starting the kernel up by running a shell script that enables the network and ipchains, then sleeps forever. You could even have that shell script leave you in a plain old shell if you want to do be able to do something else (you'd have to know how to mount filesystems and remember to unmount them (since init won't be running, you can't just do a simple "shutdown" anymore), etc).

Here's an example script that might be used. Start it by passing "init=/netstart" (or wherever you put the script) to the kernel when you reboot:

#!/bin/sh
mount proc /proc -t proc
mount -o ro /usr
/etc/rc.d/init.d/network start
/etc/rc.d/init.d/ipchains start
umount /usr
exec /bin/sh

If there's a hole in the TCP stack itself, or in the IPchains routing, that opens up some vulnerability, it doesn't really matter if there's a simple /bin/sh running or not (if you really want to be secure, have the shell script exec a simple C program that checks to make sure it is PID 1; does a kill(-1, SIGKILL) and then sigsuspend() in a loop; now you're safe unless someone's hacked your kernel, libc or compiler).

I note that in 2.2, if process 1 exits, it kills the kernel; in 2.4, it gives a "Kernel panic: Attempted to kill init!". In either case, the effect is the same: ctrl-alt-del is disabled, and the kernel stops routing packets.

Re:...and? We do this all the time

[Luke+Marsden]

I don't think anyone's mentioned the possibility of running this kind of system off a CD. You could even use a rewritable disc but install a read-only drive in the firewall.. relatively easy maintenance.

Re:...and? We do this all the time

[acoustix]

The only problem there is that a write-protected floppy provides you with a false sense of security.

When the data is read off of a floppy it is stored in the RAM while its functioning. A hacker doesn't have to be able to access the floppy to corrupt the system. He only has to change any of the processes that are running in the RAM.

The idea of write protecting the floppy does add more protection, but doesn't solve all problems.

Re:...and? We do this all the time

[aminorex]

Nah, just use serial console, and connect it to
a terminal server.

Also, I would turn on swap. You don't need to
mount any FS partitions to mount swap.
.

Re:...and? We do this all the time

YOU TRUST THOSE THINGS ? You're a bloody fool.
But we like fools.

Re:...and? We do this all the time

that would be great!!!

then all i'd need to do is crack into the server your firewall is booting off of! (or, pose as it and have your firewall boot with my rulesets)

Re:...and? We do this all the time

LOL. Who said I trusted them? No thanks. Besides, I had a spare older computer lying around to set up my firewall on. Wasn't worth spending the money on the Linksys. Although if you're just setting up a network for the first time, the LinkSys router with NAT and Wireless LAN looks interesting. Not sure how secure it is, though.

Re:...and? We do this all the time

[DavidTC]

Yes, but at least you don'thave to worry about cleaning up the disks after you've been hacked. You just take the disk to another machine, modify whatever let them in, and reboot the box. No reformat, no reinstall, no nothing, you just have to figure out who they got in, close the hole, and you can keep using the same disk.

Re:...and? We do this all the time

[nenolod]

There are a few limitations to a firewall-based BIOS, for example: What if the linux kernel does not support your hardware, i.e. cable modem or other internet access device. This can lead to serious problems. Also, a device such as this has already been made, but instead of using a bios rom patch, it uses a firmware chip, but required great modifications to the operating system to boot from the firmware. Also, the BIOS is key to the operation of the computer, and to flash an OS to it, could potentially fry your computer, and will most-defininitly damage your motherboard. The linux bios project you mentioned was also relating to firmware, but not hardware.

Re:...and? We do this all the time

[morcheeba]

I was replying to a suggestion to use a floppy-based firewall that ran un-halted, and not talking about the halted version. We're in agreement; there are advantages to running halted.

FfiIrRsStT PpOoSsTt

First post, will robinson.

Er, aren't there better ways to do this?

[oGMo]

This might be fine for a firewall whose rules never change, but if you want to actually do something to it, you can't have it halted, and rebooting will just cause downtime.

Why don't you just run with drives mounted read-only, or have everything copied to a ramdisk? Surely you can verify a rule to allow remote access from only certain locations if this is your problem, or even require serial console access.

Re:Er, aren't there better ways to do this?

[gid]

Well if you have drives mounted, even read only, then someone could potentially get in and bounce off the firewall to attack another machine on the inside of your firewall using processes and utilities on the drive that you mounted. Whereas if you didn't have the drive mounted to begin with, then no one could get in, even you! And that's the point.

This definitely isn't a method for everyone, it's for really paraniod, stable networks that don't change. If your network doesn't fit this description, then your way might be the next best thing.

Re:Er, aren't there better ways to do this?

[gorilla]

You could have two firewalls, one with the current configuration, and one being preped for the next configuration. When you are ready to change them, just flip them.

Re:Er, aren't there better ways to do this?

[Junta]

Of course mounting drives read-only, operating out of a ramdisk is still not as secure as this approach if you can afford a very static set of firewall rules.

In this state, the system is incapable of even offering a shell without a full reboot. Once you give it the ability to offer a running process to hijack and potentially have a shell open, the read-only mount only lasts until the equivalent of mount -o remount rw is executed, and then all bets are off. Same of a ramdisk (unless the ramdisk has no ide driver or whatever). But in any case a danger in having it so that you can change firewalling rules is that if they get in, *they* can change rules too.... So, at least in theory, a halted firewall is more secure than even the most anal tactics along the lines you describe. Of course, the chances of an exploit being so severe as to offer root shell is remote, but you can never be too paranoid in some cases.

All this being said, if you have a system dedicated to firewalling by itself, and you are worth your salt as a network administrator, setting up a tight firewall is child's play. If it is coming down the input chain and it is not coming from a specific address range over the correct interface, drop. Maybe allow ssh if you critically need remote admin capabilities, but if something goes wrong with your firewall, you probably need to be there in person anyway.

And if someone untrusted can get into your network and come over the trusted interface into your firewall, well, your network has a lot more problems than a less than perfect firewall...

Re:Er, aren't there better ways to do this?

[garcia]

it also doesn't support any program that needs user space to run (ie DHCP and the like). He said it would not be good for those having dynamic setups (most users AFAIK).

nice idea but little use for most I would guess.

Re:Er, aren't there better ways to do this?

[spencerogden]

Couldn't set up one box to handle dynamic connections, and then put this behind it? It would be extreme, but this is an extreme technique for the extremely paranoid.

Re:Er, aren't there better ways to do this?

[jmv]

Once you give it the ability to offer a running process to hijack and potentially have a shell open, the read-only mount only lasts until the equivalent of mount -o remount rw is executed, and then all bets are off.

True... unless you write a small module that, when loaded, prevents and filesystem from being mounted read-write. That, plus a boot passwd to prevent reboots insures that nothing gets changed in case of attack.

Re:Er, aren't there better ways to do this?

[liquidsin]

that's what I thought too. not sure how complicated it could get, but I was supposing you could have one normal firewall handling your dhcp/pppoe (for us dsl users) and then the halted firewall behind that. it's settings would remain static, so even if someone got through the first firewall and got root, they would have nowhere to go from there but to the runlevel 0 box.

Re:Er, aren't there better ways to do this?

[debiansierra]

my thoughts exactly, how about a SmoothWall up front and a halted firewall behind?

Re:Er, aren't there better ways to do this?

[marx]

True... unless you write a small module that, when loaded, prevents and filesystem from being mounted read-write.

If the attacker has root, then he can just unload the module.

Re:Er, aren't there better ways to do this?

[ADRA]

All of these assumptions have been that "if a user hacks in", but doesn't really delve on the issue.

They get in from a program misconfigured / bugged, or a kernel bug.

Theoretically, if you want a secure firewall, you won't be running services off it. Seems logical enough. I run ssh, and I still concider that safe enough for my needs, but oh well.

Now, if there are no programs running, which would also be the case of the poster's comments, it still will not protect the machine from kernel attacks. Whatever technique they use, they will find a way in eventually.

So, with a kernel exploit, the hacker can insert code into the kernel directly, hence having higher-than-root access to the machine. They have to be smart enough to write kernel code that actually does something, but if they are smart enough to exploit kernel bugs, then they should be smart enough to do whatever they want from the kernel.

So in effect, the proposed solution, although "safer", is effectively useless, pointless, a waste of my time ;-)

Re:Er, aren't there better ways to do this?

[dpilot]

Or just run "lcap CAP_SYS_ADMIN" to drop mount
capability. Unfortunately, you drop a bunch of other capabilities too. While you're at it, run "lcap CAP_SYS_BOOT" to prevent reboots, and "lcap CAP_LINUX_IMMUTABLE" to prevent those immutable and append-only attributes from getting changes, "lcap CAP_SYS_MODULE" to lock your modules in place, and prevent further loading, and "lcap CAP_SYS_RAWIO" to close down /proc/kmem. There are more things you can remove from the kernel capabilities bounding set to lock your system down.

Of course, by the time you're done, your system is about as easy to administer as if it were halted. Not to mention log rotation requiring a reboot.

Re:Er, aren't there better ways to do this?

[joshsisk]

So in effect, the proposed solution, although "safer", is effectively useless, pointless, a waste of my time ;-)

I bet I could find a way to break in to your house while you were at work, if I wanted, no matter what preventative measures you put in place.

Does this mean you don't lock your door?

Re:Er, aren't there better ways to do this?

[drodver]

Better yet is if you setup your halted firewall as a bridge you owuldn't need a second firewall, just another regular server behind the firewall doing whatever it is you want. The regular server won;t even know the firewall is there.

Re:Er, aren't there better ways to do this?

[ADRA]

Your analogy is uselessly misrepresentative.

I am saying in a proper firewall conifguration, a hacker can never get to user space without going through the kernel, which is pointless, because if you have kernel access, who the hell cares about the userspace at all?

Re:Er, aren't there better ways to do this?

[jmv]

Well the first such a module does is preventing loading/unloading of modules...

Re:Er, aren't there better ways to do this?

[wtarreau]

the read-only mount only lasts until the equivalent of mount -o remount rw is executed,

My home firewall has a read-only root which you cannot remount read-write because the filesystem doesn't support read-write and is compressed (cramfs). The config is on a read-only fs which I remount rw when needed. System updates are a bit more difficult, but at least I cannot have a binary replaced with a rootkit. (forgot to say that /etc is noexec BTW).

Willy

Re:Er, aren't there better ways to do this?

If the attacker has root, she can just mmap /dev/kmem and remove the module forcibly.

Re:Er, aren't there better ways to do this?

[joshsisk]

I was really referring more to this sentiment, along with the previously quoted bit:

Whatever technique they use, they will find a way in eventually.

Should have quoted that as well, sorry.

Re:Er, aren't there better ways to do this?

[liquidsin]

the thing is, I want to be able to use pppoe. would the halted firewall / bridge be able to do that? I'm thinking this could turn into a fun project with some old spare 486's.

Re:Er, aren't there better ways to do this?

[drodver]

A bridged firewall has no IP, it is only capable of filtering packets and no normal network services will work properly. So it would be transperent to your network with the exclusion of whatever packets you choose to refuse.

Re:Er, aren't there better ways to do this?

[compuserf]

With no drives mounted, there are no logs. Unless you can dump it to a printer.

Re:Er, aren't there better ways to do this?

[rew]

Why don't you just run with drives mounted read-only, or have everything copied to a ramdisk? Surely you can verify a rule to allow remote access from only certain locations if this is your problem, or even require serial console access.


I like the fact that my firewall logs "breakin attempts". If for instance I intend to open up my "ssh" port but the "last week" shows lots of attempts to talk to my ssh port, I know that something is going on, and that I should reconsider the decision.

Roger.

Re:Er, aren't there better ways to do this?

[DavidTC]

Gah, all sorts of silly idea on how to make a person be unable to mount a drive RW. It's called a hardware jumper, people, and it's on most hard drives. We don't need to get all convulted here with kernel modules and whatnot.

If you were really clever, you could find an old case with a turbo switch, and hook that up to the read-only jumper. Tada, to write to disk you have to physically turn the turbo button off.

And, yes, as far as I know you can remove and add the jumper while the drive is running, but if you can't you can easily power it down in linux with hdparm.

Re:Er, aren't there better ways to do this?

[dpilot]

It doesn't drop existing mounts, just your ability to make new mounts or umount. The logfiles are already in place and working.

Even better...:)

[RampagingSimian]

• Run your system in a halted state; lemme see Joe Scr1pt0r root that!.
• Post a link that says "Hack my l33t firewall!" [as seen in a clever .sig].

:D

Re:Even better...:)

[jakobk]

What most people seem to forget: 127 is a class A network - sixteen million fake IP addresses!

Truly Insightful, MOD PARENT UP!

[DonkeyHote]

g pts h rawmp vb
uptj i j ijgh lm
y naw gbju hbki
tv i r s qhuj mpx
mu dmwkg ntqf p
iyf nbna y nvdd
a n aps tueo puj
jv k fsbi g ivkf
f hlk csk ngeb a
b l dy x btiro xu
ehr kc e cjk yye
kcrg pal ny bqs
f evm e sb rxft h
i mst rrm dcsp y
lcnc f uhlb elt
h eok gegos pcd
y cxfbc bf rrqq
fv fddo qcp udh
en pia myj gkcy
q e w ebeq hthrs
smpey ss hwc wq
j ahnea d ojqe g
me efrhj soyeh
flhje ddkuc rh
m ddupa qcnom t
wqf mxm d hjn df
bhe h vjh aa inp
l pirkw pfge p n
hr gtj ylmo av p
o is gh ykmpo jm
yej igr rwfkk m
dkl iruw iugdr
gxo qgt k bybgx
f qokm k nllpu j
ha f rxkx ymbe n
pa cndw ei ujkw
v vulpq m mq hxh
dw y wlj sou j vm
ddl l qrpfy hm o
gg oae ykrrk rs
ed qdi njc m q f g
dhym rfd dggf b
qvi ai p xpuj lp
fyo wyo v hq pv o
bu wpr mscbe c n
vumb ir p wb lxf
ue h uqf m uvi vb
kdg nxm u qosw m
hikjn lncc myi
nld garw epn uq
jo wrvpr kygqy
oado li dvg fj d
kiacd nrdb nt g
sq l aya ccmrn o
gyl bo ektgc gf
gaup rp idqk kk
huxax kled aol
oi u f yhtx vl yb
dlh epmwv j p i e
fb xc uu ml a rl t
jm p afbvv qbdv
r o uo rqr lq tp k
cbfg q mepl dmh
lbo gdfo qslm i
ljk itdtl qrg o
pdi do fto dc jo
b nvnc bxc rnxw
k b gjvjg esrm q
y s bvca wyvs vc
bdxfg djrwv tp
w rt c k yv dbp cd
bet wiplm ew m w
hl fq stmj xe m e
wiq yfhv pn vpb
tluv nc xx u kvd
pt vvbxg pout b
o hksjr r kb g l e
skff ad crc j kk
bpl jsf ywct vu
s u nuqe p nri sx
f rc jpi xd gd iw
bs ota ybvi fd m
ntjq oi oh yyrw
o km u ifd pb fy k
kjkf qjibk tyh
un bp g txvij q v
f kbsgh ymueo i
nki ld f up rfdv
mdgna amj qo a y
kfl qae fnp kh u
kartp mpk slfu
fcoj qjyt w u av
arh m nd phdxl j
r wpc l fydae ll
yjy im blc x d fv
w n aw mv pb giul
dbe ewofd m nwt
ad ob sqkho gku
nt h r gclew xc j
fx hidv cld b fj
jvibg rltsf as
y pit d kcg eu lm
cvv cxyim kl g c
glpq g tw b m gym
intce qkjx pxl
boxl gn n ig fef
k nkb vuado bb v
inswy tecym mv
d hq edkp ca rhp
ka i iruf j wj hv
sb kdfg xwy t u c
tbdr f y mk ebt v
ktqe vscy thcm
k hpiks eu hk ed
j iermr vfl enc
lb rpr guu y s c n
nakh dh x ouva q
uq m fdo bp sp jy
ul vrtc ffotj o
ho mfidt ixer f
mmcp pi yw nkld
q erwq to jll wv
gnbk akf mbo lo
fs gmdhc hoyud
gioi segrd omq
anf qgtfu op gx
ac vckn dbkx ue
is ckhb yguu jt
r n aab b joca d m
tyvi lq xtjs jo
mvlg beo o rdij
oj jijrt qfumu
puurs otcn vxy
ey h ng qg a fcla
v ivn gl fucq wv
m meu udpq mcqs
p ubjj qtqud ku
dur kouql mrcj
kdr cbfvi gb h p
iy vc cbgvp pok
eh a xyp nb wy hj
rk nmhss pjaxa
sweh yb xl bp fp
r mg vqx yleji d
llx y y mqu tekf
h gr d nh b tq nl x
whfa uhi jdfl d
uek nq wcl wd rp
u g vhhf tqd w m l
g paymk kfypv e
denw fw ud jqsg
kobsq stlpw l s
s p wio lsn k i u p
jlx bavxk okl d
ahj tr yx hpk r o
xtyp tnkla h iy
y u aw qyjwe dc u
kn nt pxhgc nmj
i pa iq jam n kf n
u qk aigli rre k
v jykdh hj n vf w
fclqs ad m qngk
j i y cbjac qspv
by oydh ophw c e
u e kss ykmfn tn
b xmrge eoa if c
qlgl rpac bvd u
phki dhw h wlcl
c abouw mws i am
l ybkys x ghkn c
cue wvxsc d tp u
ucqo k qyd goi w
ycju jywox fqg
u p kd vhvef mp v
yon d wbon ylx i
fpgk je t wyfc r
noj vop gmod v u
pkka syen lyd s
t yxl n oaxuj f l
p rn r glky yth y
dvaq vdj tnbvm
p cnokd l tip jk
i jbqyx uqvd jp
ovf j f d x sg yjx
h rckjt ffg frl
os kat qe w ngkf
fyojx gslxm pj
x m qqt ckqmm oh
p gu kg fqlc nwr
a

Replace INIT

[Skweetis]

I used to run my ipfwadm firewall kind of like this. I replaced INIT with an ipfwadm replacement I wrote that read ipf style rules from a config file and applied them to the kernel chains, then suspended. This was all on a ramdisk. It worked pretty well, although the ramdisk had to be replaced to change rules, which was kind of inconvenient.

Another interesting consept: Invisible Firewall

[bob@dB.org]

introduction from http://www.openlysecure.org/openbsd/how-to/invisib le_firewall.html

In the stone age of firewalling, a firewall was a fairly complicated device that was less-than-trivial to factor into your network. It needed an IP address on it's outside, and another on the inside. This immediately created subnetting problems, forcing wasted IP allocation and overall disquietude amongst the cognoscenti. It also meant that your firewall was very visible to the world, and its function was rather obvious and easy to deduce. There had to be a better way. And now there is...

Dream with me for a moment: A black box, shimmering in the soft LED-green glow of the network cabinet. You take the network cable from your router, which previously went into a switch, and stick it in one of the snappy plugs in the back of the box. There's one more plug on the black box, so you grab another cable and hook the box up to the switch. You step back, and suddenly: everything looks the same. You go to all your computers. As far as you can tell from inside and outside the network, the box doesn't exist. It does nothing. A few minutes later, you have a monitor and keyboard hooked up to the back of the box. You quickly and easily begin to tweak a file that gives you fine grained control over access to your network. You shut off all access to your mailserver from the outside world except on port 25.

Re:Another interesting consept: Invisible Firewall

Bridging firewalls have been around for quite a while. I fail to see why you are so enamored by this.

Re:Another interesting consept: Invisible Firewall

[douglips]

The problem with that is your LAN needs to be all on routable addresses. NAT won't work if the firewall has no IP address...

For exposed servers this would work well, not so much for the 18 Windows boxen you have Joe Salesguy using.

Re:Another interesting consept: Invisible Firewall

Because Theo whispered it into his ear as he gently slid his member in.

Re:Another interesting consept: Invisible Firewall

I suspected it was something along those lines, but I just wanted confirmation.

Re:Another interesting consept: Invisible Firewall

[Chang]

Who says the firewall and the nat have to be the same box? Just because this is usually one device doesn't mean it must always be that way

Re:Another interesting consept: Invisible Firewall

[wilton]

Just have two OpenBSD boxes. The 'outside' box is an invisible firewall. Inside that you have a box doing NAT.

I ran this solution at previous employers, and had IPSec VPN, NAT, ipf, port forwarding on Windows Terminal services, SMTP, web etc all running very smoothly

Re:Another interesting consept: Invisible Firewall

[KillboyPHD]

The problem with that is your LAN needs to be all on routable addresses. NAT won't work if the firewall has no IP address

Not a problem, so long as that "switch", between the internet and which is the "Invisible Firewall", is one of those newfangled NATing "DSL/WAN" switches.

Re:Another interesting consept: Invisible Firewall

[ADRA]

Ummm... Those newfangled switches are just as insecure as a tight firewall. Instead of hacking a PC firewall, you are just hacking an embeded-whatever firewall.

Re:Another interesting consept: Invisible Firewall

[Phil+Gregory]

Tom Limoncelli presented a paper on this exact subject a few years ago. It's entitled Tricks You Can Do If Your Firewall Is a Bridge and covers a number of useful things you can do with bridging firewalls.

--Phil (My firewall is just an OpenBSD box. I like it that way.)

Re:Another interesting consept: Invisible Firewall

[funky+womble]

Surely you can NAT using an address which is not assigned to an interface?

Re:Another interesting consept: Invisible Firewall

[Rick+the+Red]

Here's a thought -- could you do this with 4 network cards in one box:

net0 == firewall's no-IP link to your ISP
net1 == firewall's no-IP link to the router.
You do the invisible firewall thing between net0 and net1.
net2 == router's ISP-provided public IP link to the firewall.
You run a crossover cable from net1 to net2 to connect the "firewall" to the "router".
net3 == router's private IP link to the internal network.
You do the NAT between net2 and net3.

One box thus acts as both the invisible firewall and the NAT/router. Feasable? Stupid?

Re:Another interesting consept: Invisible Firewall

If the router Joe Salesguy faces has a private address on its internal interface, and the bridging firewall is between that internal interface and Joe Salesguy's machine, it works fine.

Re:Another interesting consept: Invisible Firewall

You could do all this w/o the additional hardware through loopback net interfaces.

Re:Another interesting consept: Invisible Firewall

[karnal]

I would think since you still have an IP address on that box (since there are multiple cards in the box etc) that the possibility of it being hacked is much higher than just having a seperate firewall box....

I could be speaking outta my butt tho.

Re:Another interesting consept: Invisible Firewall

[Rick+the+Red]

So you're saying it's both feasable and stupid? :-)

Re:Another interesting consept: Invisible Firewall

[swb]

You would think so. FreeBSD's natd can rewrite to a specific address rather than the named address, but there was nothing in my cursory inspection that said it could do so when operating in pure bridged mode.

Re:Another interesting consept: Invisible Firewall

[Rick+the+Red]

After more thought, I agree. If you put an IP address on the box, you (or, rather, I :-) miss the point.

Still, doesn't the idea that you could hack the router if it were the same box as the invisible firewall imply that you could hack a separate router behind an invisible firewall? In which case it's not much of a firewall, is it?

I think I'll stick to my 'standard' firewall and not try anything exotic like halting it or making it invisible. I think just having a firewall makes me more secure than most folks, anyway. Lot's of people (or bots) "jiggle the doorknob" but so far nothing's made it in.

Re:Another interesting consept: Invisible Firewall

[funky+womble]

FreeBSD's natd can rewrite to a specific address rather than the named address

Right, I'm doing that at the moment.

but there was nothing in my cursory inspection that said it could do so when operating in pure bridged mode.

Hmm, maybe still worth playing with then - I haven't played much with pure bridging yet. Still, at least on *BSD we have securelevel=3 which at least requires activity at the console to make any changes (assuming all scripts and binaries run before the securelevel is raised to 3 have been set "chflags schg").

Re:Another interesting consept: Invisible Firewall

[evilviper]

It would actually be more secure to have an invisible firewall than a normal one.

I wonder if doing it through the loopback would be possible-I've never done loopback on anything but the IP level, but that's despite the point.

In order for the packets to get through to the NAT box / internal network it has to go through that packet filtering bridge first. That means you'd be able to filter out all the abnormal packets, before they reach any machine with an IP address that might be confused by them. This would be an improvement over giving the world the ability to ping and connect to the firewall directly.

With a stealth firewall... you can't exploit the TCP/IP stack, PF/IPF as easially, or any running network apps (SSH). Just think, even if the nearly impossible happens, and a packet payload that exploits the stealth firewall, what would you do with it? You might crash it, but you can't have it listen on a port to allow you to connect... Even if you are able to get to the internal network, you won't be able to connect to the firewall box and modify the ruleset.

Which leads us to why it's less secure to have an IP address on your packet filtering bridge. If they can get through AND find an exploit, then they can connect to the firewall box and modify the rules.

When was the last time you heard someone say their systems were 'too secure'? If you don't have the resources to impliment this scheme, a normal setup is much better than nothing at all. And to tell you the truth, I'd feel more secure with a default OpenBSD installation (perhaps shutting off sendmail) with Packet Filtering & NAT enabled, than I would on a write protected & halted Linux firewall.

Re:Another interesting consept: Invisible Firewall

[sraak]

Invisible firewall operates lower levels in OSI, so it could be quite hard to "make" or force it to do decisions in upper levels. You can always write new modules to kernel, but i can not.

Re:Another interesting consept: Invisible Firewall

[evilviper]

To what are you refering? The invisible firewall in question is a 'packet-filtering bridge' which does indeed do all of it's filtering at the network layer.

3 way?

Cann't you also hash you ack with the syn as the key so that you don't have to keep the handshake local and can maintain a stateless connection? Less chance of being overwhelmed in a DDOS?

Difference betwwen this and Read only media?

[raumdass]

Interesting article, but I'm wondering what the benefits are of running IPCHAINS (or whatever) at init 0 as opposed to running a stripped down linux distro from read-only media or a RAM disk?

Re:Difference betwwen this and Read only media?

[anti-snot]

Difference is, even with read only media, an intruder can still do what he wants in memory (although rebooting will wipe it clean). With this, there is nothing running but the kernel and kernel memory... not even a ramdisk to fiddle with.

Re:Difference betwwen this and Read only media?

[raumdass]

aahhhh. duh.

thanks.
~raum

Re:Difference betwwen this and Read only media?

Why is being able to fiddle with the kernel safe, but being able to fiddle with a ramdisk unsafe.

I think you have it backwards.

If you can fiddle, you can fiddle.

And if you can fiddle with the kernel, you change the config of the firewall even further.,

Re:Difference betwwen this and Read only media?

[sjames]

Difference is, even with read only media, an intruder can still do what he wants in memory (although rebooting will wipe it clean). With this, there is nothing running but the kernel and kernel memory... not even a ramdisk to fiddle with.

There's nothing special about kernel memory. The real security is in the fact that there is minimal code running. Less code= less bugs = less opportunities for a security related bug.

The same effect can be had (with better versatility) by writing a small and thoroughly audited control program, and disabling disk I/O, exec, etc by loading a kernel module after booting. Naturally, the simpler the control program, the more secure you're likely to be.

Other neat tricks might include having the control program only communicate through a non IP ethernet protocol to a hardwired MAC address, and a watchdog which is pinged by a single threaded control program. It would be quite hard for an attacker to get any code inserted into that AND manage to keep the watchdog going. Bonus points for using all inline functions, not linking against libc, and staying off of the stack.

Re:Difference betwwen this and Read only media?

Because it is much more difficult to fiddle
with the kernel than it is to fiddle with a
ramdisk.

You could try something even more secure...

[Pengo]

http://www.openbsd.org

Re:You could try something even more secure...

[ajakk]

Or you could try not trolling and read the actual article. The author
talks about whether or not this could be done in OpenBSD as well because
of its good kernel level firewall utilities.

Re:You could try something even more secure...

*sigh*

First of all, since you're posting a link, make it clickable. Use HTML.

Second, the url should end with a slash, like this:

http://www.openbsd.org/

..and oh, stick to the subject.

You are powerless against

[Saint+Aardvark]

my army of Zombie firewalls! I shall RULE THE INTERNET! Hahahahahahahaha!

Logging?

[JimR]

Bit of a shame if you want to log any attacks
on the firewall though.

With no disks mounted where can you log it to?

Re:Logging?

[booyah]

Same place I log anyways

Dot matrix printer on LP1 :-)

try to erase THAT log :-)

-booyah

Re:Logging?

[Stary]

If you're seriously paranoid about it, get an old dot-matrix printer and hook it up as the logging output device. You'll have a logging device that nobody could alter no matter how compromised the system gets, without having to mount anything read-write.

Re:Logging?

True, I too have a dot-matrix printer here. These babys are give-aways these days, and are very efficient and hack-proof logging devices.

My printer logs all ssh logins, and interesting /var/log/-entries.

But, hey, I'm pretty paranoid.

Re:Logging?

logs could still be compromised. ever hear of a match?

Re:Logging?

[doorbot.com]

Bit of a shame if you want to log any attacks
on the firewall though.

If you can get this to work with IPFilter/PF you could use the "dup to" method to send the packet out a third NIC to a packet logging machine. Now you can have a transparent firewall, which is not accessible at all, but you can still have some logging features. One possible design for this would be two SBCs in a 1U case... one is the "halted" firewall and the other is the logging machine.

I don't know if this is possible with NetFilter or IPChains, however.

Re:Logging?

AFAIK, there is still not way to send physical objects like matches over a computer network. But then, I might be wrong..

Re:Logging?

If the firewall has been physically compromised,
logs are the least of your worries.

Re:Logging?

[geschild]

On a more serious and realistic note: I made the following suggestion to the maintainer of the Debian security FAQ.

Do logging to the serial port in syslog format as if is a serial connection. Do this on all your servers. Hang a multiplexer in the middle (perhaps you have an old one from the modem pool still lying around gathering dust).

On the multiplexer you hang a seperate box and make it's serial TTy's go to a syslog daemon. Can be a Pentium class computer. Give it ample RAM (some 32MB EDO-simms out of those boxes from 5 years back. You _did_ gut them for parts did you?), 1 HD for the OS and 1 for the logs, about 1 GB each should be more than enough. NO NETWORK. NONE. WHATSOEVER.

Depending on your needs you either hang a simple CD-burner in it, a simple CD-burner with a Lego robot to change your cd's (*cough*) or a real SCSI cd-changer of of a cheap scsi-card.

You log to the HD of that log-box. You run a script that does nothing but check the size of the log and perhaps how fast it is currently growing. When it approaches 600 or 700 MB you dump the log to CD-ROM. Depending on your needs and how fast the log fills you then make it page you when it runs out of CD's (changer) or out of space.

Takes less storage.

(If you really want the complete security of paper logs, at least get an old line-printer from somewhere. If your machine freaks out it will at least be able to keep up untill its paper runs out. No such luck with a simple matrix printer).

Re:Logging?

[Tycho]

Or to save some dead trees have another computer not hooked up to any network connected to a serial port on the firewall. The firewall would then direct all logging activity to this serial port. The logging machine would then direct all input from the firewall into a file. That way you could save yourself many sheets of paper.

Re:Logging?

[nerdsv650]

Logging to a printer or a serial port opens you up to DOS attacks. All your attacker needs to do is figure conditions generate the most log output and exercise that condition vigorously. If you are loggin synchronously your machine will grind to a halt, if you are logging asynchronously you will eventually lose data.

IMO

-michael

Re:Logging?

[Foxman98]

would be fairly easy...

see we have this thing these days....

it's called "fire"

i have portable "fire creation device".

commonly called a "lighter"

;-p

Re:Logging?

[cnvogel]

One could reverse-feed the paper and print all X's over it :-)

Re:Logging?

[lars_stefan_axelsson]

If you're seriously paranoid about it, get an old dot-matrix printer and hook it up as the logging output device. You'll have a logging device that nobody could alter no matter how compromised the system gets, without having to mount anything read-write.

Ah, kids today, no knowledge of history etc, etc, we had to get up three hours before we went to bet, ate a handfull of cold gravel etc, etc.

No, seriously, it's been done. In the days of yore, when a dot-matrix (or other line printer) was routinely used as a logging device (think mainframe, computer room and all that) there were still ways around it. The first and foremost trick of course was to send several kilobytes worth of formfeeds to the printer port. Sure, the admin would recognise something was amiss when he found a carton or two of paper on the floor, and the first few entries would survive, but that's would be it. And the admin wouldn't necessarily smell foul play, they're not all good, and shit happens.

However, a friend of mine, wasn't satisfied with those few first entries surviving either and more as a prank than anything else, instead decided to reverse feed the printer a few lines and then 'X' over them (actually he overwrote them with a semi random pattern). Rinse and repeat, then run the printer out of paper. Worked like a charm.

Then there was the incident whereby someone used his access card to enter a large office building in the Netherlands I think, and proceeded to carry off a whole lot of computers. Now, the access was logged, but the logging printer, which was the only output device, was located in a public access cleaning cubord adjacent to the entrance, he was sure to take the paper with him to. With a few thousand employees with access he (or she) got away clean. While that takes physical access or should never forgett that that's all it takes... You need to tech savy to rip paper out of a printer.

Re:Logging?

[Luke+Marsden]

Yes yes, but can a dot matrix printer keep up with the weblogs from a good slashdotting? :)

Re:Logging?

[Xenographic]

Why would *anyone* even try to erase it when they can flood it? Every printer runs out of paper [or ink...] eventually. Or HD space, for that matter...

Re:Logging?

simple...

/% daemon /usr/sbin/shred /dev/lp0

now you have to read tiny 1/4 inch wide stripes...

Wait... Nevermind.. you probably dont have a level 5 secure printer with automatic shredder built in...

Re:Logging?

[orius_khan]

would be fairly easy... see we have this thing these days.... it's called "fire" i have portable "fire creation device". commonly called a "lighter"

If you're going through all the trouble to get physical access to the room to burn the logs, why bother hacking in the first place? Just pick up the computer and walk out the door with it! wheeee

Re:Logging?

[ddstreet]

i have portable "fire creation device".
commonly called a "lighter"

especially on machines that still have dot matrix printers attached, it would probably be much easier to just use the Halt and Catch Fire instruction!

I figured this out in a much different way

[Binestar]

We were offering a linux-firewall, VPN solution to a hospital and turns out one of the machines we sent out had a bad token ring card, that mixed with an obscure bug in the Token ring driver, (Which has since been fixed) it would cause linux to die quite often. To the point where the computer would accept no keyboard input, would cease logging, and for all intents and purposes was a dead box. Yet the machine continued to route traffic and continued to function as a VPN.

Any listening ports were ignored, but the routing still took place. I never thought of it as a way to make the router more secure, but I guess in that way it makes since. It would really suck to have to completely shutdown everything to have to malke routing changes though, so I'm not sure this is the best solution for high availability router use.

Re:I figured this out in a much different way

[bfree]

Instead of shutting everything down simply have three boxes. At any given time one box is live on the edge of the network which is configured to simply switch all traffic between the two other boxes (thats a static config, it may take a bit of hacking to come up with a switching solution but it should be easy enough). The two other boxes are the real firewalls so you can update and test the new box and when ready signal the outer box to switch, then next change prep the other box. lather, rinse and repeat as neccessary.

Re:I figured this out in a much different way

[Trevelyan]

Yes i seen this, i got an old p1 on my net doing NAT from eth0 to ppp0 w/ simple firewall rules.
(Linux 2.4 IPTables)
what confused me was when it kernel paniced dumped a whole load of stack and register contents to screen and halted, dead
yet still continued nat

so i left and continued to read /. ;-)

but dont all the processes get killed so why did ppp0 stay up if pppd was killed ?

-Trevelyan

Re:I figured this out in a much different way

[Lumpy]

??? reboot for routing changes? all the time..

I rewrite my firewall floppy, change floppy press reboot.

If your users cant stand not having internet access for the 78 seconds it takes for a reboot then they need ritlain and a reality check.

Re:I figured this out in a much different way

[DavidTC]

If you're going to use more than one cmputer, you should just use two, and just quickly swap the cabling out.

NOT a recommended config

[peril]

The most interesting thing I see with this is why?

It can't be managed. It can't be monitored. It can't be logged.

This may be fine as a novelty, but running a network secured with such a hack is silly.

Let's talk about shutting down all userspace processes on a box except syslog and snort and I say you've got an interesting box.

OTW - it seems just like a game.

--Adrian

Re:NOT a recommended config

Yes as it is this is not very useful for general purpose filtering but, If you were to modify the kernel to output the log info to a "logging" machine and provided some known secure hooks to manage the ipchains then you would have a complete solution.

Re:NOT a recommended config

Let's talk about shutting down all userspace processes on a box except syslog and snort and I say you've got an interesting box.

I very much agree with you first point, proper managing and logging make your *network* (not just the firewall) more secure then the init 0 trick, But what if someone finds a bufferoverflow in the snort network packet parsing ;-)

Re:NOT a recommended config

[emmons]

Well, you could always assign the internal interface a local ip that's non-internet routable (eg. 192.168 or something else that the firewall would block). Then you could ssh into a machine on the LAN from anywhere and from that machine into the router. Ta da! Secure remote configuration.

Re:NOT a recommended config

[SilentChris]

Break a Furby apart to learn its internal electronics (and try to reprogram its main chip to speak curse words) = A hacking "experiment" with "great knowledge" learned by the experimenter.

Creating an invulnerable firewall that only needs to be configured once and will forever be secure = A "game".

?

Re:NOT a recommended config

[gaudior]

No, you could not SSH into the machine. sshd is not running, NOTHING is running.

Re:NOT a recommended config

[lw54]

If you had redundant firewalls, the part of not being able to manage it wouldn't be as bad. Compined with some network intrusion detection and you've made a rediculous idea somewhat entertaining.

Re:NOT a recommended config

it's not that true

Well, running snort on a firewall is not a good idea, IDS and Firewall should never be mixed on the same box. Syslog could be great but if you config your IDS correctly you don't really need syslog on your firewall... The best way to do this is to put the IDS on the mirror port of a switch on the outside and the inside interface of the firewall. That way you can identify packet have been blocked or accepted by the firewall and detect attack.

If you add to that, a switch that will do load balancing on 2 firewall (running at level 0) you could shut down 1 of the 2 firewall without affecting the availability and change the config.

So that way with 3 server(1 IDS and 2 Firewall) + some expensive switch you can run a very paranoid firewall and still allow it to be managed, monitored and logged...

No filesystem...

[YKnot]

Where is the log going without filesystems mounted or daemons running? Do you trust a firewall that much that you don't want to see if maybe some "interesting" patterns in traffic occur?

Re:No filesystem...

[anti-snot]

Put a powered up firewall in front of your powered down firewall, of course...

brilliant!

[Mr.+Slippery]

This is a very interesting idea.

It only works with firewalling that's inside the kernel - packet filtering and NAT. But what if kernel modules were added to handle some of the features now run in user space?

Indeed, what if kernel modules were added to handle non-firewalling tasks instead? Could a kernel module provide a useful network service? You start the machine up, it loads the kernel and "halts" but still provides the service. Something goes wrong? Just power cycle; there's no disk access, no way for an attack or malfunction to make a persistant alteration in the machine.

Re:brilliant!

[swb]

Indeed, what if kernel modules were added to handle non-firewalling tasks instead? Could a kernel module provide a useful network service? You start the machine up, it loads the kernel and "halts" but still provides the service. Something goes wrong? Just power cycle; there's no disk access, no way for an attack or malfunction to make a persistant alteration in the machine.

I think you just reinvented the embedded system.

Re:brilliant!

[clmensch]

Hah! That's what I was thinking.

Re:brilliant!

[mekkab]

How is the above message off topic?!

I hate moderators. I can't wait until I'm a moderator.

Not only is the above either A) contradictory or B) a great example of my own self loathing, but ITS OFF TOPIC.

please moderate me as such.

Re:brilliant!

[$0+31337]

If I were a moderator, I'd mod you to off topic ;)

Re:brilliant!

[ADRA]

Hosting services from the kernel is just as insecure as in userspace, but they now have full kernel access. Does ANYONE else see a problem with this??

Re:brilliant!

[bfree]

tell that to Linus, there is a web server in kernel 2.4 unless I'm very much mistaken! So who wants to run their webserver at runlevel 0?

Re:brilliant!

[Tony-A]

I'm still a newbie, but I don't think the stunt is restricted to kernel only. Just shut down everything that is no longer necessary to keep running.
Instead of Microsoft Window's install or change something and reboot, you have to reboot to install or change anything. You just shut down and turn off all the nice unixy tools for yourself and any potential attacker.

Re:brilliant!

[LogicX]

and what if the machine had a massive amount of ram 2GB or > and you created a ramdisk from which the kenerl httpd would read the content -- would the ramdisk die when in runlevel 0? can it be kept up? would this work?

Re:brilliant!

[BlowCat]

Be a metamoderator in the meantime. That post was redundant, but not offtopic. I usually consider most negative moderations unfair. Why don't moderators search for new interesting posts and instead spend their points moderating inane comments from 0 to -1?

I post this from my account because I don't care about my karma. As soon as it reaches 0, I'll switch to kuro5shin.org.

Re:brilliant!

[ADRA]

Tux is in the kernel optionally and under the experimental tag. Yes, it can cause angst in your system. Being what it is, to run it, you have to take the risk of the server being in the kernel to get the massive improvement in static pages that it does.

Mind you, these are only static pages, so there isn't too much to break, but still...

Turn your computer OFF for MAXIMUM security

[DonkeyHote]

This troll brought to you by retard world domination in 2002, Unf Unf.

Ha ha, I chopped up my computer with an axe, now lets see you break into it, Haw Haw!

Fear the Retards.
Don't Drop the Soap.
Enjoy the Ride.

t k socrn iuxhf
pxgt fxa d pcyp
g o con mgyq ycm
iicff kidac bq
mb hprk whr hlb
s kb sb twtsi bt
mc auogn qv cwb
ni pux l ri bifr
dsink kimuf pf
lde iioj ime uv
kuc boh apohn h
kwss pubv yqh m
pj mokix br hu x
ojs ojcsi u uhr
iv r pfki t wuj n
yy bea d mi t air
sj xd afcf rkv p
ix imdl ohx txy
y takpt wlkd pc
yfg vdulo s iil
pb rvo hi eb ylr
cl fl vfpua jpg
wt qukoy dlusl
wqjyn hq bv svc
eo o t klinr m vw
wnu vkjib wrcv
i re twst kcyg v
xo pwv vr pf xyu
ki nm vj mnw waf
owi ejrh jywku
sfc rsgb ehjh y
qns uj sdjbe my
wsa dpf ydt ayd
w v yglvi pr yuo
gu audl seip pe
u v hmqvm wqq io
m m h ppau uvwwl
lyd udh dbln ah
mft sa y e a y edk
n dl y wre jvsno
qis dnlrc n q gh
lut tkod ijps d
xsv iuhv lqv p o
hi fiukj fpjk k
j xpb j yrx ujpm
jiwd yox safnb
f g hw xpo glej c
qvf vi a f royt t
lmuy s rm yrrg g
xrv b qrg gcndt
epf pqky annj l
hbg aaagc aijo
l oabk qnl urip
hia xeoq ryaxv
vqxlf imq mvg r
fcdi netki ce v
na q p esq l fwus
rr livi mbvs hu
hj cs pfohj fil
ho frm ffnpa tc
ha ff qktbo bqo
mw h w yv sjeyo c
gde bdig k fee y
s lq rwee lrptw
yyq hjyf dx ivi
vb oqr m iis lua
r efyk upox r j s
gpao ydyi syym
mydxs eiln xy r
nsdf vnlj m rwp
lixan koeaf wl
c owy c pwhmp gp
n dwrln obia ft
askgg ugy cmc r
ey ju s njwv qtr
m wa e pfgh xobx
dc v clx up gawu
a eokb mi u ysh y
t fxxt a g dd qhc
cf unaam hrv wq
mj git wkre gsr
aq m oijs nujc t
yvk s qhbek wbw
p ar bum y xv sa y
qntp jdmff k f g
vuq ymbjd ol xv
m lh d abkrn c fo
r ctuj ec hrfa e
wyh qsbo kg kv m
xhf e ss uvor dh
xdr glev xrwjv
nvm mp cnynb qf
f g qrgm qjvj oj
r qdxvi ltqw xm
sqp lnn jmx nid
venf gpyd bf kv
an btms lr wndp
nwoch c jd iydr
i qj j rxhgk rg b
j y kjl ol bymu l
kw e v xb fwkoh m
ayt huce ybjwy
hf uj yjdxd nlm
ay ilkqc lfh db
srv tsra yvey j
e osi ibnf puqu
u msw veq e om i w
u eopa c j lc c tw
h g k piw caf cts
ha mjwov yp gc d
iejv m n g wj vcw
g a ehk efl w qwd
n lbg vau rfyb c
avsq yxkee sfw
x eli yix es oks
j kfx vw tyd kwl
vbul c xrck tqr
endv kcoev rwc
yt vcvqh tax px
e v kw fq nbevp d
vu jeem he bt m a
w wqv l p xqi qj j
vf lm vyhu q fou
fo slv a lij esv
e j v cu gc vqbm g
ooci vcf lrg sl
jhmh btdvi dlh
xjy gictd rjkc
s hd ncpq bggn s
uw lto h uahfc h
ycmr fdapd vf o
dmxw u yoa vri r
nrvo fpsou cdx
g l lq eym trlw v
nvqt scgb haco
k i ufjsn dp j uh
y vsfsl p vg nv k
gdcw xj c h temg
w wqg umllm lcd
g buqt dmbup me
ul edn bos bqif
msrw qsbd se qa
ut cud rv bdcr w
blbl smaew qcl
wihom sk alge x
qpso nny rlfvn
jwx ppw okkbw v
fbojn ukqfo wc
mk ltq curtf ct
i qx ue q jrt kv v
bsvu klbh ynwy
m da excm inobq
shsau kl q kjrx
l d w fc iy eb ff r
f eb my tm h m tp i
vj mtbwq nig mc
g kpr iu sab gqr
qy tuw ic wrlb u
ypb rfwf rcx ba
f x qm fx i ia dwt
k qfou oekhe jl
kt xkud taai l a
qyt shv vybc w k
bjx p o irwqu mi
ov byhl ikdj mv
j bs o soo d xv if
ic a nfso vlnu i
fnyyg epxt nu x
gkbe miod i gjr
v lhtw cm kb m ob
fg cwji k mtw rm
vl fuv squp qqx
n ekp qxll ubaq
c iktu wt ejauc
detvo wjhmx un
fmf vkej ijq kp
nae otwj kcv dn
uhj u uq bvo phf
t t ub ccag qybg
d jobhf be jfct
c eaaq dbso naa
i wt doi spjr ed
lo ila vphj bqy
fh er h ocoq aar
lr fq ci nrcse r
qke si ixr et mj
gbt umjcp modx
henq k fh yljuy
mpmw rga ratir
e

No processor running?

[mini+me]

This means runlevel 0; no processes running and no disks mounted, but with packet filtering still on.

When I first read this I thought it said "no processor running". Sure that'll make for great network security but it will be totally useless.

Re:No processor running?

I'm also always very interested in the thoughts of people who can't read.

Even better:

[BlueUnderwear]

...run it unplugged! Now who will succeed to break into that?

Joe Schmoe

Ok, I'm Joe Schmoe - "runlevel 0; no processes running and no disks mounted" sounds like a pretty dormant machine to me.

Re:Joe Schmoe

[$0+31337]

Did you not bother to read the article at all? Did you not catch the line that says "IP FILTERING IS STILL IN EFFECT"? Are you blind? God... Why did you waste your time posting?

Logging?

[eo]

What about logging for the firewall? Any way to write logs to a separate machine over a serial connection (or something) while halted?

Re:Logging? - syslog

[gatekeep]

Just log to a remote machine using syslog. Most people do this anyhow. That way if the firewall is compromised the logs are less likely to be altered and cover that compromise.

What about logging?

[TeamSPAM]

I'm a little bit ignorant around the linux firewall setup, but don't you want your firewall to do some logging? Without logging how would you figure out where a DoS attack was coming from? Someone port scanning you? Wouldn't you want to know if someone tried to access a service you blocked with your firewall? This method seems to be nice armor for your firewall, but you have no idea who just whacked you upside your head.

Re:What about logging?

[ruvreve]

How about putting this kind of setup behind your 'real' firewall. For most personal setups this would be going a step to far but in the slightly more advanced networks it could be a nice added layer. This way you can still log port scans blah blah blah...but if they happen to get by the first one..the second firewall is still a concrete wall and all they have is a hand-made spoon.

Re:What about logging?

[TeamSPAM]

Ok, that is a reasonable setup and use for this idea, but not one that I think that the author was intending for this concept.

Just In case it gets slashdotted

Halted Firewalls
Mike Murray

As systems administrators, it's often funny how new and interesting information ends up in our hands. Sometimes, it's through an intentional course of study; other times, it seems to arrive by accident. That's exactly how the concept of using a halted Linux computer as a firewall occurred to me. I was at work, perusing an internal corporate mailing list and saw a message about something that was once present in Linux. The message referred to a method for shutting down a Linux box while ipchains is still running, and having the box continue to perform firewall tasks. My first response was to stifle a laugh -- a firewall that works while in a halted state? I contacted the author (with a bit too much sarcasm in my letter), and was sent a link to an old discussion thread on the Firewalls list about a rumored feature in the 2.0.x kernels. This feature allowed you to run shutdown -h (halt) on the machine, and the firewall would remain active but with no drives mounted and no processes running. That is, the firewall would be in run level 0, but still be filtering packets. However, the list mentioned that this no longer worked in the 2.2.x series kernels.

I knew that I couldn't leave it alone, however. I set out to make a 2.2.x box perform a similar function, and I hoped that I would be able to do it without having to patch the kernel in any way. It turns out that I can.

Perfect Security?

I realized the security implications of such a possibility. Assuming that the firewall could be cleanly shut down, having removed all process space and file systems, there would be no way for any attacker to gain access to the system. This is because there is a complete lack of process space, and there are no drives mounted. Thus, an attacker could not run code on the system outside of code that he or she could directly introduce into kernel space. This would require writing shell code to produce the desired results, which would not be a trivial task.

Note that this doesn't make the firewall invulnerable to denial of service-type attacks. In fact, with respect to denial of service and resource-exhaustion attacks, this machine is no more secure than any ordinary Linux-based firewall. However, it can also be said that it is not significantly more vulnerable to that type of attacks.

Because this method does ensure that no user will ever gain controlling access to the firewall itself, there is definitely a huge security benefit. It's a step in the direction of the old adage that the only perfectly secure machine is one turned off and locked in a room.

Implementation

My test machine was an x86-based Red Hat 6.2 machine with two Ethernet cards. No special system or kernel modifications were made. To begin, I searched the run control scripts, thinking they would be the most likely place to find a hint of what was to come. Specifically, I focused upon the scripts for rc0 (the script that runs when halting the machine). It turns out that this was all I had to do. I started removing scripts, working entirely by trial-and-error.

After a relatively short period of time, I concluded that for Red Hat Linux 6.2, removing the following scripts will allow this behavior to occur:

/etc/rc.d/rc0.d/S00killall
/etc/rc.d/rc0.d/K90network
/etc/rc.d/rc0.d/K92ipchains
Removing these three scripts keeps the network up, and keeps ipchains running. Note that removal of the killall script is necessary because its task is to recurse through the /etc/rc.d/rc0.d/ directory and run all scripts that start with a K. This script would run the K90 network and K92 ipchains scripts, which would kill the network and ipchains.

Explanation

The design of Linux is as a monolithic kernel. When the machine is halted, the kernel still resides in memory, even when the machine runs through the shutdown process. The usual method to prevent this from being evident is to kill all possible access to the kernel during the shutdown process, which is accomplished by killing all running processes, shutting down all of the machine's network interfaces, and unmounting the filesystems. This prevents the kernel from performing any intentional tasks while the machine is "halted". However, the kernel is still running as a scheduler and memory manager at that point.

Because the kernel is still running, any kernel-based tasks that we can run in normal use can be run while halted. Of course, most tasks require some form of input and output, either through the shell (user input), the file system, or the network (as in this case). Thus, we must force the machine to allow that interface to continue to exist even while the machine is halted. This is the effect of removing the K90network script. It no longer forces the Ethernet cards to be stopped.

Additionally, any kernel-based services that are required (e.g., ipchains) must be kept running. The default behavior of the system is to flush all ipchains rules when the machine is halted. If that happens, the firewall won't be working at this point, so the machine must be forced to leave the ipchains ruleset in place by removing the script that would flush all the rules.

Limitations

Given that only utilities that run in kernel space will be left intact upon halt, the major limitation for this task is that any type of IP addressing that requires a user-space daemon (e.g., PPP, DHCP) to run will be unable to function in this case. This places a limit upon the usefulness of using this on most dynamic connections. Similarly, any sort of user-space proxy server (e.g., Socks5) will be killed on halt. Thus, only packet filtering and NAT are possible with this setup.

The other consideration is that with drives unmounted, all swap space is removed from the machine. This shouldn't be difficult in a machine that is handling even large amounts of traffic, given sufficient amounts of memory. However, in an older machine with fewer resources, it is possible to experience performance issues with extremely large amounts of traffic.

Conclusions

This discovery seems interesting as an exercise, at the very least. It gives us a model for improved security in machines that are dedicated to a specific task. I am curious to see whether this type of experiment is possible in other free Unixes (especially OpenBSD, given kernel space IPSec and pppoe). And, while there is limited application for home use, it seems that this type of firewall could be used in small to mid-size business applications to provide extremely secure packet-filtering ability. Or, perhaps this could be used to create a very secure and very high-bandwidth firewall/router for larger business tasks.

References

Firewalls Discussion thread (archived on SecurityPortal):
http://www.securityportal.com/list-archive/firew al ls/1999/Mar/0116.html

Mike Murray is an expatriot Canadian who works as a Scientific Technologist for nCircle Network Security, where he has performed various tasks in the areas of systems administration, network security, and development. He is a graduate of the University of Toronto with a degree in Philosophy. He can be reached at: mmurray@ncircle.com.

Network?

Would it be possible to log that kind of stuff to another host on the network? Not sure if that's really possible or not...

-1 Redundant, Beat Yah, MOD PARENT DOWN

[DonkeyHote]

Retard Network Security in effect!

-And the retards shall inherit the earth

RWD, 2002

qgekh tcn t kqd
b ah ohy mu bqx m
c dyf uh bmrb l f
sh y maql moro c
d oe mpqvf bmwv
akm td rcjyv hi
lxg xr wy xsn xy
ct tq suq dyhp f
xxuo bdk st wxp
a lx u lklpo xyx
ta s u pss xotgk
sgth xd ufj a xk
rsxry ymbmb d v
ia iqcd eh r c ur
cp tdgpl qugdi
d s xshjt sw xk d
hoedd esq pxe u
v wgn y qssn eyv
v tfd w o jykqs w
yqdg nq ycgci g
u xn hnl h m xxoq
t uh hqgwh vhl q
ncr leo tlq ayi
s xhil bkuox xk
jxal ebyts wll
pxogx uvvi jyo
vg juo po lbqur
w rtwer v vph h g
dagac e asab hl
jci oqtrd ndco
c afxix f jurck
ssqdh u vwnnq t
v rxdkp fni sqv
lqdyp st rcqh f
td r lcn owx qs e
ay tccls dvio o
deh sfgf ja brp
wh oq nbi dpn rf
jl odp n pefxm o
p nulx wifsl sp
g b u vhyi rw vaj
kumn odfwg b lh
pb aom kprj feq
shba ep lf sbjo
j fkbo tuyts cl
oea oub jwgyk w
w qarfb cgl adg
kh y ioqvh qsok
oo cuo gsdki yp
dnemi i jbwhd y
u w crbg lo ls mr
lrmcv po rv ljb
jg cnrx v wy u ug
pk c surrw udvl
hmyy hthhd rpt
brpyu fji bnb u
gltj mhtdn wyw
b wllaa dgdh er
eap nott tw lyk
vr pd ywpor ts t
s mpo tumil t kn
x ccgaj n rwxa x
nwgd o pmgei tp
lgx rw yyljq u h
vy yek la sm rtm
ay wrsbk lpd co
aer hk s yabte k
ppho o k hxxah d
vgut aglg dpeb
t sdncl tdov xt
j onagv ww xtls
e dteh sjxbv bi
msjk cn dj imi v
g whff d xi kctu
l w lje iml ydhr
jpa evm l bviaf
eln n dg weo cb f
bxb ax la n vrui
k dbbbe iq a tvb
br mg bdiu uuaw
n n fqv g ns gqmx
r ihx oanhu abn
b rix ghw rxuvn
ees dc lxmdn g g
jwj dbcln nsws
ak vrgjy x qr x o
gnbg ed xba krd
pelvo j kvlj f x
slq xvf bb xhdr
wv excmq twbmt
oeus cwe ee ggd
k supue xmls fc
kt d ks xgwy a mj
ob pknn ogn ho n
o waon lna mg m s
sce gc m tjvs hb
stw bapnr ijnh
xcatm mgnqe jq
k dxsq nommi tc
q fbs jkwyh cvi
cx q tkfbi q tmr
q upnka juvjb q
nb iw w kaidl rs
npb v vpf ih f q f
v ywiog lvekc w
d ewuea bnfc kb
kit uune imtgx
t ms lllje xa vo
yu l hls t qrog y
i sjns ef hxeye
dwcjn taom i j e
lhel p eqh i gy p
cty be r ijkma y
sk veof osgb iy
w uhqk c o y unfh
giw g ga doau bm
pn itpse tn fja
tr be yshv kooq
s y sq vbfbq vtj
s hnpvw cn jd lw
i v l anxi euuh e
u vdcub u n nmx x
lkpn s tt skeu x
ovwo knff u a fp
jd iw etfo xti c
j xbc smkr ya qw
puaos x a t fwy v
wxq p b pdb w pge
wm xqqv lyap hq
k gkh w ot uhrx u
e jmk cfu m s tdp
gt udkuu ri ulk
dr cokc psymu v
agk goe t b gpfv
xkiwx bdeq dxb
t hmaw h k skp qd
r f nqu k bot kai
jq qjmm sif qr k
b jckbc sfs pw f
tphd jrsm wrvu
jj qxeg m wqjjg
spg nopv qqx uh
m safwy vbq y ae
xo e fuq ecuek q
uvy kar exgos c
aqgu t c kscs o c
xm df wjxtx rnd
r inrh yh rbg lf
l sbp lylbc yx g
pdhfg rdcm faw
ge jcdr b mklr s
l m m hiif o tlh j
fhwvp t a ow nbs
cs tmq kf dj rx u
j cuo e mppy soy
ke wd vswv fk tc
efr ibxis d xlk
j psx xd n gjor t
xw a tkida l oms
a bfy g krieo ci
lo e fhsdn npvb
j cf h se ds k fs a
hyli yq wc a i s p
ibht s acq ftl u
swb eytc qwwd v
l gx qqnvr sdmm
rx aopd baje fg
e k yag ixh iyse
ifbm mmsf ospw
yg mympb iae js
voa tfvvd ldp d
eid xmvab wryg
y j vtd e gqv gu w
qdh x rjjns inw
xe fimsa yxvq k
x owy f oxhso ry
hqhrv j bnxcb s
ebd a kr tjrh uk
xwcby t cs fkb y
faxu yby yfipk
o qch sp u b xwop
i eb wbua budy v
ff awyjs ls m j w
l cqu pa xd x sib
srk xm y ta r xhn
jm maj n eys jow
cla bxqlu fsu t
m o qnkns ywvf b
eotfe aa bp x k a
o

Not much of a Firewall

[FreeLinux]

This isn't much of a firewall when there is no logging or alerting. With this approach you basically have a solid state packet filter and if that's what you want, a Linksys box would still be a better solution.

There are a lot of things that can be done but, one has to ask: Other than doing it for the sake of doing it, what's the point?

Re:Not much of a Firewall

[omega9]

I don't see a problem in logging to a remote syslog server. It's the first logical thought anyway.

1. The firewall will be halted so we can't double duty and use it as a central syslog server as well
   
2. Therefore we must point it to our central syslog, if not another syslog
   
3. If we're not using central logging, why the hell not?!?
   

If you aren't using central logging, your shop isn't running as effecient as at could be. Also, if you're not using central logging at large, it doesn't mean you can't use it for special cases. Unless you're just not sure how to set it up.

Look into syslog's -r option, IIRC.

Re:Not much of a Firewall

[duffbeer703]

Who in their right mind would make the firewall a central logging server anyway?

Do you store your valuables on the front steps of your house?

Re:Not much of a Firewall

[warpSpeed]

The problem with this is that in order to log to a remote server, you need a user space process to do it. All user space processes were all killed to get to a "halted" state.

~Sean

Re:Not much of a Firewall

[Reylas]

I do not believe that they are saying use the firewall as a central logging server, just to *point* the firewall to log to an internal central server. Then again, variables are easier to clean outside.

Re:Not much of a Firewall

[$0+31337]

Yeah, I don't see a problem with it either... oh wait... YOU CAN'T RUN SYSLOG IN A HALTED STATE... Hmm... That's gonna throw a monkey wrench in to things isn't it?

Re:Not much of a Firewall

[leviramsey]

The problem with this is that in order to log to a remote server, you need a user space process to do it. All user space processes were all killed to get to a "halted" state.

Of course, there's nothing stopping you from hacking the kernel to move the syslog functionality into kernel space.

Re:Not much of a Firewall

[Tuck]

> Therefore we must point it to our central syslog

That still won't work because the firewall won't have syslogd/klogd running.

The kernel has no concept of log files or syslog servers, it (and this includes ipchains/iptables) writes it to a ring buffer in memory. Klogd grabs it from there and sends it to syslogd for logging (or sending to another syslog server).

If you have no klogd or syslogd (which are user processes, all which we've killed) then you have no remote logging.

Apparently some syslogd's have the klogd functionality built-in (although I can't remember seeing one) but the problem remains.

Re:Not much of a Firewall

[omega9]

I wasn't getting at using the firewall as a central syslog as in the central syslog. I should have worded it a little better!

Re:Not much of a Firewall

[warpSpeed]

True, true...

There is another thing to put on my todo list...

OpenBSD

[Motheius]

IPF can run in stealth mode. In this mode a packets TTL isn't decreased when the packet traverses the firewall. It is invisible to the netork at large.

Re:OpenBSD

[sedawkgrep]

Yes, but that doesn't have anything to do with the article...or were you responding to a thread but hit the wrong button? ;-)

Back to the article -

I don't honestly see this being a very valuable feature, unless you were able to move things like syslogd (for logging) into kernel space, and provide a mechanism to allow for some kind of management.

sedawkgrep

Logging CAN be done in this setup.

[gatekeep]

All those of you saying that you wouldn't be able to log in this way.. why not log via syslog to a remote PC? Don't most people do this anyhow?

With logs on a seperate machine, you're much less likely to have the logs altered if the firewall is compromised too.

Re:Logging CAN be done in this setup.

[BlueUnderwear]

Wouldn't this still need a locally running klogd to forward the messages to the remote syslogger?

Re:Logging CAN be done in this setup.

[jakobk]

You didn't read the story. ...no processes running...

Re:Logging CAN be done in this setup.

[vherva]

You'd have to use something like Ingo Molnar's netconsole patch but I guess it's doable.

sometimes...

while reading SysAdmin magazine, i touch myself.

Great idea..

[omega9]

I just read the dead tree version of this about a week ago while sipping some coffee. It's an interesting idea to say the least, but I don't think the practice of turning the machine off and still expecting it to work will be widely accepted by any large production environment.

Essentially, I don't see why any process that runs entirely in kernel space couldn't be handled the same way. It has sparked my interest enough to build a test machine to try out this kind of thing. The site is already /.'d so I can't check my facts, but I thought it mentioned it was possible with a 2.4 kernel as well.

Also, that was the most interesting article of the issue. It slightly miffs me that I can read it online for free, but their magazine just cost me ~5$.

Re:Great idea..

[mastahstinkah]

I can see the value of a fairly static (DMZ) dns running on a halted machine. Hmmmmm

PLP

7
5
7
9
4
6
0
4
4
2
9
6
5
6
7
1
7
3
1
3
3
5
8
3
5
6
7
8
3
2
0
1
4
7
1
2
9
2
6
2
7
6
6
3
7
8
9
4
5
6
4
5
4
0
5
1
0
9
8
9
6
8
2
9
8
9
0
3
2
6
9
2
7
7
0
1
0
9
6
2
1
9
0
1
1
7
0
9
4
5
0
3
4
1
5
7
7
1
9
6
0
5
8
2
9
9
7
3
2
5
0
3
8
4
4
7
2
2
3
8
1
7
6
3
5
7
9
3
2
6
4
6
2
5
6
1
4
2
2
4
1
3
0
8
7
1
0
7
7
2
3
6
3
7
4
3
6
4
5
6
6
5
9
6
6
4
1
9
5
8
1
8
5
0
7
6
3
4
5
3
1
4
1
2
2
5
7
8
6
7
3
7
3
9
0
1
9
8
5
5
6
9
8
8
1
2
1
4
7
3
4
2
4
4
8
5
3
4
1
2
3
4
3
3
6
0
3
3
8
3
7
8
9
6
8
9
7
6
2
3
3
0
2
5
3
8
3
5
6
5
2
9
3
1
5
4
6
0
2
9
3
5
8
7
7
1
9
5
2
8
1
1
3
6
4
8
6
3
8
0
7
9
5
2
6
5
1
9
7
0
3
1
0
2
9
0
3
5
3
9
2
5
8
7
0
3
6
5
0
6
1
9
6
9
6
6
8
2
0
7
1
2
1
4
8
1
9
8
9
0
8
7
6
3
4
1
8
2
2
0
3
4
5
2
7
5
8
6
8
8
2
7
2
7
2
1
5
6
8
9
8
8
7
1
1
9
8
2
8
6
9
6
4
2
8
8
3
9
9
4
3
1
8
8
2
8
1
7
7
6
8
1
4
9
8
7
6
0
1
8
4
5
1
8
0
7
2
5
7
3
2
6
2
6
8
9
4
4
3
6
3
7
8
5
9
6
4
8
8
1
3
9
8
2
4
0
9
7
6
3
1
8
4
4
2
1
2
9
1
8
4
2
1
4
9
9
5
1
1
8
5
1
5
4
3
7
4
6
8
7
2
0
8
7
0
4
0
1
2
8
6
2
9
9
9
6
1
3
6
3
4
1
4
4
6
1
3
3
5
0
6
4
8
7
1
0
5
9
6
4
6
4
1
8
2
1
4
8
5
5
5
7
9
1
5
9
8
1
9
0
3
6
0
5
6
1
3
8
5
3
5
7
6
7
9
5
0
2
4
7
0
4
3
2
2
3
3
0
1
1
5
1
2
9
8
6
6
3
6
5
4
1
7
4
1
5
4
7
8
7
7
9
7
0
5
0
6
0
8
6
4
1
4
7
0
1
8
4
8
0
4
1
8
6
9
4
2
7
7
5
1
8
1
2
6
1
2
3
8
7
7
2
9
1
8
0
0
8
8
5
2
2
0
7
2
3
9
3
0
3
2
0
5
1
4
1
8
7
9
3
4
8
8
5
4
8
0
0
8
3
5
7
9
9
5
6
2
6
5
7
4
2
2
5
4
9
3
3
3
6
6
1
7
5
8
2
2
3
2
1
9
0
8
4
0
9
3
8
3
8
4
3
5
2
8
9
4
7
6
5
2
9
8
8
4
5
6
8
2
4
9
2
9
4
4
5
4
1
7
6
0
3
5
7
4
4
6
6
0
8
1
4
3
3
7
7
1
0
9
2
4
0
2
7
4
8
1
5
1
4
0
1
9
7
5
6
0
5
6
6
8
6
7
5
9
8
6
8
1
6
5
8
9
1
5
6
7
7
6
1
3
8
3
4
5
2
2
7
3
5
1
2
4
7
0
5
9
2
8
4
1
5
2
5
7
5
9
1
5
5
9
0
8
1
1
8
2
4
3
6
5
3
6
4
1
3
8
2
3
6
6
6
5
2
8
8
8
1
9
3
3
5
5
9
9
3
6
3
8
5
8
0
6
8
1
4
6
8
0
1
3
8
1
5
0
1
0
4
3
0
7
5
6
2
4
3
4
2
1
1
6
0
2
4
5
9
1
5
4
8
3
0
7
7
8
3
1
6
6
9
2
8
5
7
0
0
3
9
5
8
8
4
2
3
5
7
4
5
8
6
0
5
4
4
7
2
9
2
2
1
5
1
5
7
6
1
0
2
0
5
2
0
0
4
2
9
4
4
1
5
5
1
9
4
3
0
2
3
6
2
9
0
4
5
2
4
4
9
1
4
2
6
4
6
1
1
1
1
7
2
9
9
5
1
8
9
6
5
4
8
3
7
8
8
0
8
5
9
1
3
8
9
8
9
2
7
3
8
3
3
1
7
6
5
0
6
0
4
2
5
2
6
3
7
3
8
2

In the wake of the dot-com washout, a lot people nearly wrote off cyberspace as a retailing wasteland. But last week, Amazon reported that it had finally turned a profit, something most of us thought we'd never see, and preliminary figures show a sharp upturn in online sales despite the mild recession. Some other interesting post-Christmas tidbits are popping up, too: for the first time, more women than men are buying things online, a landmark barometer of a bright digital retailing future. Beyond that, in case you haven't noticed, online retailers are getting a lot smarter. The arrogant, customer-abusive tech world could learn a lot from these people, who offer steep discounts, stand behind their products, and actually offer real and free customer support.

The final Christmas shopping figures for 2001 are not in, but some industry analysts believe the new savvy and sensitivity of online retailers might have rescued the U.S. Christmas shopping season in the wake of September 11, when a lot of people either stayed home or tightened their belts. "I can't be quoted on this until the figures are finished," a friend and research analyst e-mailed me, "but I believe online shopping really saved retailing last year. The sites and service are getting so much better, and consumer confidence in them -- especially among women -- is skyrocketing. Online retailing is not only on the rise, it's really getting to be fun and easier. More importantly, they grasp customer service, something almost no software or hardware company yet does."

If that's so, and it definitely matches my personal shopping experiences, it's huge news for the Net. Consumers, chronically abused by the software and hardware industries, were initially anxious about buying things online. They worried about hackers, crackers and security; they faced poor customer service and complex downloading and other problems. But those problems -- unlike similar headaches in the larger computer industry -- are being addressed.

Retailers competing online this holiday season were a lot shrewder, says a story on About.com about the online retailing industry.

About.com cited a survey of 63 retailers who found a successful holiday season marked by a surprisingly effective combination of widespread promotions and discounting. Most consumers hate spam, but it doesn't bother them so much if it's about things they want, and if they're getting something for the attention. Both multichannel and Web-based retailers seemed to have learned a lot from past marketing missteps. The Shop.org/Boston Consulting Group (BCG) found that more advanced retailers, after carefully studying the economics of each online and offline promotion, are finding ways to offer the minimum discounts necessary for increasing sales volume and ways to deliver targeted promotions to the more than 100 million consumers estimated to have used the Net over the holiday season.

Besides that, sites have radically improved their graphics and visual representations of products. As fears about theft and security have subsided, companies have radically upgraded their customer service. This is in striking contrast to tech industries which sell products that are confusing and difficult to use, and either makes themselves unavailable to confused or outraged customers or charge them extortionate fees for "priority service," which is really just the service they would be entitled to for free in any other business.

If you want to see smart web businesses, I'd cite two in particular -- L.L. Bean and Pet Food Direct. L.L. Bean's site architecture is brilliant -- well organized, easy to navigate. It shows clear pictures of all of its products and allows easy customer access to account information, while still providing security. More interestingly, the site offers customers several ways to get instant help -- phone, instant messaging, nearly instant e-mail response. If you're encountering problems, you can simply e-mail or call and a human will respond promptly. This support is crucial to building consumer confidence. A shopper is much more likely to risk buying something online if they know they can get help with any problems. Tech shoppers are among the most distrustful on the planet after years of confusing products and poor service.

Pet Food Direct also offers a different kind of targeted retailing, e-mailing customers weekly about specials, sales and promotions on the products they have already demonstrated they want and use regularly. This isn't quite like spamming, since it's stuff the buyer needs. And the sharp discounts have a way of offsetting any irritation. The site isn't trying to be funny or cute. Rather than promoting a silly sock puppet, it offers heavily discounted pet food and reminds pet owners when they are apt to need it. It also offers sophisticated graphic renderings of products and instant customer service both online and by telephone. The purchase takes seconds. The discounts are heavy enough to attract shoppers attention, but apparently not so heavy to erode profits. One reason is that the site, like L.L. Bean, gives the consumer a variety of shipping choices, from regular mail to next day air. And the customer pays for shipping, choosing exactly how much of a discount he or she wants. In both cases, the sites don't spam -- they target people who have bought and need their products.

Dozens of other sites have similarly polished their presentation, honed their sense of marketing and discounting and, most importantly, invested in tech support and customer service. Shoppers feel secure not only through repeated use, but through the sense that somebody will speak to them if problems arise.This is something that, alas, computer and software companies still haven't learned.Globalization Posted by JonKatz on Tuesday October 30, @11:00AM
from the the-cause-of-the-taliban-or-the-cure? dept.(First of two parts). Globalism is one of those notions much kicked around and little understood, shrouded in hysteria and knee-jerk cant. People with a host of grievances against technology, multinational corporations and capitalist democracies have made globalism a dirty word, at the same time that many social scientists and economists argue that the equitable spread of technology and a free-market economy is the planet's best hope. Either way, September 11 makes it clear that globalization - pitting fundamentalism against cosmopolitan tolerance - is one of the most important issues in our lifetimes. In fact, as British political scientist Anthony Giddens writes in his eerily prescient book Runaway World: How Globalism is Reshaping Our Lives, the conflict now underway between the United States and some extremist fundamentalists was inevitable. Cosmopolitans welcome technology and cultural diversity, while fundamentalists find it disturbing and dangerous. In a globalizing world -- one of its cornerstones being the Net -- technology, information, culture, money, business and imagery are routinely transmitted across the world. Boundaries mean different things now, including the inescapable fact that they are highly porous. This enrages political, social and religious fundamentalists, as we are hurriedly learning. They turn to religion, ethnic identity and nationalism to build "purer" traditions -- and a few turn to violence. So despite the fact that there's no consensus on exactly what globalism is (my dictionary defines it as the process by which social institutions become adopted on a worldwide scale), the questions torment us: is globalism a force to ease poverty and inequality, by bringing higher standards of living and new technologies to poor and distant regions? Or merely an unprecedented vehicle for promoting the greed, conformity, environmental destruction and profit-at-all-cost ethos of multinational corporations? Perhaps it's both. Giddens' predictions are coming true before our eyes. The conflict is here, and we seem to be unwilling and unknowing combatants. We, along with our leaders, are astonished at just how much we seem to be hated out there. We see our popular and technological culture despised in much of the world. Fundamentalist extremists have declared a holy war against it, one that may continue for years with bloody and uncertain consequences. It's not an oversimplification to say that technology is the prime battleground. Technologies from movie cameras to TV sets to the Net are the means by which culture and wealth travel from one part of the world to the other. Fundamentalists have declared war on technology as much as on anything. And from anthrax to passenger jets as missiles, they've shown a sophisticated grasp of how technology can be used to devastating effect against its creators, who revel in making it but not thinking much about it. In this conflict what Giddens calls "the cosmopolitan approach" is the choice of the people who are reading this column and working in the tech universe. We value free speech, religious freedom, scientific exploration, open communications, cultural choice and diversity. Such tolerance is closely conected to democracy. Yet democracy and fundamentalism are both spreading world-wide, two seemingly irreconcilable ideologies colliding head-on. As Giddens points out, globalism creates a paradox: democratic cultures are its most enthusiastic proponents, yet globalism doesn't seem to promote democracy so much as corporate profits and practices. In fact, you could argue that globalism seems to expose the limits of democratic structures: Can governments preserve the environment, keep work secure and equitable, ensure fair wages, control capitalism, distribute new technologies equitably, respect diverse cultural values, contain greed and restrict the imagery that Americans love but that frightens and offends large segments of the world population? In Part Two: Have multinationals hijacked globalism? (Yes.) Posted by JonKatz on Tuesday January 22, @11:00AM
from the does-tech-connect-or-disconnect? dept.
Do media/entertainment technologies connect or disconnect people? That Americans have become increasingly disconnected from one another and the social capital that binds people since the rise of TV and the Net is an idea much debated since Robert Putnam published Bowling Alone: The Collapse and Revival of American Community two years ago (the book is now out in paperback). The Net -- ironically the world' s most connective medium -- could be radically advancing that trend. Putnam cites numerous surveys that show that interaction with family, friends, and neighbors, and participation in social activities -- from joining civic groups and bowling leagues to voting -- has declined as Americans find more reasons to stay at home. Online, fragmentation abounds. People turn increasingly inward. The big open spaces of the Net have either been corporatized, flamed to death or shut down, and communications steadily turned to exclusive p2p "me media," the fragmented, often self-censored, personalized and specialized weblogs, IM programs and mailing lists that dominate much of online communications.

In his book, Putnam argues that our access to the "social capital" that is the payoff for community and civic work is shrinking. Though the reasons are complex, technology and mass media are primary factors, Putnam says. We spend more time at home watching TV (and, increasingly, working and amusing ourselves online) and less with other people. Our detachment from communal efforts -- and opportunities to meet other people -- grows. In l960, 62.8 percent of voting-age Americans went to the polls to choose between John F. Kennedy and Richard M. Nixon; in l996, after decades of slippage, just 48.9 percent chose Bill Clinton over Bob Dole. The inverse correlation between the rise of screen-driven entertainment technologies and civic disconnection is persuasive. So is the epidemic hostility online.

Although Putnam's book focuses on TV more than the Net (since TV is older and its use has been more widely studied), it's impossible not to think about the new ways networked computing may contribute to this disconnection. The Net is the world's greatest communications medium, but the notion of cyberspace as providing a social connection -- remember the virtual community? -- has turned out to be a fantasy. In many ways, the intensely connective Net is helping people become more disconnected all the time. It's the new TV.

This is of no small consequence, Putnam argues. Social bounds are the most powerful predictor of life satisfaction. Communities with low social capital have poor schools, more teen pregnancies and child or youth suicide, and higher prental mortality. Social capital is also the most reliable indicator of crime rates and other measurable quality-of-life issues. Such disconnection has happened before in American life, Putnam writes, especially during periods of great migration and immigration, but it was reversed by periods of stability and the rise of organizations like the Red Cross, the Boy Scouts, and thriving religious organizations.

Of all the many dimensions along which forms of social capital vary, writes Putnam, perhaps the most important is the distinction between "bridging" (or inclusive) and "bonding" (or exclusive). Some forms of social capital are, by choice or necessity, he writes, inward looking and tend to reinforce exclusive identities and homogeneous groups -- fraternal organizations, church-based women's reading groups, snooty country clubs. Other networks are outward looking and encompass people across diverse and different social networks -- youth service groups, civil rights organizations, ecumenical religious associations.

The Net, it was originally believed, would be a "bridging" technology, one that would connect the planet. But the most interesting evolution in software in recent years has been code that permits people to narrow, not expand, their universes. Blocking and filtering software has become epidemic to product against flamers, crackers and spammers. The explosion in weblogs, specialized mailing lists, instant messaging and other so-called p2p media means that people online increasingly talk only to one another, not to people who are different or unfamiliar. The rise of this narcissistic communications is understandable, but it hardly is inclusive. People all over the Web routinely block and filter points of view they don't like or don't want to hear (or buy), so nobody online really ever has to encounter all that discordant diversity that digital technology makes possible. More disconnection.

Thanks in part to the Net, Americans have never had so many reasons to stay home, so many entertaining or useful options when they do. I remember an e-mail I got from a grandmother last year lamenting all the TV ads showing AOL grandmas getting pictures of their grandchildren. "That's nonsense," she says. "My kids don't visit me nearly as much because they feel they can just e-mail me. I love digital pictures, but I rarely get to see my grandchildren in person." Her lament -- the illusion of connection, while facing the reality of tech-spawned separation -- was intriguing.

The rise of the Net would seem to have exacerbated this tendency. Americans had already been spending an enormous amount of time watching television. Putnam found that 80 percent of all Americans watch some TV every evening, while only about 60 percent talk with their families nightly, let alone neighbors, strangers or others. Watching TV has become one of the few universal experiences of contemporary American life.

Increasingly, the Net is one too. It promises consumer use as great as television's, if not greater, since work connects with home. This seems especially ironic, since the Net was supposed to be one of the most powerful devices ever for connecting with humans. Mostly, it connects us with bits and links. In a sense, it is a connective medium. We can stay in touch with friends, colleagues and family members all over the planet. But Americans use the Net to get free data from music to weather, send messages, play games, shop and talk about sex. So the Net could exacerbate the techno-trend that television began. We're e-mailing and browsing alone as well as bowling. The Net could have an ever more striking impact, since it enables users to do things TV doesn't -- like play games and shop for nearly everything. Those, among others, were activities that people once had to go outside to do, where they might glimpse or even speak with a neighbor -- or go bowling.

America was founded partly on the notion of common civic spaces -- taverns, greens. A lot of cyber-idealists thought the Net was becoming our new common space. That hasn't happened. Nasty teenagers, spammers and greedy corporatists have made common turf on the Net either too expensive, hostile or annoying for most people to spend much time on.

Putnam's idea about social capital might be even more timely relevant than he understood.

Re:PLP

[CmderTaco]

I agree with this post.

Karma Whoring is for Trolls, We need the Karma!

[DonkeyHote]

Give it to me, Yah baby, feed me Karma

This whore brought to you by Karma for retards

RWD 2002

n qls wkm yoo kk
posn ivvnp ccg
y ngabg d a cjbx
a vv slbo h urn m
tl hmtv in l xte
s fln xgmxj s at
u s t e nri iwpcl
akr hb iuvw xdk
jcrbq uok upje
mkh huhes tw vb
im fboc tqfkd j
aoei gwj qvh ia
r a n qj fnt ipb h
hljj gaot bbq f
hgm lajiu jm tf
u dhmf vx wxkto
e vyeg e rsio ly
rqi j dbaa d hnp
ea cr a tyhgv iq
a yx u ulxw wmh j
xm bves wm ieqw
e opmle kfr y o h
ikug uey ev rlq
fxtw wthv vrgw
kv pbhc wgrkx v
c q tk xlr pod sm
lo ova b v qimq e
yov dhti b aklv
cv swsw k lhr ha
qq gmxfa nov ip
c wuj y a hndlx q
ndrb qlvrs qs m
wqr dno qn it tt
bw shgn ntkdk l
c wjc gxsm brst
ogf sc tr f tnlt
e n vpo ff se mfw
wnbk tok v eyy m
ysto i s dc f aea
gh bjf msd ruu c
yv cuppf xdgwu
dcu oskjl xt ld
dssv c xy wl dkr
e png eh l bjfyn
hsud jiyk ttny
k rga rp v wrnu s
wt dmpuy h si vt
v bqpa l caxdd e
d o d kogph hk nj
d x lsc bjb kugh
glawe hu amiu r
qqfo lnkh ked y
qkvj j wd e pgko
s gcuj uwmvj cl
wwe lvhwr t xhr
xv s vtwmp g aj b
cb ffxr fjt yis
sw rkjfo mgiq h
g s afrug mogs d
jbxhb kdxyb wv
dyr n r iyou k i r
v llr xk fhmhu n
hck rv xofxy o e
jt hhdm lhqy nn
gcnuw clu hlgo
ryw ev ngi swob
pqx ani a ef pmu
sm xvn v okj met
da ft ikpb jkes
u em aj laomd ow
ei tslr sxk ds r
coxi jom fm f n a
vk tpx nw rfd u u
bcyk hwt lbeqw
ikt cwln inv ks
pit kevho djnc
f bynfg ncw ib w
j d vyokr s afjt
pl ih qhl ay si w
gurb sm hpk lfi
r eg a uvucl nqv
bd qprn l owjm b
j cl avx hrscx t
s tsr ila uwjip
vft ykswy fqyj
g ip td ialpc lv
y pyjcl v f qqc t
h ij st er rcx vd
bmt hjll hc svt
g axedu rs dkn f
eqdf w ww vd mkn
ab p dlgs ajdod
p qj autst oay g
o sk wolft qsb t
fwe voqm odlr w
sjbhm r p bga d b
bfpl kth gd s on
wbf r pbgjk vak
s ycdhh repv sr
t rdyb bihh oqs
i yljxf ansv m j
ayjb i iyho y hu
ve dhggx neiq y
ed a kev dleba b
iud fipd pp bah
a w gcms ws iisj
gbe imqm pyoh o
f hpdnx fqlk sr
p l fsaoa fxf ej
osy vob fk g acl
y ljf hml ph ok j
ydc mhn ki v hto
wao tmayl vg ng
clm eblu w san o
ti yqvm s k u o ue
gch whdh g er gr
t laiho sgsjm y
aka x mdpf t qft
n nwstr rqnch b
nhho bro i rg l i
wxw om ewx stnl
vspx hyao fih f
jq jbci a hbvna
yvv jdid gsilg
tcu vtaw vy eli
y pitws pvog ee
wmn tbwk jrwi t
o wy d tld p t jwr
fj x nf p k ihfpu
qfq v ew ofg j uf
hu aufra w mfgi
pjnx imlkp wnu
hi jfdj yjler c
jkoh imc f x d sw
mwv n f dk pkx ju
o ikgpw ts ljfx
a uodhx kxypr u
hmr hpafv k uwy
fq jguy dqxfu o
at n cvh yp b oln
nkibf h ry lgcv
itant po uhv xy
q ie abcbu etp c
pxh bnt mlfm wl
cqy ltlun tmcx
tnng yctu imgg
a e lm wgwkn xsl
a v u vib mjkn i c
i sfdt abs l j it
xkd c xtih paaw
o nf p aedkq wh y
sgvnk mhcr ttc
nl ea cvce v x uv
c auapf ndxb jf
mn wbqq cxt mmf
rr xqid cyof pi
eyj if ffkn hna
m mdbv uugbo py
vx ricvc swr qe
olo feej bl mb i
ahs gvbg rpkk x
sudw ko hd td ee
cgy c lgxwv s e y
lk iqle qyb gmf
mg cje jmc xssa
a yrrdk q u bujr
h xghb j aj terb
n ltkp gds qog w
n dik jldmy hp x
jb ekkgl p hh eh
cuar xam gd khj
lbap q ochck gd
sc u a mv eqry n k
yjni xxpwn cp d
du nwgd o lauy f
dkbn h n o b i uw l
a fiynh jux h hh
mnw wag q hgw uc
ed iob lpwu pkv
v vynn wu rjdo i
u s dd d wq vxy oh
vckc xbib r j kw
m dhsim viuut i
ycgwl uf yae pt
e wxf r l vvhbf l
k abun qqfaj us
du sm ffa shbkf
fikdm w j y glrt
jvdm y y x osuf e
m

Brown Oyster Cunt

[ringbarer]

Don't fear the retard, dude!

Re:Brown Oyster Cunt

[October_30th]

An excellent choice!

I was just about to start listening to Paradise Lost's "Believe in Nothing" but BOC's better for this feeling I have.

What is the benefit of this?

[SClitheroe]

The kernel is still executing, as is IPChains (obviously)..If IPChains has any exploits, what is to stop a hacker from being able to modify the firewall configuration in memory, thus punching holes in the firewall?

Re:What is the benefit of this?

Nothing, as the author points out. But, as the author points out, you're going to have to write an exploit that attacks in-memory kernel code rather than user-space stuff or stuff on the filesystems, and that's a lot harder to do. As the author points out, this is a net security gain. As the author points out.

Re:What is the benefit of this?

[entropi]

ipchains isn't running. it's used before the halt to set the rules, and those rules simply aren't cleared out when the system switches to halted mode. but to make changes you'd need to run ipchains again, which would be another process, which can't happen with this configuration.

Re:What is the benefit of this?

[autocracy]

IPchains would be really tought to exploit because it doesn't answer to packets, just modifies them. The only exploit possible would be a kernel level one that has NO user space involvement - including listening ports. Challenge!

It's a bridge

[booch]

This method causes the firewall to act as a bridge instead of a router. The advantage is that the firewall is not IP-addressable. To hack it, you'd have to go down to the MAC layer, which is generally only possible if you're on the same network segment.

I read the SysAdmin article a month ago and thought the same thing. The OpenBSD Invisible Firewall is a much better solution -- you can't hack it from the outside, but you can still make any changes necessary without causing downtime.

Re:It's a bridge

[Geekboy(Wizard)]

Yes, Invisible Firewall is a much better solution. But a combonation is quite nice. I'm working on a similar solution, floppy based firewall, with just the kernel, and firewall/nat rules. do a special boot disk build, dd it to a floppy, boot off of the floppy, and you're good to go. Secure level 2, firewall rules loaded, and in not change mode, no IP addresses, minimal to run the firewall. Can't hack it when there's no way to access it, and nothing that will let you run programs.

I disagree with above comments..

[Garion911]

I don't think this is totally useless.. Everyone is saying that you would have to reboot to change the routing info. I say that can be fixed... Add in the khttpd, add some extra features to it to process form on particular pages, to interact with the routing tables. Voila, you have modifiable routes. The only problem I can see is that doesn't khttpd require a filesystem (ram or otherwise?)..

Overall I see that this could have several uses, not just for routing. You would just have to write a kernel module that could do the task that you want. Could be interesting for embedded systems.

Re:I disagree with above comments..

above comments

Huh? What comments don't you agree with?

Not everyone reads with the same sort-order as you.

Re:I disagree with above comments..

[marx]

Add in the khttpd, add some extra features to it to process form on particular pages, to interact with the routing tables. Voila, you have modifiable routes.

And voila, you have the perfect exploit. If you can modify the routing tables, then so can an attacker.

...but for how much do you want to sell it?

We use a simple clay brick as our firewall. Makes our internal network virtually unpenetrable.

Re:...but for how much do you want to sell it?

[October_30th]

We use a simple clay brick as our firewall. Makes our internal network virtually unpenetrable.

Nice one.

I have to remember that one when department's "security officer" gets all high and mighty again about how he's going to save our asses by installing yet another ineffective linux firewall (won't keep anyone out but will hinder my /. trolling).

"Hey Brad, why don't you use clay bricks instead? That should really keep the students from hacking my Excel exam result charts."

My way or the HIGHWAY BUB!

[aphor]

This is kind of ridiculous because it requres you to take the whole firewall down to make rule changes. Why not just blackhole all packets with the firewall's interface addresses as destination, and leave a local serial console with password authentication and idled running?

Alternately, this is kind-of a solution for embedded firewalls or something.. maybe for tiny flash-card bootable network probes (remember firewalls are routers and can be made to do nasty things too) that you boot and then eject the flash media...

Kings New Clothes, The Fantasy of Firewalls

[DonkeyHote]

lh raa srh dow m
xwa yjupr udxg
erx bdpix h pc d
tg lbnb hev g ib
pmg t gwnmy km f
ea sqt ucjd rme
vk vtqw lmglj c
o biaxo tisq dy
h kxp v b vqir qx
lhb rc tvrk ohg
ab edmo smdb o l
uj kmdfg b lg vo
t lwaf yde p o e l
oik fntbn mpjn
ax sdyb duy gyl
c xv dy hv lf jve
p aiej g b ogph y
rgph e d qf rn a p
yw t sjej hfelr
wmbf kpw l ebo u
vaqv kh mwkg mv
dhu qoopl tem m
jmd avkk p y ub r
ibul wmwn o a gq
ree nhmoh vd nr
xom f qh ectgl d
k jj m hyd an c df
ek if qwa fh fbx
bl bv cexu e ayo
a nm tgqqs m ghj
snae ikg cv w jh
dbcvs rqu kj ba
ho nmkyu u ny vu
lqn nt kttjo uu
wv mssx ltq p x n
h i svh g rruy jo
qu bj bcn y frmh
r rjlr to au eog
yck e wtmr lv bi
idk grqya bnt b
lvcu xqs npchb
of y lmbqs wx ks
rypht jq cd iw j
u xthe cg ixr tv
vtu ehfiw vbf n
fc dmh tdtuk bv
ah hmc gowm pt p
umlc e dpxw egw
rk m doa hc pucx
b tt tkia r vtba
t em xfrqi owjs
fan hmxl qlqvf
ltwi sfukh j lm
bwl dkw wttmm l
axq lwdl qnlf n
kf il ukrr gclu
fom us edthn nq
fvl pngoc f w qe
mvi wkvg daqc k
wtya nmucl y y q
foxn myjna uuy
j foxo b rydk yw
kftfi dpeg c ge
mjo ueiwm lbi d
q jy ul y nntw um
jw dfo ohsi hyk
dnq yf fpk cmae
idq hgiro kffb
ubmy rob c lldp
mtcb hmcr t nay
rb psbt kps lhs
y cmrgk trn qx n
wwx kr aktmd dc
anf oque ytrlv
o mpi eir yttv m
wtok eddfv l ga
g gxbp rwryh iu
q uqbue hura e s
er xn lnhhc ejr
r hjeaa l kb ajn
iu fwcg mufm mx
uc viddi egu rs
abl ctp oxnnw s
ru esj vusav nw
iuf ddfq bjs ox
i jhatg wjq gws
q qs l t ehdj f my
vjf q uul mbxm d
wbjt qfssn q p m
owem qqu nv onk
pw minq wk rxcm
x o ldy gau nglc
j vvsqp iklek k
hlhy hwa i fyys
mk rlbx v d xbe r
r hyn ka klnkx t
kn njwo rcl h th
m yyja u vqxa an
y fbdn nes yio c
ysa r xhku tf f r
wy pib usub x jd
w rkrwf vbs x p l
uayj jb h ppoka
wjb t ddq o kv er
d o ejrgy wqvao
qnvmv fk repm h
q p h koxqu mk rr
f u rlq mu k de xf
w qnf c uqb ottr
n f r r x x o q uofl
s rrdvp k joexo
vd xw td ojr vx a
r jycmh le fyid
cg hfbj l ls tos
ti jm vql sj tn a
q wb wme yf d jd x
ph rg xor mnopn
q f mt xwjyr g yi
xre ff leus gyw
u bsewe dovox a
u yfa j xhs aea t
cfmmx or tbrjs
cexid vmad uco
y qmo fus o gt tp
itl qhm uufk lh
wrg k veqyb lo t
kd txxsj cw gaf
ac x gskj sq x f e
gl mhcf ojerh n
etjo ykikl apc
od ktdd up gvob
wuk vg l xeir s a
vqf ay vyaju u a
ccsy p uoouh yi
jl l lpi slnub j
wrn lbxl tln kf
ib nipha y wn rw
k bvafr rhyp no
y gxqf sn flc bl
b xmd hcwl sqa w
agsn wvqyb m uh
ke qliay bncpf
rvn xqxg jns by
flf ogkh pxbn f
sx gefw up ttvl
qoya grv nsegt
c hom dkjwm h rh
fy jk poh vyrh k
ab r hjv h iwvg d
dpg twch ah i io
shw q fb naw ie o
o cfd juo wewmq
snn ndd r cnvd f
ffy gid bo nwow
h xge vjfal g rw
v ohn pasb onw x
up kt no xixnu d
fkw qf etysu yf
vqyj m kdy a my d
aqck s mj pymu u
ib wrlrv fmq gv
kkylu gjls j a f
wsmk dglr iatl
w xcact i jxa et
gxbct wxs kea c
j o xuudf q kloi
des qb w dbugn o
u w u slc yfys ms
n v tj bk dheyt l
fdo iuld vsmp n
u d q red fct rr u
bfn qqcy cqju d
gg v q ra nsk ic i
c frycn jlge fy
j jno vlmu h ut j
qo n uvuku uhmd
e yvts ajbw h bn
mbj qc vwubt om
hc lwbvj kuvmq
bity x bk nwd xb
q mr fekyf wi qf
rt mrndw e ajdh
k wu mdlnf ap ar
jxb jl qvs e ktd
i tpa r nrlir as
j snxr gcp g meh
jd p w iouv kiwo
i qqwgs ygcjh w
gd ttg v x jqj mm
x

Shaving my pubic hair

[October_30th]

That's right. I'm gonna shave my pubic hair tonight.

Just bought a pack of Gillette Blue II Plus "Ultra Grip" blades and some sensitive skin shaving gel.

Why use a whole computer?

[Waffle+Iron]

A cheaper, easier way to run a firewall without the OS is to plop down $40 on a Linksys DSL router. It gives you a 4-port ethernet hub, too.

I don't know how bulletproof they are, but they're a snap to set up.

Re:Why use a whole computer?

[EllF]

The LinkSys DSL Routers, while nice, are not perfect solutions. I run one on the inside of my network, and I've noticed that it passes along packets that I have not explicitly told it to pass. One of the features that doesn't seem to be touted these days is that it "senses" specific types of packets and "intelligently" allows them through. The trouble with this is that the router is not doing stateful packet inspection - it's just guessing based on port number. Not a *huge* deal for most people, but I most certainly would not trust such a system to be my primary border defense.

Cheap and easy, but not as good as the real thing. When it comes to security, I'd rather have a locked-down debian box that I built from source than a piece of plastic that I bought at Staples.

Re:Why use a whole computer?

[mozkill]

i was going to do this until i found out that i dont think it is capable of doing a "transparent bridging firewall" . it only supports 1 machine in the DMZ (demilitarized zone).

i think i am going to take it back and buy the SonicWall SOHO3 instead. It has a multiple machine DMZ.

Re:Why use a whole computer?

Because an old 486 can be bought for $5-$15, or just scavanged out of the garbage for free.

Those LinkSys "routers" are a joke anyway.

Re:Why use a whole computer?

[TheAwfulTruth]

And costs $5 a month to run. Full size computers are power pigs.

Re:Why use a whole computer?

Netgear is offering Statefull packet inspection on some of their hardware gateway/routers. I currently have 2 of them in place and they seem to work fairly well.

Re:Why use a whole computer?

[Nemith]

Nah. You could add another nic to the computer and plug it into a hub. With the right scripts you have have infinate amount of computers in the DMZ for a lot less money then the SOHO3.

Re:Why use a whole computer?

[mozkill]

that is a great idea. i know this is easy on Linux or BSD, but what if i wanted to use a WIndows machine? what software firewall would fit this sort of configuration? is there a open source project that could do this for windows?

thanks.

i will probably still drop the $400 for either the Sonicwall SOHO3 or a Netscreen 5x but I want to entertain your cool idea.

Re:Why use a whole computer?

[macemoneta]

LinkSys added stateful packet inspection in a recent firmware update (listed as SPI on the configuration). I havent't tested it, so I can't vouch for the implementation.

Re:Why use a whole computer?

[wavelet]

I have a linksys BEFW11S4 the one with the wireless access point with the 4 port switch and it does stateful packet inspection.

nobody said that you can't use two firewalls... and create a real DMZ... personally a firewall with three NICs can't create a real DMZ... if you compromise the "outside" interface, you've compromised the "inside" as well...

firmware 1.39.2 and up supported stateful packet inspection (SPI)... you just have to enable it in the advanced tab... its got integration with the pc host based firewall zone alarm as well as virus protection pc-cillian...

I tested out the SPI using nmap SYN/FIN/UDP scans inbound and outbound.

checkout: EvanC's Linksys BEFW11S4 Site

from the linksys FAQ for VPN:

Q. What is Stateful Packet Inspection?

A. Stateful Packet Inspection (SPI) is a technology used in firewalls which instead of simply hiding an IP address from the internet, will look at each individual packet for information such as its source and destination addresses and protocol that is being used, in order to take certain actions based upon a set of pre-established criteria. SPI can be used to prevent DoS attacks, since the contents within the packet are known.

More on logging...

[Elequin]

Couldn't one simply also remove K88syslog from /etc/rc.d/rc0.d/ and log all messages to a remote syslog server?

This is a really neat idea, although I imagine still not practical. To make any configuration changes, it'd be a pain.

Re:More on logging...

[$0+31337]

Sure... Remove K88syslog and lemme know what happens when killall runs... "No Running Processes"... Hmmmm...

Re:More on logging...

doesn't remote logging require interfacing the /dev filesystem?

w/o anything mounted, this would be tough

More Secure Solution

[davidu]

A much more secure solution would be to have a firewall with no IP addresses.

Memoirs of an Invisible Firewall

Using OpenBSD (and linux could work too) it is possible to create a bridging firewall with no IPs that simply scrubs packets as they come through the interface.

One could always add a dialup modem to the machine in case remote access was neccessary but when you have two nics neither of which have IP addresses or running services it makes a machine a whole hell of a lot more useful then a linux machine in halted mode which could EASILY run into weird memory/timing issues. (which the author didn't bring up)

-davidu

Re:More Secure Solution

Why did this only get a 2?

Re:More Secure Solution

I'm sure someone else referenced this, but I'm lazy and didn't read all the posts. see drawbridge: http://drawbridge.tamu.edu/ It's a bridging/firewall FreeBSD distro.

Re:More Secure Solution

[ADRA]

Invisible or not, your kernel is still interpreting the packets through the kernel just as before. All you are stopping is:

A. Bad services from being exposed externally, which shouldn't be the role of the firewall anyway.

B. Stops bugs in a NAT server from happening (potentially).

The idea of an invisible firewall may "seem" like a "cool" idea, but in reality, if you see the bow you are hacking or not, it is still there.

Can someone please tell me another difference between an "invisible firewall", and a host with no services and ICMP externally?

PS: How do Invisible Firewalls have PMTU lookups, or is it "assumed" that it will never be a problem?

Re:More Secure Solution

If it doesn't have an IP address, it is only accessible by MAC address. Put a router on either side of it and there is absolutely no chance of someone haxoring it unless they patch into either it or its switch/hub (if it is attached to one).

Re:More Secure Solution

[kesuki]

Interesting, but one thing I was wondering is does it protect you if you use a cable modem? I've been having a lot of problems with security on my cable system. My box continually is being hijacked by a some hackers that seem to trace back to a DNS/hosting provider for spammers.
If cable modem users are unable to connect via ethernet addresses then I will probably run my firewall in an invisble mode the next time I clean install it.

Re:More Secure Solution

no need for nat behind the firewall makes for a quick transition moving stuff from one side to the other of the firewall.

logging...

[painkillr]

If the filesystem is down, then does this mean that logging is halted?

Or could you re-direct the logs?

Best way I've found for secure firewalls...

[Macphisto]

At home, I run two servers - one inside the firewall with NFS services and so on, and the firewall itself, which is a self-sufficient machine except during boot, where it netboots from the NFS server. After that point, its two NICs are only used for routing packets. All administration takes place through the serial port, which init respawns /bin/sh onto. The system runs off of a ramdisk loaded during the netboot. I've found this to be a nice solution, and it rules out any possibility of breach since the machine is only accessible through a serial port hardwired to the server - ethernet interfaces are configured to only route packets.

Re:Best way I've found for secure firewalls...

[aschlemm]

You can do it with one server and two NICS. I found it relatively easy to setup a system that acts both as a firewall and file/print server on my home network. I don't really have the room to have two separate systems so all I did was setup some firewall rules that blocks access to any and all running services on the box on the external network interface I have connected to my cable modem. Access to all running services is allowed on the second interface which is on my private network.

This gives me a pretty nice system that protects my home network and is flexible enough that I can share files and a laser printer with my other client systems on my network. It also makes it easy to do any maintenance on my system since I don't have to dig my way to the system as it sits in a small corner in a downstairs den. About the only time I physically touch the system is if I'm installing a new Linux kernel or opening the case to give the system its once a year dust blow out.

Why _I_ use Linux for a Firewall

[DonkeyHote]

ncs oxr os bfe
mb bcjk foi ku
ab brlcf kp bt
lva kjeq rc n h
ily npclw pr y
gwua tqjlq kk
v hdeht iraeb
rwhkg bdty pk
ka h ydkdd kla
edebw etx wwp
s qswpp hpra t
gaf ulj drqns
kgay jbsbe t w
o ab w bi vo t jl
mpg b xkw xboa
yygi bcerd d j
mrjf mwq k wui
i cdli msdwc w
uw lch c ykgn s
oi dhy wgupd a
yg vkl cys sdt
vvgxo pkeo or
k wwv td pybjk
fstm xubgr ng
yi nvg y vfgs n
nbso abj eli t
xws kxa ej joc
i rvdmm opaqu
kdamw gq nfr o
rix p dkc jtmt
d kgdk solsc u
epi hjlnp ecd
i e ej ubvgo yy
l bk u vdln h vv
w wkius d wndi
n luq nyd iygk
v jgh gmju gro
mw h nfnwr iao
be qos lld csn
c c eao uucn bx
c loipc uugv h
glyj hyb yeai
r w ados yjk wh
jbp kvy o sxd k
ua wnkx lrre d
sscy ulg dkl h
s uyf wkfqw ig
ww uamck rjy y
dlkh c uo vddc
i pymtg fhfyt
vedhy ucr no d
tuw h wjbcv uo
kv alpgt vfdm
u bul anhp pi y
yoa jghs mqpb
c et cgi rimy h
nltw fukb je w
gvjd e tmvia t
w k e xmnu enmp
r fmhc jbn udf
i ijd wv aytp u
k ophvp am n lx
uf i bffxp dwa
aq ih hmi ux rg
fi d cm mnv xyt
g iyjpp u vchk
u kapge hfi ui
wdc whaf fkdn
vrfcj afc uju
p nfhv ms r tnq
ib o ly ka fws j
qqt n ubki c js
ew hvs o e e vne
ahc adssb q kd
e slii v dxadq
jk ahl l jj ixj
m lnon wdeq yi
mo alvtj ofjg
o ldvb vcbtd u
yfu gqfg yjof
jderq qv tfn x
os qtbgy qc mt
qi u puoy w tk f
xa ogx sg lev j
lf l qf ybu qsp
lu eqwap abjf
n r px n vgbb uw
xm pmq qxkg ah
qjp ic b fps uj
ru b ifsce de e
sc j o agqnf p u
lko mwj syv po
pq td hub sg bm
fh s uuvy neve
r htj er nitph
qexbe anl gec
x trfc wk whys
mse rn cymv gr
j eqwyv ye kxy
hv ycfg hu rw p
qfl f qsbgg a y
oee jfld deiy
u oml cfpym qc
xw u hr f a k ahv
v ww dhbo sdh h
gpip vqmld qp
j m blm dtue ay
ry vh mcxk n mx
uec mb dacbw f
dsvy xhs tbqi
afuud cy ywvg
afuer ntue np
xf fvhuo jjat
q wtavs xnjm t
e rdil hyb ja f
jqf e qdvi le n
bmc klqmq wgf
v k ke q b nkdeb
ht lib rau mle
d tuqjc xs vb t
wuew cyx o wkj
j menkv b u ibr
epr ieq ksbb t
uqs g t tl n bka
i nhsd qgi vn x
gwp oxmpk yk w
etbc rt lvq ms
ia rljk hab gr
sw d wgtct df f
av gg j et r ttr
h kmsc ppv k uy
m gwpli qqq e w
obh gvv dpqt g
vene gvdqh ru
mq vwsiu m jqa
de h viwcn xvw
bp lh ll weopr
i wunu jaul na
o jjf gdts gxv
uhma xjt l x tb
ycjgx dmpvd r
w q qon tjxl ed
bulp tgy w woi
f y mfwho cjgn
kroip yoet mt
pc jppwb hh wc
n sh ghq tyuwu
uvygk jp psef
ive hhb k t jmo
ywc us aov gwu
g hqmm ixopc p
cmku y r rc ewm
x py kvgk wop k
nc jiid pqai l
c rsccx fkpkh
eeut bkfx lm a
e cs wluyi nxp
o a eee afcmf u
to wati ige vm
ncjks a eyb rm
hyk akyop uyh
su kqwf vaw lj
wp imfr jfhq y
ml fhgl bfqa j
n l qaqy uorxl
hwvb oon ukfq
i ask qfr aacq
d uk virl bmik
i r awwkn jwlx
g sjunl n o l q a
bef hqlvq gvk
m lbko nilfs h
v abf foxaj i k
o pp xg ys ckkx
p d bpdd vftjm
g ymns nklgk q
u v avd mfdq rn
dl vanr ypnc c
uxwwk rkd lk b
ym foi bjp mbm
oija m hsr w vc
nri fhx er bft
g hos jox ye ey
bl erqjl ce rq
rwg yvrcd qbu
qg simr h sbgi
e aimc t scyix
affk y bxlg qm
c m bfqlt bdbm
h

Most Secure OS

[Ironfist_ironmined]

You seem to be ignoring the security you get wiuth Connectiva

[http://securityfocus.com/vulns/stats.shtml]

Re:Most Secure OS

Conectiva is just typical a GNU/Linux distro.

who would use a linux firewall?

[zendeath]

when there are better solutions out there?

Re:Logging? - syslog

There's no syslog running anymore.

Dumbass.

Re:Logging? - syslog

You can't have syslog running in runlevel 0.

Why run an OS at all?

[Mignon]

Now that you've read my provocative title, I'll tone it down a bit:

There have been some great comments to this article (which I haven't read) but I got to wondering: if you're going to run in a sort of comatose state where your only ability to change the system is to reboot it, why bother booting in the first place?

My idea was to use the Linix BIOS or something similar, and run your packet filtering from there. Then you can forget the hard drive and floppy (though you'd probably want that floppy to be able to flash your BIOS with updates and the like.)

Does this make sense to anyone? Or is there something I'm overlooking like maybe that while running as a BIOS, Linux wouldn't be able to talk to the network interfaces, say?

I guess if you're going to go to that kind of trouble, you might as well have an embedded system, or run from flash RAM, as others have mentioned. Still, it's always fun to get hardware and software to do things beyond what they were designed to do.

Re:Why run an OS at all?

LinuxBIOS is a full linux kernel, just loaded from flash ram. You're still running an OS.

Re:Why run an OS at all?

[mmurray]

Makes perfect sense to me... =)

The only thing I'd like to say about this idea is that it's not accessible. The thing I liked best about the ease of doing this on RH is that even a junior SA could perform this task with relative ease.

Flashing BIOS with specialized code is a more difficult task, and probably isn't something that your average admin is going to undertake (especially for a specialized project).

My $0.02 on this one... :)

Re:Why run an OS at all?

[Webmonger]

You have to run the userspace tool ('ipchains'/'iptables') to configure the firewall each time you boot.

Halted firewall vs bridge

[chrysalis]

This is roughly equivalent to a briding firewall with no assigned IP address. No one can ever connect remotely.

A bridging firewall as the advantage of still being administrable from the local console.

Re:Halted firewall vs bridge

[mozkill]

i think the SonicWall SOHO3 can do transparent bridging with multiple DMZ's. does anyone know of a cheaper product that can also do this?

Re:Halted firewall vs bridge

[drodver]

Any OpenBSD installation.

Re:Halted firewall vs bridge

[mozkill]

thanks for your answer. i found that the following two products will do what i need:

SonicWall SOHO3
Netscreen 5x

both cost about $400

Re:Halted firewall vs bridge

[bfree]

It's about choice, you can run your bridging firewall with no assigned IP address halted! It's not about how to do it. I thought about just running the kernel on a firewall device I may be designing (which is basically the same is it not). I pictured (possibly) a device that booted up and grabbed a kernel from a trusted network if it's present and reboots with it if it is, if not it is left with nothing but the kernel running (some oddities I had noticed in audio and networking had left me certain a lot could keep running). Call me mad but I envisioned hard coding the iptables into the kernel (I'm still not sure I'd actually run anything on the box, I would like to just run the kernel but that makes the updating more hackish). Whatever you want to do this is another way to secure the system (if it's appropriate for you).

Re:Halted firewall vs bridge

[mozkill]

well... it turns out that the SonicWall SOHO3 and Netscreen 5XP both cannot do DMZ (which is required to host some credit card processing capable servers) but I think i may get the Netscreen 5XP because it DOES in fact support "transparent bridging" in its full fledged glory.

it seems they added the capability to demonstrate to customers that there is no load difference in using NAT verses straight bridging. I verified that the SonicWall CANNOT to transparent bridging... this is important.

Hmmmmm TUX?

[TrebleJunkie]

Hmmm.

I wonder if you could keep enough of the filesystem up to run, say, firewalling and TUX. (TUX *is* a kernel-resident www server, correct?)

If so, that's a neat possibility. Serve web pages off a machine runlevel 0 machine.

I use LEAF/LRP based routers a lot, I'm going to fiddle with one of them and see if I can't get them to run halted.

Re:Hmmmmm TUX?

[Make]

complex kernel bloat as kernel-based web servers tends to have the security holes you want to move away from when killing all processes...

moving userland code to the kernel does not improve security, worse, the code is now running as root instead of your favorite apache user. killing processes like login, sshd, syslogd etc. does. (ok you can argue about killing syslogd improving security as you can't read any log files anymore)

Re:Hmmmmm TUX?

[stepson]

No, you wouldn't be able to. As init moves through the run levels, it umounts the disks, so I don't know where you'd get the data to serve web pages from ...

Really, all this discussion is insane. Just run OpenBSD, don't do anything stupid, and you'll be just fine ...

Re:Hmmmmm TUX?

[Stochi]

well, technically speaking you could remove the script that umount's the mounted filesystems. i'm not sure how the kernel would see the filesystems in the halted state, but it might be interesting to find out...

Re:Hmmmmm TUX?

[stepson]

You could do that, I suppose. But then you don't have any way to correctly shut down the box, and since the disks are mounted, you run the risk of data corruption ... this whole hack, while interesting, doesn't seem like it would really have much value in the real world.

Re:Hmmmmm TUX?

Well, you could, at the extreme, just
write the pages to be served up into
the kernels source code. Of course, then
to make any changes, you not only have
to take the box down, you'd have to compile and install a new kernel, too.

ahh

[IAgreeWithThisPost]

another cmdertaco-less article

Re:ahh

Yeah, except the 'anti linux' posts are usually manipulative lies and dont really have much to do with reality. Why not go jack off to your fucking revolting picture there on your user info... I was hoping for porn. What a bunch of shit, no pun intended... definitely a loser, you.

Re:ahh

[IAgreeWithThisPost]

i was referring to cmdertaco, the page widening troll. Please check my spelling. Thank you.

But NetCraft confirms: *BSD is dying...

...so what do I do? :-)

Re:But NetCraft confirms: *BSD is dying...

[Duck_Taffy]

Utter hooey. If there are enough users, it won't die, and if you become a developer, it has an even better survival chance. Plus MacOS X is BSD. Since Apple is paying full-time BSD developers, and now you have other Mac fanatics picking up projects to help out, it's not going to die.

I already know this

In fact one time my gateway machine crashed and I didn't notice it until I tried to check my imap box there, it didn't had a squid proxy at this time, so I continued sufring with no problem. The total time since it crashed was about half day.

It was a linux 2.3.x linux box, but I didn't try to reproduce it again.

Just as long as it's not "More" than a "Feeling"

[ringbarer]

Paradise Lost peaked with the Icon album, although some would say their last good one was Gothic.

Discuss.

Did this accidentally once....

[ManualCrank+Angst]

I had my server running the firewall. Needed to format a floppy. dd if=/dev/zero of=/dev/hda.....Oops. Say, honey, you better check your email one last time and then I'll reinstall the server.

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:


What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:


What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

Re:Did this accidentally once....

[Dead+Penis+Bird]

AL GORE DID NOT CREATE THE INTERNET! It's a ridiculous liberal myth.

Everytime I see this fabrication, I want to vomit.

Let me quote Richard Wiggins from the peer-reviewed journal First Monday:

What Gore Said

Although Al Gore never claimed to have invented the Internet, he did discuss his role in Internet development in an interview with Wolf Blitzer of Cable News Network. The interview took place on March 9, 1999 during CNN's "Late Edition" show. Specifically, what Gore said was "I took the initiative in creating the Internet."

A cynic might observe that "creating the Internet" and "inventing the Internet" are tantamount to the same exaggeration. But let's look at the entire quote in the context of the colloquy with Blitzer. Here is Blitzer's entire query to Gore:

BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

Clearly, Blitzer is asking Gore to offer an explanation of how he differs as a politician from other politicians in general, and his rival at the time, Bill Bradley, in particular. Here is Gore's entire response to Blitzer's question:

GORE: Well, I will be offering - I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

During a quarter century of public service, including most of it long before I came into my current job, I have worked to try to improve the quality of life in our country and in our world. And what I've seen during that experience is an emerging future that's very exciting, about which I'm very optimistic, and toward which I want to lead.

Mr. Wiggins observes:

Gore's recent statement that as a member of Congress he had taken the initiative in "creating the Internet" drew hoots of laughter, especially from Republicans. Gore has long been a promoter of the Internet, but he didn't invent it. Trying to keep a straight face, Senate Majority Leader Trent Lott quickly issued a news release claiming that he invented the paper clip. This was not the first time Gore has overreached. A year ago Gore told reporters that he and his wife, Tipper, at the time when they were college sweethearts, were the inspiration for the novel "Love Story." That came as news to the befuddled author, Erich Segal.

The editorialist saw the Internet statement as part of a pattern of hype, of Gore overstating his own accomplishments. Like Lott, other politicians saw Gore's statement as fodder for ridicule. Dan Quayle took up the bait, quoted as saying, "If Gore invented the Internet, then I invented Spell-Check."

So, before you stupid Liberals and Democrats start taking credit for the Internet, just remember, It's not true!

noway! syslogd is a user-space daemon

[vincentchan]

it's not working

better still..

[Hooya]

is the system i have at home. i look at each incoming packet on paper and then pass it on the the lan if it looks legit. the only way to punch a hole in the firewall is with a shotgun at my belly..

Re:better still..

[Jester998]

Hmm... I'm guessing that this isn't a stateful firewall, then? :)

Re:better still..

[gaudior]

Sure it is. He keeps the packets in file drawers and stuck on cork boards. They are organized so that he can compare new packets with old ones, using v-grep.

Re:better still..

Remind me of the pigeon RFC, in that kind of config it could work.

No swap, who cares?

[nerdsv650]

The other consideration is that with drives unmounted, all swap space is removed from the machine. This shouldn't be difficult in a machine that is handling even large amounts of traffic, given sufficient amounts of memory. However, in an older machine with fewer resources, it is possible to experience performance issues with extremely large amounts of traffic.

I'm missing something here, is the linux kernel now pageable? If not, how is lack of swap an issue?

-michael

Re:No swap, who cares?

[Stochi]

the firewall rules and other data structures required for the TCP/IP stack in the kernel all require various amounts of memory. with no swap, it would be possible to completely run out of memory given a sufficient amount of traffic going through the interfaces. that's when things get nasty.

i'm thinking though that it would take quite a bit of traffic for even a modest machine to have problems.

Re:No swap, who cares?

[nerdsv650]

My point though is that all these data structures are in KERNEL space and in Linux KERNEL space is not pageable thus swap is not going to help with high memory pressure situations. Unless I'm mistaken the only UNIXish kernel which IS pageable is AIX.

-michael

Re:No swap, who cares?

[Stochi]

ahh.. ok.

... and i didn't realize that AIX's kernel would page out. interesting ...

Old news

[pHalec]

Bah, I've got an old Pentium with some faulty memory that crashes on a regular basis.

It's been reliably packet-forwarding for me for over a month with a kernel-oops on screen.

Re:Logging? - syslog

[JimR]

As other people have pointed out there will be no
syslog running in runlevel 0.

I guess you could always run the video out into
a VCR... or use a serial console and a line printer.

*** Linux boxes at Runlevel 0 ***

Imagine a Beowolf Cluster of THESE!!!

Re:*** Linux boxes at Runlevel 0 ***

[xnyx]

sorry I can play right now, im too busy trying to figure out how to get a beowolf running at rc0

how does that work?

[ethereal]

Maybe this is a stupid question, but on all of my boxes, after I run shutdown -h and all of the killall scripts are run, it runs S01halt, which then calls either halt or reboot. This either stops the processor (soft power down) or else reboots the thing. The author didn't mention how he avoided this problem in his efforts - if you want the box to run in run level 0, you have to also disable the script that runs at that run level that shuts down the machine. Otherwise your machine really will be halted and there won't be any firewalling going on. Or more precisely, everything will be firewalled :) Did he not mention this problem, or did I just miss it somehow?

Assuming that this works, I don't see a whole lot of advantage to this over just using a firewall that's booted from a read-only floppy firewall distribution. Except that if you could come back from run level 0 (not sure if you can or not) then you could remount the disks, make a change to your firewalling rules, and then return to the halted mode. That might be a minor advantage over floppyfw systems.

Re:how does that work?

[grnbrg]

Maybe this is a stupid question, but on all of my boxes, after I run shutdown -h and all of the killall scripts are run, it runs S01halt, which then calls either halt or reboot. This either stops the processor (soft power down) or else reboots the thing. The author didn't mention how he avoided this problem in his efforts - if you want the box to run in run level 0, you have to also disable the script that runs at that run level that shuts down the machine. Otherwise your machine really will be halted and there won't be any firewalling going on. Or more precisely, everything will be firewalled :) Did he not mention this problem, or did I just miss it somehow?

You mean the part where he mentions the need to edit the rc0.d scripts, to stop killall, network, and ipchains from running? So that the needed services survive the shutdown?

It's not a case of ust configuring your firewall, and running shutdown -now. Some tweaking is definitly required. But it's an interesting idea....

The teklling part is that the target of the article is a 2.2 kernel with IPChains. I'd be much more interested in knowing if this is possible with a 2.4 kernel and IPTables....

Brian Greenberg

Re:how does that work?

[ethereal]

He removes killall, ipchains, and network. However, it is a separate script (S01halt) that does the processor shutdown. So either this is different on his distribution (unlikely but possible), or he just forgot to mention it, or there's something more complicated going on here that I'm not quite understanding.

Re:how does that work?

[autocracy]

Common mistake in kernel compiles: exclusion of certain APM features that are taken for granted - including the one that actually does the power down. Unless you get the power cut, kernel level code still executes. Therefore, it's a slightly tweaked kernel.

So what about the removal of the scripts? That doesn't have anything to do with the box shutting down, but rather turning off the ethnet interfaces. Also in Redhat, the IPchains kill script flushes the chain. So we disable it. I do disagree with his removal of the killall script, but that's another story for another time.

This is all explained 2/3 of the way down the page. Enjoy!

Re:how does that work?

[camelrider]

Many older mobo's (chipsets?) don't shutdown power on OS shutdown. The AT board on which I'm running a k6-233 requires manual power-off.

Re:Just as long as it's not "More" than a "Feeling

[October_30th]

I was a Paradise Lost fan in the early 90s, but then lost my soul to the industrial sound of mixed machine sounds and the good old grind.

I bought Host and Believe in Nothing just out of curiosity. I had never heard the new PL sound. Host wasn't that good (Behind the Gray was perhaps the best track), but I really like the latest CD. They've toned down the "Depeche Mode" sound and the lovely riffs are back.

overkill?

[anthony_dipierro]

If your data needs that much security, you shouldn't have it connected to the internet in the first place.

Those riffs *grin*

[ringbarer]

I DO miss the old Academy Studios sound though. Did you know Academy, as it was, isn't around anymore? It was a lovely studio - with the staircase lined with old vinyl. My own band recorded there a few years back! :)

The studio has been moved to either Mags' or Keith Appleton's house now, and has taken the big step onto digital, which ain't too bad. (Our new album's been done digitally, at another studio, and our battered ears can't tell any difference from a purely analogue setup.)

Metal!

I am somtimes amazed

[thunderbee]

...at the ability of some to (re)discover very mundane things. Even not halted, just booting up the kernel into bash instead of init provides an excellent level of security. It's been standard (at least for some people I know and me) practice for years! We even developed a linux firewall (in beta right now) doing just that.

The kernel itself is not swapable

The other consideration is that with drives unmounted, all swap space is removed from the machine. This shouldn't be difficult in a machine that is handling even large amounts of traffic, given sufficient amounts of memory. However, in an older machine with fewer resources, it is possible to experience performance issues with extremely large amounts of traffic.

This is shit, the kernel itself is not swapable, never ever is going to be any part of a monolithic kernel in swap, at least without it being a little less monolithic.

And by the way you don't need huge amounts of ram to route traffic, with 16Mb you have almost enougth to route a satellite link (high speed pipe, very high latency), and I'm pretty sure you can route with only 4 megs (and a 386sx12), been there, done that.

The rest it's ok, and true, but I managed to know it by watching a crashed kernel route & NAT a network (it was a 2.3.x dev. version).

Performance? Swap space??

[non-poster]

The other consideration is that with drives unmounted, all swap space is removed from the machine. This shouldn't be difficult in a machine that is handling even large amounts of traffic, given sufficient amounts of memory. However, in an older machine with fewer resources, it is possible to experience performance issues with extremely large amounts of traffic.

1. Does the kernel swap out stuff like routing tables or partial packets when it's packet forwarding? I don't think so, so having no swap space should be a non-issue.
1A. If it does use swap space, can't swap space continue to be mounted when the machine is in this state? Swap space is an extension of memory, and if the machine goes down, it doesn't really matter what's in there anyway.
2. An older machine will have performance issues with large amounts of traffic. This doesn't have anything to do with swap, though: it's based on CPU speed, and maybe a little bit on memory bandwidth. Then again, if your connection to the outside world is fast enough to saturate an "older" computer, you must have one hell of a connection. (I think a 486, doing nothing but packet filtering/forwarding, should be able to keep up on a T1, no sweat. Probably even on 10Mbs ethernet.)

*BSD's securelevel combined with chflags ...

[gd]

... can achieve almost the same thing.

man securelevel
man chflags

hm....

This sure brought up an intresting idea
what if one was to combine both methods
(transparent bridging) and halted state
firewall in one device.

Hmmmm.........

AP

SunScreen...

[Psarchasm]

SunScreen has been doing this for quite some time.

Read about it here

2.4 kernel?

[uslinux.net]

So the obvious question: how long before someone attempts this with the 2.4 kernel and IPTables?

er..

[einstein]

I had my firewall's IDE controller go up in smoke, but the Linux kept chuggin' along. I couldn't log in or do anthing to the box, and the display was full of errors, but it still was routing for the rest of the network. now that was security.
---

Re:er..

[SomeOtherGuy]

Yea -- same thing happened to me...the disk fried put the firewall kept routing packets for 2 months -- granted I was running a remote syslog -- if the syslog was local, I am sure it would have halted at some point. The only way I found out about it was when I telneted in to vi a conf file and it would not save!

Re:er..

[jareds]

Yea -- same thing happened to me...the disk fried put the firewall kept routing packets for 2 months -- granted I was running a remote syslog -- if the syslog was local, I am sure it would have halted at some point.

You're mistaken. Even running a local syslog, a disk failure will not prevent the kernel from routing packets. I know this empirically :)

But...

[Klowner]

Then how would I telnet to my firewall from school?

*dodges flying shoes*

;)

Klowner

Re:But...

Why the hell would you use telnet on a firewall? Anyone with a sniffer can see your raw, unencrypted password.

OpenSSH.

It's funny that you got modded as "interesting" despite your blatant disregard for security.

Re:But...

I am pretty sure he was kidding, jackass.

Did you see the ;)???

Solving the rebooting "problem"

[vrmlguy]

There seem to be a lot of comments along the lines of "Yeah, but you have to reboot to change the config, and that takes down your firewall". I see this as an opportunity, not a problem.

As the article points out, the kernel continues to run when halted, so the first part of the solution is to signal the kernel to transition out of run-level 0 in a safe way. There used to be ISA cards for debugging that had a push-button at the end of a cable; when pushed, an interrupt was triggered to invoke the debugger. I can't see any reason why the Linux kernel couldn't be patched to watch for that interrupt while halted and restart the boot process, say from the point where a boot disk is mounted. The second step would be to modify the init.d scripts affecting the IP stack to abort if the NICs are already configured.

The end result would be a firewall with a button that, when pressed, would cause the system to "wake up" and allow configuration changes to be made. When you're all done, just do another "init 0". To guard against forgetful netadmins, you may want a watchdog process that also does an "init 0" fifteen minutes after the system comes up.

I can't see any show stoppers to this idea. What do you think?

Re:Solving the rebooting "problem"

[lkaos]

Or one could use the MagicSys keys built into the kernel and simply use a standard keyboard :)

Re:Solving the rebooting "problem"

[Jon+Howard]

If that's your goal, and you don't mind hacking the kernel a bit to accomplish the trick - why not use the ATX soft power? It wouldn't require a specialized debugging isa card, just an ATX board and power supply.

Re:Solving the rebooting "problem"

[cgleba]

Just kill every process except init and unmount filesystems.

Bind "init 3" to a key-combination in inittab and voila!

I'm pretty sure it will work however I have no interest in testing it.

Re:Solving the rebooting "problem"

[vrmlguy]

Why not? Mostly because I've been around long enough to remember using ISA debug cards. In my dottering old age, the soft power switch (and MagicSys keys) slipped my mind. ;-) Actually, I did realize that there were several ways to acomplish the goal. One that I didn't mention: Since the kernel is (I think) sitting in a spin loop, you could probably have it polling LPTBase+1 watching for someone to short the NOPAPER pin on the parallel port.

How about more security through obscurity?

[nickyj]

Why not lock out all new processes and only allow login at a specific time? Say for 2 minutes at 12 past the hour you can connect to the machine to make your changes, new processes won't be killed, at all other times all new processes (that are not essential) are terminated at the kernel level. That's better than a solid state firewall and loose anytime access firewall.

What a waste...

[IAmSancho]

That's a tremendous waste of a computer. If that's all you're doing, you might as well use a network appliance for a firewall.

Cheap rackmount solutions?

[iamsure]

Okay, so do anyone know of a cheap place to get rackmount 1U's, like, with just a pentium, network card and cdrom?

Take this idea, a cheap rackmount, a readonly boot medium, and you have a very very secure device.

Possibly the ultimate in security? :)

Re:Cheap rackmount solutions?

[Empty+Sands]

No, but that doesn't help you if your rule set is crap and your internal machines get hacked.

Furthermore, that doesn't help you if internal client machines are lacking the latest Microsoft patch and some user downloades an active trojan.

Security is a state of mind, but the state of some hardware. The only ultimate security is no connection.

Re:Logging? - syslog

[gaj]

no need for it. the fw is acting as a *client* for syslog. syslog would be running on the log server.

Rebooting Drawback - simple "revive" kernel patch?

[Laven]

The main drawback of course would be that changing iptables rules would be a painful process of rebooting and maybe 30 seconds of downtime (in an optimally configured setup).

There has to be a simple way to hack the kernel to "revive" from runlevel 0 with certain key presses locally?

If so, this would make another powerful method of running production Linux firewalls. IMPOSSIBLE to root remotely, and you can change iptables rules without downtime locally.

Interesting but...

[arget]

Wow, good comments.

If you wanted to do this, why not go with the bridged firewall solution instead? Any advantage this has over that?

I wonder if a beowolf cluster would be faster

maybe they should try to cluster their firewall. lol.

Correction

[mmurray]

Hi all...

As the author of the article being discussed, I wanted to point out one of my own errors. I discussed the lack of swap-space as a limitation to the setup; however, the linux kernel isn't pageable, so swap space would have no effect on the performance of the firewalling code.

I've had a few people point that out, so I wanted to post that correction publically.

Feel free to email me at mmurray@ncircle.com if you have questions or commments... :)

Mike

Re:Correction

not pageable!?!?! what!!?!?!?!?
what the hell kind of toy os is this?!?!?!?!?!?!?

Use hardware remote access

[ErikTheRed]

Frankly, with all of the discussion centered around administering a machine that's at runlevel 0 or fully stealthed with no IPs, etc., I'm surprised that no one (so far) has mentioned hardware-based remote access products such as Compaq's Remote Insight boards (many other server vendors have similar products).

For ~$500 you get a board that replaces your keyboard, mouse, and video controllers, has its own built-in ethernet adapter (that is invisible to the rest of the computer - it's dedicated to remote access) and an SSL-secured web server. You can completely control the machine via a java applet. You can even cold-boot it if it's in a hung state (and, of course, view any errors on the screen while the machine's in a hung state). Other features include a virtual floppy drive that allows you to copy data to and from the machine (you can even boot off of the virtual floppy). There's plenty of additional coolness; the only downside is that Compaq cards only work in Compaq Proliant servers, HP cards only work in HP servers, etc...

Re:Use hardware remote access

[xdice]

Those are nice cards. We've got 14 ProLiant's with those cards where I work, and they're nice.

The only beef I have with them, is that the remote console is simply a telnet port connection. Kinda kills the point of securing the box, ssh only, etc, when you have this card giving telnet access to the box. There's a toggle in the config to allow you to shut off telnet, but that shuts off console for the Insight card.

Re:Use hardware remote access

[prog-guru]

Check out the PC Weasel

It is an ISA or now a PCI card that does pretty much the same, and you telnet to it. It emulates a video card, has cables to connect the keyboard and to the power button header on your motherboard.

Re:Use hardware remote access

[Tassach]

The only beef I have with them, is that the remote console is simply a telnet port connection. Kinda kills the point of securing the box, ssh only, etc, when you have this card giving telnet access to the box

This is only a problem if you are foolish enough to put the management cards on the same backbone as everything else. The intelligent way to set up a system like this would be to have the management cards on their own, independent network. For the truly paranoid, you could have this network completely isolated from your "real" network. A more practical approach would be to have the administrative network hidden behind a well-secured and monitored gateway machine.

Re:Use hardware remote access

[ErikTheRed]

Actually these new ones work in either text or graphics mode, and use SSL-encrypted HTTP connections. All login & remote access stuff is handled via Java applets, which makes a brute-force attack considerably more difficult.

Re:Use hardware remote access

Yes, but that ethernet adapter can easily be comprimised by hackers if you accidentally connect it to the internet for internet-based remote access. So again, too dangerous and well, the ~500 price tag is also too expensive for my taste.

Re:Logging? - syslog

[funky+womble]

It's quite useful to log both on and off the box (even better if you set it up so the off-box logging is reasonably invisible on the firewall), and compare the logs between the two for differences.

I'm more secure

Cool! I just halted my BlackIce service. If I hadn't read this article, I would never have known that doing that would make me more secure.

Thanks Slashdot :) You rock. I don't have to worry about my hard drive shares being exposed now...

Funny. Mod up.

Funny.

You forgot...

You forgot to call him a dumbass.

why not use a stealth firewall?

...such as sunscreen?

A stealth firewall does not have an IP address -- it's a MAC-layer bridge rather than a router, and like the "halted" Linux box your firewall cannot be compromised from the outside world.

RFM

Eh, slippin' straw man.

[oGMo]

Of course mounting drives read-only, operating out of a ramdisk is still not as secure as this approach if you can afford a very static set of firewall rules.

And in addition, as others have said, you can afford not to log it, and if---just when you think you can "afford a very static set of firewall rules"---you reboot, you can afford network downtime. This sucks.

In this state, the system is incapable of even offering a shell without a full reboot. Once you give it the ability to offer a running process to hijack and potentially have a shell open, the read-only mount only lasts until the equivalent of mount -o remount rw is executed, and then all bets are off.

OK, now this is a kind of straw man and slippery slope. Just because you "offer a shell", doesn't mean anyone can get it. Running a getty off the serial port isn't going to be susceptible to remote attacks. Only stuff you put on the network is a problem. And if they've got physical access, all bets are off anyway. Just because you're running processes doesn't make you vulnerable.

All this being said, if you have a system dedicated to firewalling by itself, and you are worth your salt as a network administrator, setting up a tight firewall is child's play.

It isn't necessarily the case it'll be "child's play," but it will be possible. If you're not experienced, you shouldn't let this novelty solution lull you into thinking you're secure. Ask or hire someone with experience to help.

And if someone untrusted can get into your network and come over the trusted interface into your firewall, well, your network has a lot more problems than a less than perfect firewall.

"And if you're screwed, you're screwed." Duh.

More secure...?

[st0mp]

Aren't we forgetting the most important security feature of a firewall...? There's no logging! This is fly by the seat of your pants security if you ask me. You gonna hang a lucky rabbit's foot over the thing?

Re:More secure...?

[SagSaw]

"There's no logging!"

Not necessarily, you can have a machine running a sniffer/monitor on either side of the halted firewall. On the inside, it would only log anything that made it through the firewall, but would be protected by the firewall. On the outside, it would be able to log any attacks against the firewall, but would itself be unprotected.

Re:More secure...?

[gaudior]

Please read the previous postings. As has been noted, there are several solutions for remote logging, including:

• Hardcopy on a parallel or serial printer
  
• Sending syslog-style data stream out a serial port to another computer
  
• Remote syslog facility
  

and probably others as well.

Re:More secure...?

[st0mp]

er... syslogd is a user space processes, and is exploitable. Holy just defeated the purpose of a halted system, Batman!

Re:More secure...?

LOL! That's so funny! Do you have any idea how useless hardcopy is? Try vgrep'ing (visual grep) through 500 pages of logs to find something. Your eyes will be bleeding before you're done.

Re:More secure...?

[gaudior]

Try vgrep'ing (visual grep) through 500 pages of logs to find something.

I have done just that. Sometimes, that's ALL you've got. If you've been rooted, you CANNOT rely on the rooted system, and you MAY be unable to rely on ANY attached systems.

Next time, think before posting.

Wait a sec...

[timdorr]

Isn't that kind of like Windows firewall?

I mean, they're always freezing to a halted state too

FreeBSD runlevels

[Fzz]

On FreeBSD you can get very similar security by going to runlevel 3. From the man page for init:

The kernel runs with four different levels of security. Any super-user process can raise the security level, but no process can lower it. The security levels are:

• -1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value.
• 0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
• 1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted filesystems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.
• 2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message ``Time adjustment clamped to +1 second''.
• 3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted.

-Fzz

Oracle Announces Unbreakable Halted Database

[IdleMindUI]

Can't Break it.
Can't Break in.

No dead trees solution

Instead of logging to the parallel port of the printer, you could send it to the serial port connected to a second machine through a null modem cable. The second machine could log all the input received from ttySx. The logging machine wouldn't even need to be connected to the network in any way, so it would be secure as well.

Alternative stealth mode

[pimproot]

An untouched TTL is not the core factor which provides stealth; it's the non-creation of ICMP time exceededs, which tend to originate from the router's IP address and thereby expose the hop. If these are silenced, few other clues to the router's identity remain. (well, let's ignore esoteric ICMPs).

WARNING: TTL was meant to be decremented to thwart a particularly nasty problem: infinite routing loops. If you ever notice a ever-wrapping packet count on the loopback interface, or a solid activity light between two of these dementedly configured routers, you might have just fscked yourself.

oops

[emmons]

What am I thinking? It's halted, you wouldn't be able to remotely log in to administer it. D'oh.

See what happens when you post right after getting out of bed?

This would work for an invisible firewall however, which is what I was thinking about when I wrote the above post.

Re:Most OT

somebody mod down this dumbass to -1.

Good idea?

We'll know for sure if the next iteration of Windoze continues to run internet connection sharing after BSOD....

compusa

go hit compusa and pick up a linksys, will ya?

Misguided

I have a weirdo-paranoid firewall/NAT-box running an ultra-stripped-down OpenBSD. I have put weirdo-paranoid security on it. The only open port is ssh, and you have to be inside my home network to reach it.

It would be a lot easier to crack the very few daemons (apache, etc) running on my Linux box on the other side (that the firewall routes) than to crack the firewall itself. I could imagine someone exploiting apache, getting ssh access to the Linux box somehow, and thus ending up behind the firewall.

At that point, the security of the firewall can be as good as it wants to (which IMHO it is), but the network it's supposed to protect has compromised due to the ports it DOES forward. Why would said cracker even bother to try to exploit the firewall (with one port open, mind you) at that point? To open up ports, perhaps, but he can just use existing forwarded services to do his dirty work.

Bottom line? Every sysadmin already knows this, but firewalls do not make your box magically secure. A secure firewall only goes so far.

Swap

[srichman]

The other consideration is that with drives unmounted, all swap space is removed from the machine. This shouldn't be difficult in a machine that is handling even large amounts of traffic, given sufficient amounts of memory. However, in an older machine with fewer resources, it is possible to experience performance issues with extremely large amounts of traffic.

Kernel memory doesn't swap in Linux. So, even if you could have swap space in a halted firewall box, it wouldn't be used at all

Real Secure machine?

[miffo.swe]

A strange but maybe working idea would be memory that you could writeprotect. I dunno if this has been done yet but it would make servers damn hard to hack if you could specify what memory can be written and not by hardware settings. Like a separate chip thats not interfaced to the processor but sits between memory and cpu and has an own interface for settings. A chip that just blatantly says no when anything other than read are passed thru to that memory adress. It should be very hard to brake the apps that was protected. Strange idea, strange and probably silly....

:))) LOL

Thanks for the laugh..

but...

[Syberghost]

It plays hell with your uptime. We all know that's more important to /. users than security, right?

Bonus points to anybody who does this and then submits an nmap fingerprint of it...

NULL Parallel Cable!

[Ominous+the+Forebodi]

Better yet, get a NULL parallel cable and connect it to another PC. Set up the other PC to log anything coming over the cable. Your firewall can then "print" the logs to the other system, without ever mounting a file system!

Can't use it, either.

[mfh]

Just testing my user id #56 really. :)

How can I do remote logging in a halted state

[Captain+Chad]

I've read nearly all of the posts on logging. Most people recommended using the firewall as a syslog client (to a printer, serial port, ethernet port, etc.).

I am unclear, however, exactly how this can be accomplished. Would we need to prevent another process from shutting down (like we did with ipchains and the network)? Also, how can one do remote logging to a serial port or printer when /dev isn't mounted?

I appreciate anyone who can explain the process and/or answer my questions. Thanks.

Shit!

I guess we didn't need those $60k Marconi and Nokia units after all!

BSD kern.securelevel

[nivedita]

If you're interested in this, also see FreeBSD's kern.securelevel facility. From the init(8) manpage:
The kernel runs with four different levels of security. Any super-user
process can raise the security level, but no process can lower it. The
security levels are:

-1 Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.

0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.

1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted filesystems, /dev/mem, and
/dev/kmem may not be opened for writing; kernel modules (see
kld(4)) may not be loaded or unloaded.

2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with filesystems by unmounting them,
but also inhibits running newfs(8) while the system is multi-user.

In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message ``Time adjustment clamped to +1 second''.

3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
dummynet(4) configuration cannot be adjusted.

If the security level is initially nonzero, then init leaves it
unchanged. Otherwise, init raises the level to 1 before going multi-user
for the first time. Since the level can not be reduced, it will be at
least 1 for subsequent operation, even on return to single-user. If a
level higher than 1 is desired while running multi-user, it can be set
before going multi-user, e.g., by the startup script rc(8), using
sysctl(8) to set the ``kern.securelevel'' variable to the required secu
rity level.

Re:BSD kern.securelevel

[Vexler]

A few comments:

1) At least from the way he is attempting to shutdown the rest of the system and leave the kernel running in memory, it sounds like he is switching from multiuser to single-user mode.

2) This is slightly different from using sysctl to set kern.securelevel in that, even at the highest level of 3, it doesn't dismount all the drives. With this approach, there simply isn't any drive because he'd already have dismounted/unmounted them all.

I'd be curious whether you can do exactly the same thing (again, not quite setting the sysctl variable) in *BSD.

Vexler

Re:Logging? - syslog

[gatekeep]

You know, this brings up some interesting points. I'm not quite sure anymore whether or not this'd work. I was thinking a serial line, but is /dev mounted at runlevel 0? I might just have to set this up and try it out. If I get a chance to do so soon, I'll reply here and let you all know.

MOD THIS UP!

[schroet]

MOD THIS UP!

Re:Rebooting Drawback - simple "revive" kernel pat

[aed]

If you bring the system down to runlevel 0, is init still running or is it terminated??

Perhaps it is possible to hack the 'magic sysrq key' code to either tell init to go back to another runlevel or to tell the kernel to start loading /bin/init again, thereby causing a 'reboot' of the system without actually reloading the kernel (and therefore no downtime)
Change the config, and then bring it down to runlevel 0 again.

That would be almost as safe as the original idea, because the sysrq function can only be accessed from the system's console, which is ofcourse located in some secured serverroom :)

Re:Performance? Swap space??

[mmurray]

Figure I should toss in some info here: note that I posted a correction below. Given that the kernel isn't pageable, swap space won't ever be an issue.

As far as CPU performance goes, I tested this on a 486DX/66, and I could run full 10Mb ethernet links saturated without any packet loss with a minimal ruleset (but running NAT [masquerading]).

Thought that might be useful info... :)

Re:Logging? - syslog

[Tuck]

No, it's still needed. By itself, the kernel can only log to its ring buffer in memory. To send kernel messages to a remote syslog server, you need klogd to grab them and send them to syslogd, which sends them to the remote server.

It's probably possible to add this functionality to the kernel, but it's not there now.

how

[Suppafly]

How does this work? It would seem like packet filtering would require a process or two.. how can you having it working at a runlevel which has no processes running?

Re:how

[CjKing2k]

well if you knew Linux's packet filtering (iptables(8)) you would know it's all kernel level and doesn't require a running process. the kernel doesn't even use up a PID like kjournald or keventd for the filtering. going into a halted state makes sure your firewall isn't doing anything else (like sshd or ftpd) that would compromise security, but of course you couldn't change anything without rebooting.

Other lame security ideas

[Xenophon+Fenderson,]

Security (especially security by obscurity) must remain useful and not get too much in the way of doing one's job. Using that criteria, running the firewall on a halted OS is pretty stupid. One cannot use the firewall for an IPSEC endpoint (key negotiation happens in user space). One cannot log events (also in user space). One cannot remotely administer the firewall (all in user space). These things are all bad in much the same way that obscure naming conventions are bad---they get in the way of operating and trouble-shooting the network.

While we're on the subject, another tremendously bad idea is using an interior light timer to control a physical connection between two servers (e.g. a bastion host uploading data to an internal server). The only thing this does is limit the window of opportunity to a pre-set (and predictable) time, while increasing the chance of interrupting whatever the connection is there for. Physical security hacks like this should be the last thing one does (after locking down a box, setting up encryption, etc.), not the first.

logging?

[einhverfr]

If you think that freesco has logging that could be more robust, try running syslog on a halted system ;)

Hrm, there is also SPARC

[clump]

Management is one reason I like SPARC so much. IE, connect a serial line to even a decade+ old Sun Pizzabox and manage via OpenPrompt. Even if the operating system is hosed you can still reach the OK prompt and reboot, or perform other tasks. Further, you can use the OK prompt to do network boots out of the box.

The Compaq cards do have an upside, however, in that the way you describe them it seems that you can foobar the 'parent' machine and still use the card. It does use power from the parent machine, so both SPARC's OpenPrompt and this card will be null if the host machine loses power.

I really wish x86 engineers would develop something similar to a server-class BIOS implementation. Don't get me wrong, modern x86 CPUs are great, but the BIOS has got to grow up.

Re:Hrm, there is also SPARC

[ErikTheRed]

Yes, you can continue to use the cards if the machine is 100% fubared (they have their own on-board i960 and RAM to handle remote access functions). They also have a port for an external DC power source (adapter included) (the older ones had on-board NiCad battery packs that had to be replaced every 2-3 years), so yes they do work even if the server is turned off.

On another note, most Compaq servers made in the last 5-6 years have what they call IRC - Integrated Remote Console. Basically, you plug a modem (or LAN-controlled serial device) into COM1 or COM2 and you can remote-control (text-mode only) and cold-boot the server (you have to do some setup from the Compaq System Utility Partition first).

The newest Compaq Servers have the Remote Insight functionality described in my last post integrated on the mobo. The only downside is that you have to purchase a software key to get the graphical remote control (text-mode is included with the base package), but that's still an improvement because you don't lose the slot (important for your 1U pizza-box servers).

Versus an empty "netstat"?

[PhotoGuy]

Why not just avoid starting all services, and verify with "netstat" that there's no processes listening.

If there's not a single process listening on sockets (shown by netstat), then only the kernel is around doing it's masquerading, routing, etc., just as per runlevel 0.

While it's a cute trick, why limit *all* your potential functionality (flipping on ftp for 15 minutes, to let a buddy upload a file).

-me

Thank you!

Than you for this wondeful troll. These are the things that make my life worth living.

pigeon RFC

[Hooya]

i was using that pigeon WAN for a while. but after a bunch of hawks migrated to my area it dropped too many packets. at one point i totally lost all connection. so had to give up that pegion WAN. besides it left a lot of fragmented packets near my network and was a bitch to clean up.

Why all the cards?

[Raetsel]

Or... you could just use one of these:

• D-Link DFE-570tx 4-port 32bit PCI fast Ethernet adapter
  Phobos P430 (same thing)
  Adaptec 6944a Discontinued model, cheaper -- still 4-port, still 10/100

  Or, if you're lucky enough to be playing with 64 bit PCI @ 66 MHz... there's the newer Adaptec stuff.

  Adaptec 64044 4-port 64bit/66MHz PCI fast Ethernet adapter

Not cheap in any case -- but it'll sure open up some PCI slots!

Now, to answer the Rick's "Feasible? Stupid?" question...

• Feasible? Certainly. These cards are basically 4 Ethernet chipsets put on one card. The Phobos one uses an Intel DS21143 setup, and can be addressed with generic Linux drivers (tulip.o) as 4 separate devices.

  Stupid? Possibly. Everything coming in from the internet has to pass through the bridge first, and thus pass its' rules. Nothing can directly address it. Pretty much perfectly invulnerable. The only real vulnerability would be a DoS, but that depends on the rules you've plugged into the firewall. In any case, it's impossible to directly compromise the firewall portion of the machine.

  Having the machine providing other services does mean, however, that if something is somehow compromised that your firewall is compromised too -- it's a risk you have to weigh yourself.

  Imagine you're running a webserver on the machine -- with a vulnerable CGI. Someone discovers this, and takes over what they think is "only" a webserver -- only to find they've taken over your company's firewall, too! Ouch.

Something worth considering though -- it'd make for less hardware, and it's something I find attractive for home use -- a combined worry-free firewall + home file server + seamless internet access... nice idea.

Re:Why all the cards?

[Rick+the+Red]

Or... you could just use one of these:

A clear improvement on my off-the-cuff nuts-in-retrospect idea, but I've found it much easier to mix different brands of network cards on my firewall. When you reboot, how can you be sure what was net0 isn't now net2? With 4 identical interfaces, the combinations are, well, 4! = 24, so you have a 1 in 24 chance that the system will reboot to a functional configuration? Help me out here, as I'm not familiar with these cards: is what I suggest a danger, or will it always come up in the same order?

P.S. I assumed readers could guess I was speaking of the home environment. If I were doing this for a business I could justify the expense of separate boxes; heck, I could justify the expense of new boxes! :-) Silly me, it's dangerous to make assumptions on /.

If the kernel is running...

... the system isn't halted. Basicaly this person just shut down all user-space daemons. >yawn

The same effect could be had using an inittab that only runs the firewall setup script at boot time.

Why not just use a bridge?

OpenBSD, FreeBSD, and even Linux can be run as bridges with full filtering, without having to issue the machine so much as an IP address!

IMHO, this is far preferable to running Linux in a halted state. Just as secure, and

So, let me get this straight

[zrk]

You don't run anything on your firewall that would allow anyone access to it except via the console (for reboots, etc).

Isn't that the whole idea behind a firewall in the first place? A box that doesn't run anything besides what's necessary to allow access through it?

Excuse me, but DUH?

Solution!

That does it! for $35 I can use my Dreamcast as a firewall. Just gotta get a cross compiler, some BSD stuff and I should be in halted mode on a CD-R in no time :P Oops! there goes my NAT. At least I won't get h4x3d cos they can't write to the GDROM

There, I just created one with 4 lines of shell.

[kcurrie]

Can you say "fork bomb"? I can:

coyote# while [ /bin/true ]
> do
> cat /dev/urandom > /dev/null &
> done

Just did this on my coyote box and it's still passing traffic and logging remotely. Here's an entry from my syslog server:
Feb 8 19:14:54 hades kernel: VM: killing process cat
Feb 8 19:15:47 hades kernel: Packet log: input DENY eth1 PROTO=17 10.34.64.1:67 255.255.255.255:68 L=328 S=0x00 I=15781 F=0x0000 T=255 (#22)

One you hit your memory limit, you aren't launching anything else.

:-)

Interface roulette

[Raetsel]

First, let me qualify my experience. I am familiar with OpenBSD -- what I use for my firewall -- not Linux. I have done many boxes with multiple identical cards, and never had them 'come up' in a different configuration than I had originally configured. Ever. I never gave it much thought, and I really have no idea exactly how it's prevented -- MAC address, perhaps? It'd make sense, at least to me...

I don't believe there'd be any danger of cards randomizing on every reboot -- there are far too many people out there using multiple interfaces to not allow that problem -- if there was one -- to be addressed.

Now, as far as this solution being aimed at home use... There are many people who wish to run services from their home network. Mail, file services, a proxy for their websurfing while at work... not all these services are 100% secure. Yes, I know I used business examples, but the same vulnerabilities could happen at home. Heck, when Code Red went around, look at all the home-based servers that were affected! The home/business line is very blurred.

Re:Interface roulette

I really have no idea exactly how it's prevented -- MAC address, perhaps? It'd make sense, at least to me

you have IRQ's and PCI slots on the motherboard. each card is unique based upon where it's plugged in. If you have more than one video card in your system it's the same thing - one will always come up as the primary (even on a dual headed matrox card, one is the primary). If you have two video cards in the motherboard and you switch 'em then your primary video card is switched too. good way to find out which pci slot is #1 and which way they run (the active card will be closer to #1)
If you switch those identical cards around then you will have to switch their ethernet cable too and depending on your setup you may have to spoof-reverse their ip addresses.

The original question is like saying "I only use one hard drive in my system b/c that way i always know the system will boot off the correct drive"

Re:Interface roulette

[Rick+the+Red]

My experience is admittedly limited. Right now I'm running a Coyote Linux firewall, and I'm configuring a new/used OpenBSD firewall to replace it. From the Coyote Linux FAQ:

Q: I'm having problems with running two of the same NICs.
A: It's not suggested to use two of the same brand and make because it makes diagnosing problems rather difficult.

I've heard the same advice from other sources, as well. Specifically the problem was with Plug and Play ISA devices; perhaps PCI isn't a problem, in which case I wasted $3 when I bought one $9 card and one $12 card just so they'd be different :-)

Thanks for all the advice!

MOD THIS DOWN (OFF TOPIC)

WTF does this have to do with running a minimalist firewall on a sub $500 box?

Our new Proliants run about $15k and that's buying 2000+ of them.

Games with init...

[Christopher+B.+Brown]

• First glance... They must be insane. That can't possibly work.
• Second glance... Maybe it can work... If it does, it's certainly immune to buffer exploits in wu-ftpd.
• Third glance... Seems like a slick idea. It sure would entertain portscanners when there are no ports there to get at.
• Fourth glance. Unfortunately, I can't use it on my firewall, as I need pppoe running.

The interesting lesson, though, "kiddies," is that there are some interesting games to be played if you look at init with a view to rearchitecting how it works.

Typically, init is a program that starts some services, starts up some gettys , and then we can log in and do the traditional Unix stuff that we usually don't think much about.

In this case, the system essentially runs init-less.

Another approach would be to build a highly customized init that doesn't run the whole of user space, but rather just runs a few firewall-related programs.

• Mount a filesystem;
• Run an IP-chain loader;
• Perhaps run pppoe ;
• Unmount the filesystem, maybe.

And you have something smaller that doesn't work quite as hard getting things going, but leaves pppoe around to do a little bit of work.

Other approaches could be taken to build quite different things:

• CLienUX (possibly not capitalized quite rightly) is a system where libc does on-the-fly path rewriting to support accessing some standard pathnames (/usr, /usr/bin) on a system with an exceedingly nonstandard set of naming conventions.

  Throw in that shell scripts in Bash are deprecated; it is considered preferable to have your programs written in Forth.

• One might create a Lisp Machine running atop Linux by having init be a master Lisp process that takes over the system. Throw in a helper process or two (X, maybe, and SSH) and you've got something with a userspace just a mite different from what people are accustomed to...

Solving the RAM issue

[Com2Kid]

Some people so far have mentioned that even having anything loaded in RAM creates a danger.

Would it be possible to create a system that uses Static RAM (Smart cards, whatever) and have two sticks of it inserted?

One that you boot from and read the firewall rules and such out of, and another 8 meg or so stick that is used just for proccessing things.

Some types of flash cards now days have read write tabs on them, after your OS has loaded and all and you have got things how you want it, halt it, and then switch the tab on your main memory stick so that it is read only.

The 8 meg stick would have previously been assigned to be used for working with packets and such that the firewalls needs to do.

Even better of course would be if you could get a CPU with a nice sized Cache on it (hmmmm, K6-3s, hehe. External cache up to what, 8 megs? :) :) :) ) and just run almost everything directly out of that after booting. Though that would require some really nifty programming more then likely. :) It would DEFINTLY not be something that any random hacker would suspect, hehe.

Something left out

If you want max security, you also need to look at your eeproms. In other words, the flash bios's that are present in your system. Those can be rewritten by an attacker and have malicious code executed. The hardware way to deal with it would be to replace the eeprom with a prom or eprom. But that's probably too much work for most people. The easy solution is to have a md5 (or maybe something better? I seem to recall an attacker being able to modify an image and still have the generated md5 look the same) of your bios image and whatever else you have in your system. On a read-only floppy (at the hardware level) coupled with that invisible firewall, logging, and maybe some other memory tricks, such as that read-only memory someone else proposed. That would make a really damned secure system.

What benefit is this?

So, you set up a computer as a firewall, and decide to make it as secure as possible. Well, for a simple 2 computer home network, this is just fine, but you've already blown far more money on the computer and 2 NICs than you would on a $100 4-port switch+router+firewall linksys. Also, you can no longer use that computer.

That and your computer sucks up far more electricity.

It's interesting, but I doubt it's worthwhile.

Re:Performance? Swap space??

What packet size you tried? I bet it cannot handle
traffic if a lots of packets are minimum size
(up to 14800 packets per second).

Impossible to root?

I have gotten annoyed by amount of these this configuration is impossible to root remotely posts.
I mean how do you know? Linux kernel is a piece of software too and has contained a major amount of holes. You can never know whether it would be possible to break in to the host using some remote exploitable vulnerability in kernel, the chances are just small.
Even worse, if somebody manages to break in, you have no log information what so ever that would help you to notice what happened.

Why use Remote Access?

[nenolod]

Remote Access is what hackers dream of, and in runlevel 0, they dream of it even more, come on, is manual administration all that much of a pain? Geez, Remote Access kinda takes the point out of securing a system, now doesn't it. If you really need remote admin that much, go buy a server off of eBay and connect a 20' serial cable to it and use a serial console.

Embedded Firewalll

[ya_developer]

Your approach to securing a Linux firewall is an interesting exercise because it highlights the issues of many software firewalls that depend upon the host OS for their own security. 3Com sells an embedded firewall NIC that provides a packet filter which is managed by a management interface that runs off box. Thus, there is not even a management process on the protected host for an attacker to take control of. Even the firewall administrator cannot spawn a process on the firewall NIC. The NIC sends its audit data over the network to the firewall administrator's machine (encrypted of course). This allows the administrator to manage the firewall without being onsite. The embedded firewall on a NIC provides a very secure yet inexpensive firewall for single host. It is cheaper and smaller than dedicating an entire box. It also addresses the remote management and auditing issues others have raised. This makes is very interesting for remote machines that must be protected by an administrator at the central office. It should give you everything your halted firewall does plus remote management.