Slashdot Mirror
Run Your Firewall Halted for Extra Security
n8willis writes: "There's a great article over at the SysAdmin magazine site that presents a unique approach to improving network security: run your firewall in a halted state. This means runlevel 0; no processes running and no disks mounted, but with packet filtering still on. The author heard a rumor of this capability in the 2.0 series kernels, and he's managed to get it working in 2.2 as well."
Though I usually just use the power switch. Can't beat a powered-off firewall for security.
See floppyfw. Does not even *need* a HD to boot. Floppies can be write-protected. Even an old 486 will do that trick.
Amazing what queer pranks people invent in place of a rather obvious solution...
Use The Source, Luke!
This might be fine for a firewall whose rules never change, but if you want to actually do something to it, you can't have it halted, and rebooting will just cause downtime.
Why don't you just run with drives mounted read-only, or have everything copied to a ramdisk? Surely you can verify a rule to allow remote access from only certain locations if this is your problem, or even require serial console access.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I used to run my ipfwadm firewall kind of like this. I replaced INIT with an ipfwadm replacement I wrote that read ipf style rules from a config file and applied them to the kernel chains, then suspended. This was all on a ramdisk. It worked pretty well, although the ramdisk had to be replaced to change rules, which was kind of inconvenient.
In the stone age of firewalling, a firewall was a fairly complicated device that was less-than-trivial to factor into your network. It needed an IP address on it's outside, and another on the inside. This immediately created subnetting problems, forcing wasted IP allocation and overall disquietude amongst the cognoscenti. It also meant that your firewall was very visible to the world, and its function was rather obvious and easy to deduce. There had to be a better way. And now there is...
Dream with me for a moment: A black box, shimmering in the soft LED-green glow of the network cabinet. You take the network cable from your router, which previously went into a switch, and stick it in one of the snappy plugs in the back of the box. There's one more plug on the black box, so you grab another cable and hook the box up to the switch. You step back, and suddenly: everything looks the same. You go to all your computers. As far as you can tell from inside and outside the network, the box doesn't exist. It does nothing. A few minutes later, you have a monitor and keyboard hooked up to the back of the box. You quickly and easily begin to tweak a file that gives you fine grained control over access to your network. You shut off all access to your mailserver from the outside world except on port 25.
Acts@core.mailboks.com Acrux@core.mailboks.com Adam@core.mailboks.com Adar@core.mailboks.com Ada@core.mailboks.com
Interesting article, but I'm wondering what the benefits are of running IPCHAINS (or whatever) at init 0 as opposed to running a stripped down linux distro from read-only media or a RAM disk?
Bit of a shame if you want to log any attacks
on the firewall though.
With no disks mounted where can you log it to?
#exclude <ms/windows.h>
We were offering a linux-firewall, VPN solution to a hospital and turns out one of the machines we sent out had a bad token ring card, that mixed with an obscure bug in the Token ring driver, (Which has since been fixed) it would cause linux to die quite often. To the point where the computer would accept no keyboard input, would cease logging, and for all intents and purposes was a dead box. Yet the machine continued to route traffic and continued to function as a VPN.
Any listening ports were ignored, but the routing still took place. I never thought of it as a way to make the router more secure, but I guess in that way it makes since. It would really suck to have to completely shutdown everything to have to malke routing changes though, so I'm not sure this is the best solution for high availability router use.
Do you Gentoo!?
The most interesting thing I see with this is why?
It can't be managed. It can't be monitored. It can't be logged.
This may be fine as a novelty, but running a network secured with such a hack is silly.
Let's talk about shutting down all userspace processes on a box except syslog and snort and I say you've got an interesting box.
OTW - it seems just like a game.
--Adrian
This is a very interesting idea.
It only works with firewalling that's inside the kernel - packet filtering and NAT. But what if kernel modules were added to handle some of the features now run in user space?
Indeed, what if kernel modules were added to handle non-firewalling tasks instead? Could a kernel module provide a useful network service? You start the machine up, it loads the kernel and "halts" but still provides the service. Something goes wrong? Just power cycle; there's no disk access, no way for an attack or malfunction to make a persistant alteration in the machine.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Or you could try not trolling and read the actual article. The author
talks about whether or not this could be done in OpenBSD as well because
of its good kernel level firewall utilities.
Come play Heroes of Might and Magic Mini online.
I'm a little bit ignorant around the linux firewall setup, but don't you want your firewall to do some logging? Without logging how would you figure out where a DoS attack was coming from? Someone port scanning you? Wouldn't you want to know if someone tried to access a service you blocked with your firewall? This method seems to be nice armor for your firewall, but you have no idea who just whacked you upside your head.
Brought to you by Team SPAM! where we believe: "Information in the noise!"
This isn't much of a firewall when there is no logging or alerting. With this approach you basically have a solid state packet filter and if that's what you want, a Linksys box would still be a better solution.
There are a lot of things that can be done but, one has to ask: Other than doing it for the sake of doing it, what's the point?
IPF can run in stealth mode. In this mode a packets TTL isn't decreased when the packet traverses the firewall. It is invisible to the netork at large.
I just read the dead tree version of this about a week ago while sipping some coffee. It's an interesting idea to say the least, but I don't think the practice of turning the machine off and still expecting it to work will be widely accepted by any large production environment.
/.'d so I can't check my facts, but I thought it mentioned it was possible with a 2.4 kernel as well.
Essentially, I don't see why any process that runs entirely in kernel space couldn't be handled the same way. It has sparked my interest enough to build a test machine to try out this kind of thing. The site is already
Also, that was the most interesting article of the issue. It slightly miffs me that I can read it online for free, but their magazine just cost me ~5$.
I'm against picketing, but I don't know how to show it.
The kernel is still executing, as is IPChains (obviously)..If IPChains has any exploits, what is to stop a hacker from being able to modify the firewall configuration in memory, thus punching holes in the firewall?
Wouldn't this still need a locally running klogd to forward the messages to the remote syslogger?
Say no to software patents.
This method causes the firewall to act as a bridge instead of a router. The advantage is that the firewall is not IP-addressable. To hack it, you'd have to go down to the MAC layer, which is generally only possible if you're on the same network segment.
I read the SysAdmin article a month ago and thought the same thing. The OpenBSD Invisible Firewall is a much better solution -- you can't hack it from the outside, but you can still make any changes necessary without causing downtime.
Software sucks. Open Source sucks less.
This is kind of ridiculous because it requres you to take the whole firewall down to make rule changes. Why not just blackhole all packets with the firewall's interface addresses as destination, and leave a local serial console with password authentication and idled running?
Alternately, this is kind-of a solution for embedded firewalls or something.. maybe for tiny flash-card bootable network probes (remember firewalls are routers and can be made to do nasty things too) that you boot and then eject the flash media...
--- Nothing clever here: move along now...
Couldn't one simply also remove K88syslog from /etc/rc.d/rc0.d/ and log all messages to a remote syslog server?
This is a really neat idea, although I imagine still not practical. To make any configuration changes, it'd be a pain.
-davidu
# Hack the planet, it's important.
If the filesystem is down, then does this mean that logging is halted?
Or could you re-direct the logs?
At home, I run two servers - one inside the firewall with NFS services and so on, and the firewall itself, which is a self-sufficient machine except during boot, where it netboots from the NFS server. After that point, its two NICs are only used for routing packets. All administration takes place through the serial port, which init respawns /bin/sh onto. The system runs off of a ramdisk loaded during the netboot. I've found this to be a nice solution, and it rules out any possibility of breach since the machine is only accessible through a serial port hardwired to the server - ethernet interfaces are configured to only route packets.
The LinkSys DSL Routers, while nice, are not perfect solutions. I run one on the inside of my network, and I've noticed that it passes along packets that I have not explicitly told it to pass. One of the features that doesn't seem to be touted these days is that it "senses" specific types of packets and "intelligently" allows them through. The trouble with this is that the router is not doing stateful packet inspection - it's just guessing based on port number. Not a *huge* deal for most people, but I most certainly would not trust such a system to be my primary border defense.
Cheap and easy, but not as good as the real thing. When it comes to security, I'd rather have a locked-down debian box that I built from source than a piece of plastic that I bought at Staples.
We who were living are now dying
With a little patience
There's no syslog running anymore.
Dumbass.
There have been some great comments to this article (which I haven't read) but I got to wondering: if you're going to run in a sort of comatose state where your only ability to change the system is to reboot it, why bother booting in the first place?
My idea was to use the Linix BIOS or something similar, and run your packet filtering from there. Then you can forget the hard drive and floppy (though you'd probably want that floppy to be able to flash your BIOS with updates and the like.)
Does this make sense to anyone? Or is there something I'm overlooking like maybe that while running as a BIOS, Linux wouldn't be able to talk to the network interfaces, say?
I guess if you're going to go to that kind of trouble, you might as well have an embedded system, or run from flash RAM, as others have mentioned. Still, it's always fun to get hardware and software to do things beyond what they were designed to do.
This is roughly equivalent to a briding firewall with no assigned IP address. No one can ever connect remotely.
A bridging firewall as the advantage of still being administrable from the local console.
{{.sig}}
Hmmm.
I wonder if you could keep enough of the filesystem up to run, say, firewalling and TUX. (TUX *is* a kernel-resident www server, correct?)
If so, that's a neat possibility. Serve web pages off a machine runlevel 0 machine.
I use LEAF/LRP based routers a lot, I'm going to fiddle with one of them and see if I can't get them to run halted.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
is the system i have at home. i look at each incoming packet on paper and then pass it on the the lan if it looks legit. the only way to punch a hole in the firewall is with a shotgun at my belly..
Bah, I've got an old Pentium with some faulty memory that crashes on a regular basis.
It's been reliably packet-forwarding for me for over a month with a kernel-oops on screen.
As other people have pointed out there will be no
syslog running in runlevel 0.
I guess you could always run the video out into
a VCR... or use a serial console and a line printer.
#exclude <ms/windows.h>
Maybe this is a stupid question, but on all of my boxes, after I run shutdown -h and all of the killall scripts are run, it runs S01halt, which then calls either halt or reboot. This either stops the processor (soft power down) or else reboots the thing. The author didn't mention how he avoided this problem in his efforts - if you want the box to run in run level 0, you have to also disable the script that runs at that run level that shuts down the machine. Otherwise your machine really will be halted and there won't be any firewalling going on. Or more precisely, everything will be firewalled :) Did he not mention this problem, or did I just miss it somehow?
Assuming that this works, I don't see a whole lot of advantage to this over just using a firewall that's booted from a read-only floppy firewall distribution. Except that if you could come back from run level 0 (not sure if you can or not) then you could remount the disks, make a change to your firewalling rules, and then return to the halted mode. That might be a minor advantage over floppyfw systems.
Your right to not believe: Americans United for Separation of Church and
If your data needs that much security, you shouldn't have it connected to the internet in the first place.
...at the ability of some to (re)discover very mundane things. Even not halted, just booting up the kernel into bash instead of init provides an excellent level of security. It's been standard (at least for some people I know and me) practice for years! We even developed a linux firewall (in beta right now) doing just that.
In my opinion, Scientology is a cult you should avoid.
... can achieve almost the same thing.
man securelevel
man chflags
gd
SunScreen has been doing this for quite some time.
Read about it here
http://windows.scares.us
So the obvious question: how long before someone attempts this with the 2.4 kernel and IPTables?
I had my firewall's IDE controller go up in smoke, but the Linux kept chuggin' along. I couldn't log in or do anthing to the box, and the display was full of errors, but it still was routing for the rest of the network. now that was security.
---
I post links to stuff here
Then how would I telnet to my firewall from school?
*dodges flying shoes*
;)
Klowner
As the article points out, the kernel continues to run when halted, so the first part of the solution is to signal the kernel to transition out of run-level 0 in a safe way. There used to be ISA cards for debugging that had a push-button at the end of a cable; when pushed, an interrupt was triggered to invoke the debugger. I can't see any reason why the Linux kernel couldn't be patched to watch for that interrupt while halted and restart the boot process, say from the point where a boot disk is mounted. The second step would be to modify the init.d scripts affecting the IP stack to abort if the NICs are already configured.
The end result would be a firewall with a button that, when pressed, would cause the system to "wake up" and allow configuration changes to be made. When you're all done, just do another "init 0". To guard against forgetful netadmins, you may want a watchdog process that also does an "init 0" fifteen minutes after the system comes up.
I can't see any show stoppers to this idea. What do you think?
Nothing for 6-digit uids?
And costs $5 a month to run. Full size computers are power pigs.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
That's a tremendous waste of a computer. If that's all you're doing, you might as well use a network appliance for a firewall.
-------------------------
Stupid people suck.
Okay, so do anyone know of a cheap place to get rackmount 1U's, like, with just a pentium, network card and cdrom?
:)
Take this idea, a cheap rackmount, a readonly boot medium, and you have a very very secure device.
Possibly the ultimate in security?
GPL'd web-based tradewars themed space game
no need for it. the fw is acting as a *client* for syslog. syslog would be running on the log server.
The main drawback of course would be that changing iptables rules would be a painful process of rebooting and maybe 30 seconds of downtime (in an optimally configured setup).
There has to be a simple way to hack the kernel to "revive" from runlevel 0 with certain key presses locally?
If so, this would make another powerful method of running production Linux firewalls. IMPOSSIBLE to root remotely, and you can change iptables rules without downtime locally.
Hi all...
:)
As the author of the article being discussed, I wanted to point out one of my own errors. I discussed the lack of swap-space as a limitation to the setup; however, the linux kernel isn't pageable, so swap space would have no effect on the performance of the firewalling code.
I've had a few people point that out, so I wanted to post that correction publically.
Feel free to email me at mmurray@ncircle.com if you have questions or commments...
Mike
Frankly, with all of the discussion centered around administering a machine that's at runlevel 0 or fully stealthed with no IPs, etc., I'm surprised that no one (so far) has mentioned hardware-based remote access products such as Compaq's Remote Insight boards (many other server vendors have similar products).
For ~$500 you get a board that replaces your keyboard, mouse, and video controllers, has its own built-in ethernet adapter (that is invisible to the rest of the computer - it's dedicated to remote access) and an SSL-secured web server. You can completely control the machine via a java applet. You can even cold-boot it if it's in a hung state (and, of course, view any errors on the screen while the machine's in a hung state). Other features include a virtual floppy drive that allows you to copy data to and from the machine (you can even boot off of the virtual floppy). There's plenty of additional coolness; the only downside is that Compaq cards only work in Compaq Proliant servers, HP cards only work in HP servers, etc...
Help save the critically endangered Blue Iguana
Cool! I just halted my BlackIce service. If I hadn't read this article, I would never have known that doing that would make me more secure.
:) You rock. I don't have to worry about my hard drive shares being exposed now...
Thanks Slashdot
And in addition, as others have said, you can afford not to log it, and if---just when you think you can "afford a very static set of firewall rules"---you reboot, you can afford network downtime. This sucks.
OK, now this is a kind of straw man and slippery slope. Just because you "offer a shell", doesn't mean anyone can get it. Running a getty off the serial port isn't going to be susceptible to remote attacks. Only stuff you put on the network is a problem. And if they've got physical access, all bets are off anyway. Just because you're running processes doesn't make you vulnerable.
It isn't necessarily the case it'll be "child's play," but it will be possible. If you're not experienced, you shouldn't let this novelty solution lull you into thinking you're secure. Ask or hire someone with experience to help.
"And if you're screwed, you're screwed." Duh.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Aren't we forgetting the most important security feature of a firewall...? There's no logging! This is fly by the seat of your pants security if you ask me. You gonna hang a lucky rabbit's foot over the thing?
I have a weirdo-paranoid firewall/NAT-box running an ultra-stripped-down OpenBSD. I have put weirdo-paranoid security on it. The only open port is ssh, and you have to be inside my home network to reach it.
It would be a lot easier to crack the very few daemons (apache, etc) running on my Linux box on the other side (that the firewall routes) than to crack the firewall itself. I could imagine someone exploiting apache, getting ssh access to the Linux box somehow, and thus ending up behind the firewall.
At that point, the security of the firewall can be as good as it wants to (which IMHO it is), but the network it's supposed to protect has compromised due to the ports it DOES forward. Why would said cracker even bother to try to exploit the firewall (with one port open, mind you) at that point? To open up ports, perhaps, but he can just use existing forwarded services to do his dirty work.
Bottom line? Every sysadmin already knows this, but firewalls do not make your box magically secure. A secure firewall only goes so far.
A strange but maybe working idea would be memory that you could writeprotect. I dunno if this has been done yet but it would make servers damn hard to hack if you could specify what memory can be written and not by hardware settings. Like a separate chip thats not interfaced to the processor but sits between memory and cpu and has an own interface for settings. A chip that just blatantly says no when anything other than read are passed thru to that memory adress. It should be very hard to brake the apps that was protected. Strange idea, strange and probably silly....
HTTP/1.1 400
It plays hell with your uptime. We all know that's more important to /. users than security, right?
Bonus points to anybody who does this and then submits an nmap fingerprint of it...
Just testing my user id #56 really. :)
The dangers of knowledge trigger emotional distress in human beings.
If you're interested in this, also see FreeBSD's kern.securelevel facility. From the init(8) manpage:
/dev/mem, and
/dev/kmem may not be opened for writing; kernel modules (see
The kernel runs with four different levels of security. Any super-user
process can raise the security level, but no process can lower it. The
security levels are:
-1 Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted filesystems,
kld(4)) may not be loaded or unloaded.
2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with filesystems by unmounting them,
but also inhibits running newfs(8) while the system is multi-user.
In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message ``Time adjustment clamped to +1 second''.
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
dummynet(4) configuration cannot be adjusted.
If the security level is initially nonzero, then init leaves it
unchanged. Otherwise, init raises the level to 1 before going multi-user
for the first time. Since the level can not be reduced, it will be at
least 1 for subsequent operation, even on return to single-user. If a
level higher than 1 is desired while running multi-user, it can be set
before going multi-user, e.g., by the startup script rc(8), using
sysctl(8) to set the ``kern.securelevel'' variable to the required secu
rity level.
No, it's still needed. By itself, the kernel can only log to its ring buffer in memory. To send kernel messages to a remote syslog server, you need klogd to grab them and send them to syslogd, which sends them to the remote server.
It's probably possible to add this functionality to the kernel, but it's not there now.
$ find
How does this work? It would seem like packet filtering would require a process or two.. how can you having it working at a runlevel which has no processes running?
If you think that freesco has logging that could be more robust, try running syslog on a halted system ;)
LedgerSMB: Open source Accounting/ERP
Management is one reason I like SPARC so much. IE, connect a serial line to even a decade+ old Sun Pizzabox and manage via OpenPrompt. Even if the operating system is hosed you can still reach the OK prompt and reboot, or perform other tasks. Further, you can use the OK prompt to do network boots out of the box.
The Compaq cards do have an upside, however, in that the way you describe them it seems that you can foobar the 'parent' machine and still use the card. It does use power from the parent machine, so both SPARC's OpenPrompt and this card will be null if the host machine loses power.
I really wish x86 engineers would develop something similar to a server-class BIOS implementation. Don't get me wrong, modern x86 CPUs are great, but the BIOS has got to grow up.
Why not just avoid starting all services, and verify with "netstat" that there's no processes listening.
If there's not a single process listening on sockets (shown by netstat), then only the kernel is around doing it's masquerading, routing, etc., just as per runlevel 0.
While it's a cute trick, why limit *all* your potential functionality (flipping on ftp for 15 minutes, to let a buddy upload a file).
-me
Love many, trust a few, do harm to none.
Or... you could just use one of these:
- D-Link DFE-570tx 4-port 32bit PCI fast Ethernet adapter
Not cheap in any case -- but it'll sure open up some PCI slots!Phobos P430 (same thing)
Adaptec 6944a Discontinued model, cheaper -- still 4-port, still 10/100
Or, if you're lucky enough to be playing with 64 bit PCI @ 66 MHz... there's the newer Adaptec stuff.
Adaptec 64044 4-port 64bit/66MHz PCI fast Ethernet adapter
Now, to answer the Rick's "Feasible? Stupid?" question...
- Feasible? Certainly. These cards are basically 4 Ethernet chipsets put on one card. The Phobos one uses an Intel DS21143 setup, and can be addressed with generic Linux drivers (tulip.o) as 4 separate devices.
Something worth considering though -- it'd make for less hardware, and it's something I find attractive for home use -- a combined worry-free firewall + home file server + seamless internet access... nice idea.Stupid? Possibly. Everything coming in from the internet has to pass through the bridge first, and thus pass its' rules. Nothing can directly address it. Pretty much perfectly invulnerable. The only real vulnerability would be a DoS, but that depends on the rules you've plugged into the firewall. In any case, it's impossible to directly compromise the firewall portion of the machine.
Having the machine providing other services does mean, however, that if something is somehow compromised that your firewall is compromised too -- it's a risk you have to weigh yourself.
Imagine you're running a webserver on the machine -- with a vulnerable CGI. Someone discovers this, and takes over what they think is "only" a webserver -- only to find they've taken over your company's firewall, too! Ouch.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
Can you say "fork bomb"? I can:
/bin/true ]
/dev/urandom > /dev/null &
coyote# while [
> do
> cat
> done
Just did this on my coyote box and it's still passing traffic and logging remotely. Here's an entry from my syslog server:
Feb 8 19:14:54 hades kernel: VM: killing process cat
Feb 8 19:15:47 hades kernel: Packet log: input DENY eth1 PROTO=17 10.34.64.1:67 255.255.255.255:68 L=328 S=0x00 I=15781 F=0x0000 T=255 (#22)
One you hit your memory limit, you aren't launching anything else.
:-)
-- I speak only for myself.
First, let me qualify my experience. I am familiar with OpenBSD -- what I use for my firewall -- not Linux. I have done many boxes with multiple identical cards, and never had them 'come up' in a different configuration than I had originally configured. Ever. I never gave it much thought, and I really have no idea exactly how it's prevented -- MAC address, perhaps? It'd make sense, at least to me...
I don't believe there'd be any danger of cards randomizing on every reboot -- there are far too many people out there using multiple interfaces to not allow that problem -- if there was one -- to be addressed.
Now, as far as this solution being aimed at home use... There are many people who wish to run services from their home network. Mail, file services, a proxy for their websurfing while at work... not all these services are 100% secure. Yes, I know I used business examples, but the same vulnerabilities could happen at home. Heck, when Code Red went around, look at all the home-based servers that were affected! The home/business line is very blurred.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
The interesting lesson, though, "kiddies," is that there are some interesting games to be played if you look at init with a view to rearchitecting how it works.
Typically, init is a program that starts some services, starts up some gettys , and then we can log in and do the traditional Unix stuff that we usually don't think much about.
In this case, the system essentially runs init-less.
Another approach would be to build a highly customized init that doesn't run the whole of user space, but rather just runs a few firewall-related programs.
- Mount a filesystem;
- Run an IP-chain loader;
- Perhaps run pppoe ;
- Unmount the filesystem, maybe.
And you have something smaller that doesn't work quite as hard getting things going, but leaves pppoe around to do a little bit of work.Other approaches could be taken to build quite different things:
Throw in that shell scripts in Bash are deprecated; it is considered preferable to have your programs written in Forth.
If you're not part of the solution, you're part of the precipitate.
LinkSys added stateful packet inspection in a recent firmware update (listed as SPI on the configuration). I havent't tested it, so I can't vouch for the implementation.
Can You Say Linux? I Knew That You Could.
Some people so far have mentioned that even having anything loaded in RAM creates a danger.
:) :) :) ) and just run almost everything directly out of that after booting. Though that would require some really nifty programming more then likely. :) It would DEFINTLY not be something that any random hacker would suspect, hehe.
Would it be possible to create a system that uses Static RAM (Smart cards, whatever) and have two sticks of it inserted?
One that you boot from and read the firewall rules and such out of, and another 8 meg or so stick that is used just for proccessing things.
Some types of flash cards now days have read write tabs on them, after your OS has loaded and all and you have got things how you want it, halt it, and then switch the tab on your main memory stick so that it is read only.
The 8 meg stick would have previously been assigned to be used for working with packets and such that the firewalls needs to do.
Even better of course would be if you could get a CPU with a nice sized Cache on it (hmmmm, K6-3s, hehe. External cache up to what, 8 megs?
Need help treating your acne? Come here!