on Sat, Feb 09, 2002 at 09:15:21AM -0000, Jon Schneider wrote:
> I'll just mention that this might be a bad state to leave a *BSD system in because it knocks down the intended securelevel. securelevel locks raw device access, immutable files and so on.
That's just a case of commenting out 2 lines of code in sbin/init/init.c:single_user()
The problem I have with the idea of a halted firewall is that there is no way (if it's done properly) to get any logs off the machine. If there is, it's not as secure as it is made out to be. Additionally, you cannot monitor the machine. If someone breaks into the machine, you can't know, unless you sniff some "odd" traffic.
A neat thing you can do quite easily under *BSD is this: http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
You can probably do this now with Linux, but for quite a while bridging support under Linux was wobbly. 2.0 supported it, but finding the userland tool to configure it was not easy. 2.2 didn't support it until someone wrote patches, and running a firewall with 2.4.x (x < 10) is a bad, bad idea. http://bridge.sf.net has the relevant patches and docs.