Here is an interesting article about running firewalls with the machine "halted" (runlevel 0) for extra security
<*tilt*> is a first reaction. But it _is_ an intriguing concept...
Article here: http://www.samag.com/print/documentID=20294
Slashdot thread here: http://slashdot.org/articles/02/02/08/1624217.shtml?tid=172
Anyone have any personal experiences of such trickery to relate?
--James
Get the terminology right. Runlevel 0 is known as single user mode and it is not in any way halted. The idea is that init, a shell and not a lot else runs. So that's fair enough. But why did you (in the general sense) install Redhat and not disable all those insecure daemons you didn't need running in the first place?
I'll just mention that this might be a bad state to leave a *BSD system in because it knocks down the intended securelevel. securelevel locks raw device access, immutable files and so on.
Jon
on Sat, Feb 09, 2002 at 09:15:21AM -0000, Jon Schneider wrote:
I'll just mention that this might be a bad state to leave a *BSD system in because it knocks down the intended securelevel. securelevel locks raw device access, immutable files and so on.
That's just a case of commenting out 2 lines of code in sbin/init/init.c:single_user()
The problem I have with the idea of a halted firewall is that there is no way (if it's done properly) to get any logs off the machine. If there is, it's not as secure as it is made out to be. Additionally, you cannot monitor the machine. If someone breaks into the machine, you can't know, unless you sniff some "odd" traffic.
A neat thing you can do quite easily under *BSD is this: http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
You can probably do this now with Linux, but for quite a while bridging support under Linux was wobbly. 2.0 supported it, but finding the userland tool to configure it was not easy. 2.2 didn't support it until someone wrote patches, and running a firewall with 2.4.x (x < 10) is a bad, bad idea. http://bridge.sf.net has the relevant patches and docs.
-------- Original Message --------
Subject: Re: clug Secure Firewalling, Runlevel 0 (?!)
Date: Sat, 9 Feb 2002 09:15:21 -0000
From: "Jon Schneider" jon@axismilton.ltd.uk
Jon Schneider wrote:
Get the terminology right. Runlevel 0 is known as single user mode and it is not in any way halted. The idea is that init, a shell and not a lot else runs. So that's fair enough. But why did you (in the general sense) install Redhat and not disable all those insecure daemons you didn't need running in the first place?
Understood. But try to convey that in a very precise and unambiguous form in just a few words in a message title. Yours would be < >?
I'll just mention that this might be a bad state to leave a *BSD system in because it knocks down the intended securelevel. securelevel locks raw device access, immutable files and so on.
Indeed. Please remember that the focus of the article was on a Linux system, and a RedHat one at that. I for one would only run a dedicated firewall or proxy / Gateway on OpenBSD, anyway, just now, given the current state of GPL OS play.
But it is always good to have it put in a broader perspective.
--James
on Sat, Feb 09, 2002 at 01:18:49PM +0000, James wrote:
Understood. But try to convey that in a very precise and unambiguous form in just a few words in a message title. Yours would be < >?
"'Secure' Halted Firewalls"? For Slackware, runlevel 0 was correct:

# These are the default runlevels in Slackware:
#   0 = halt
#   1 = single user mode
I for one would only run a dedicated firewall or proxy / Gateway on OpenBSD, anyway, just now, given the current state of GPL OS play.
May I ask why?
The author's original motivation for setting up the bridge code was to enable routing from outside the LAN to the inside.
I do this by having my firewall publish the MAC addresses of the inside machines to the outside world. Everything still goes through my filter rules, they are unaffected, but I do not need any fancy patches in my kernel.

# WANDEV and LANDEV are set earlier in the script (assumed values shown).
WANDEV=eth0
LANDEV=eth1
# 225 is the ADSL gateway, 239 is broadcast.
for i in 226 227 229 231 233 234 235 236 237 238
do
    /sbin/arp -i $WANDEV -Ds xx.xx.xx.$i $LANDEV pub
done
/sbin/arp -i $LANDEV -Ds adslgate $WANDEV pub
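The proxy-ARP approach above, written out as a parameterised script. This is an added example and not the poster's own script: the interface names, the 192.0.2.x prefix (a documentation range) and the dry-run switch are constructed assumptions; the gateway and broadcast octets (225, 239) and the host list are taken from the post. It generalises the snippet by skipping the gateway and broadcast addresses automatically and by printing the commands in dry-run mode so the entries can be reviewed before they are applied. As the post notes, forwarded packets still pass through the firewall's filter rules; proxy ARP only changes who answers on the wire.

```shell
#!/bin/sh
# Added example (not from the list post): publish proxy-ARP entries so the
# outside network reaches the inside hosts through the firewall without
# bridging. Interface names, prefix and DRY_RUN are constructed placeholders.

WANDEV=${WANDEV:-eth0}        # outside interface (assumed)
LANDEV=${LANDEV:-eth1}        # inside interface (assumed)
PREFIX=${PREFIX:-192.0.2}     # constructed documentation prefix, not a real net
GATEWAY=225                   # last octet of the ADSL gateway (from the post)
BROADCAST=239                 # last octet of the broadcast address (from the post)
DRY_RUN=${DRY_RUN:-1}         # 1 = print the commands instead of running them

# run_or_echo: run the command, or print it verbatim in dry-run mode.
run_or_echo() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# publish_inside_hosts OCTET...: for each inside host, answer ARP for
# PREFIX.OCTET on WANDEV. With -D, arp(8) takes the hardware address from the
# named interface. The gateway and broadcast octets are never published.
publish_inside_hosts() {
    for i in "$@"; do
        if [ "$i" -eq "$GATEWAY" ] || [ "$i" -eq "$BROADCAST" ]; then
            continue
        fi
        run_or_echo /sbin/arp -i "$WANDEV" -Ds "$PREFIX.$i" "$LANDEV" pub
    done
}

# publish_gateway: on the inside interface, answer ARP for the gateway's
# address so the inside hosts send their outbound traffic via the firewall.
publish_gateway() {
    run_or_echo /sbin/arp -i "$LANDEV" -Ds "$PREFIX.$GATEWAY" "$WANDEV" pub
}

# enable_forwarding: proxy ARP is useless unless the kernel forwards packets;
# the filter rules decide what is actually allowed through.
enable_forwarding() {
    run_or_echo sysctl -w net.ipv4.ip_forward=1
}

# Example invocation with the host numbers from the post (dry-run by default).
enable_forwarding
publish_inside_hosts 226 227 229 231 233 234 235 236 237 238
publish_gateway
```

Run with `DRY_RUN=1` first and compare the printed entries against the address plan; only the addresses of hosts that are meant to be reachable from outside should be published, and the filter rules for those hosts should be in place before switching to `DRY_RUN=0`.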
On 09-Feb-02 xs@kittenz.org wrote:
main@lists.alug.org.uk
http://www.anglian.lug.org.uk/
http://lists.alug.org.uk/mailman/listinfo/main
Unsubscribe? See message headers or the web site above!