
Thread: Running Your Firewall in runlevel 0

  1. #1
    Senior Member | Join Date: Nov 2001 | Posts: 742

    Running Your Firewall in runlevel 0

    I read this article today and found it way over interesting, and instantly new ideas were growing in my head. How about a floppy DSL/Cable firewall running at runlevel 0.

    Please read the article and come with comments and ideas about if it's possible to do anything useful with this "feature" and about what is possible to do.

    Halted Firewalls by Mike Murray

    As systems administrators, it’s often funny how new and interesting information ends up in our hands. Sometimes, it’s through an intentional course of study; other times, it seems to arrive by accident. That’s exactly how the concept of using a halted Linux computer as a firewall occurred to me. I was at work, perusing an internal corporate mailing list and saw a message about something that was once present in Linux. The message referred to a method for shutting down a Linux box while ipchains is still running, and having the box continue to perform firewall tasks. My first response was to stifle a laugh — a firewall that works while in a halted state? I contacted the author (with a bit too much sarcasm in my letter), and was sent a link to an old discussion thread on the Firewalls list about a rumored feature in the 2.0.x kernels. This feature allowed you to run shutdown -h (halt) on the machine, and the firewall would remain active but with no drives mounted and no processes running. That is, the firewall would be in run level 0, but still be filtering packets. However, the list mentioned that this no longer worked in the 2.2.x series kernels.

    I knew that I couldn’t leave it alone, however. I set out to make a 2.2.x box perform a similar function, and I hoped that I would be able to do it without having to patch the kernel in any way. It turns out that I can. You can read the full article here.

    Source: www.samag.com

  2. #2
    Senior Member | Join Date: Sep 2001 | Posts: 429
    a very interesting idea!


    J.

  3. #3
    Senior Member | Join Date: Nov 2001 | Posts: 472
    Well, he certainly takes stripping down an OS to a new level! I suppose this can be useful if you want a firewall that's hard to break into. By removing all unnecessary processes there certainly is no back-door into the system, as far as I understand. The article-guy says "run shutdown.....and the firewall would remain active.....and no processes running". Well, the kernel must be running, and he says there also must be an address space in memory for the ipchains tables.

    This "feature" could be useful, it's always a point to strip down a box that is dedicated to only one task. What I wonder about is the stability of this hack, and would it be possible to create logs. At least you had to keep the disk controllers alive, and have some processes that can write to disk.

    But I'm not much of a hardware guy, so there's possibly other workarounds that I can't think of.
    ---
    proactive

  4. #4
    Senior Member | Join Date: Sep 2001 | Posts: 429
    You could probably use syslog onto a remote machine for logging.
    /me shrugs



    J.

  5. #5
    Senior Member | Join Date: Dec 2001 | Posts: 1,193
    I wonder about that. I'd like to try it but I don't have any spare hardware. If one of you guys gets it going let us know.
    Trappedagainbyperfectlogic.

  6. #6
    Senior Member | Join Date: Nov 2001 | Posts: 1,255
    Sounds like a great idea, but you basically have to pull down your network if you want to change the rules. Personally, I think just a kernel running ipchains/netfilter with maybe a couple of things installed (bash, OpenSSH, DHCPD) is securable and easier to admin.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Priapistic Monk KorpDeath | Join Date: Dec 2001 | Posts: 2,628
    Originally posted by proactive
    Well, he certainly takes stripping down an OS to a new level! I suppose this can be useful if you want a firewall that's hard to break into. By removing all unnecessary processes there certainly is no back-door into the system, as far as I understand. The article-guy says "run shutdown.....and the firewall would remain active.....and no processes running". Well, the kernel must be running, and he says there also must be an address space in memory for the ipchains tables.

    This "feature" could be useful, it's always a point to strip down a box that is dedicated to only one task. What I wonder about is the stability of this hack, and would it be possible to create logs. At least you had to keep the disk controllers alive, and have some processes that can write to disk.

    But I'm not much of a hardware guy, so there's possibly other workarounds that I can't think of.
    It did however say that the disks would not be mounted. For a totally secure firewall there needs to be no way to get to the file system.

    Nice idea but I can see some serious limitations.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #8
    Senior Member | Join Date: Nov 2001 | Posts: 1,255
    Originally posted here by KorpDeath


    It did however say that the disks would not be mounted. For a totally secure firewall there needs to be no way to get to the file system.

    Nice idea but I can see some serious limitations.
    KorpDeath> you could also have your firewall based on read-only media, and this would achieve the same effect. You could keep your rules on a floppy with the tab flipped to read-only, and then if you actually had to make a change to the rules, you just pop the floppy out, change the tab, make your change, then pop it back in. That way, you've got minimal downtime (the OS could be CD-based), and you still are able to modify your firewall rules when you want and how you want.

    IMO, Read-only access to your disks is way better than having a f/w running at runlevel 0.
    Chris Shepherd

  9. #9
    Senior Member | Join Date: Dec 2001 | Posts: 1,193
    Good post micael. What about not just a firewall running at this level but other apps as well...
    Trappedagainbyperfectlogic.

  10. #10
    Senior Member | Join Date: Nov 2001 | Posts: 1,255
    gold eagle, what other apps are you thinkin of? At this point, even swap space is shut off, and the drives are unmounted. I wonder if that's even feasible... It likely is, I'm just curious of what you could run at that level that would be useful...
    Chris Shepherd
