-
February 11th, 2002, 12:28 PM
#1
Running Your Firewall in runlevel 0
I read this article today and found it very interesting, and new ideas instantly started growing in my head. How about a floppy DSL/cable firewall running at runlevel 0?
Please read the article and come back with comments and ideas about whether it is possible to do anything useful with this "feature", and about what is possible to do.
Halted Firewalls by Mike Murray
As systems administrators, it’s often funny how new and interesting information ends up in our hands. Sometimes, it’s through an intentional course of study; other times, it seems to arrive by accident. That’s exactly how the concept of using a halted Linux computer as a firewall occurred to me. I was at work, perusing an internal corporate mailing list and saw a message about something that was once present in Linux. The message referred to a method for shutting down a Linux box while ipchains is still running, and having the box continue to perform firewall tasks. My first response was to stifle a laugh — a firewall that works while in a halted state? I contacted the author (with a bit too much sarcasm in my letter), and was sent a link to an old discussion thread on the Firewalls list about a rumored feature in the 2.0.x kernels. This feature allowed you to run shutdown -h (halt) on the machine, and the firewall would remain active but with no drives mounted and no processes running. That is, the firewall would be in run level 0, but still be filtering packets. However, the list mentioned that this no longer worked in the 2.2.x series kernels.
I knew that I couldn't leave it alone, however. I set out to make a 2.2.x box perform a similar function, and I hoped that I would be able to do it without having to patch the kernel in any way. It turns out that I can. You can read the full article here.
Source: www.samag.com
-
February 11th, 2002, 01:53 PM
#2
a very interesting idea!

J.
-
February 11th, 2002, 01:56 PM
#3
Well, he certainly takes stripping down an OS to a new level! I suppose this can be useful if you want a firewall that's hard to break into. By removing all unnecessary processes there certainly is no back-door into the system, as far as I understand. The article guy says "run shutdown.....and the firewall would remain active.....and no processes running". Well, the kernel must be running, and he says there also must be an address space in memory for the ipchains tables.
This "feature" could be useful; it's always a point to strip down a box that is dedicated to only one task. What I wonder about is the stability of this hack, and whether it would be possible to create logs. At least you'd have to keep the disk controllers alive, and have some processes that can write to disk.
But I'm not much of a hardware guy, so there's possibly other workarounds that I can't think of.
-
February 11th, 2002, 02:13 PM
#4
You could probably use syslog onto a remote machine for logging.
/me shrugs

J.
-
February 11th, 2002, 02:13 PM
#5
I wonder about that. I'd like to try it but I don't have any spare hardware. If one of you guys gets it going let us know.
Trappedagainbyperfectlogic.
-
February 11th, 2002, 05:30 PM
#6
Sounds like a great idea, but you basically have to pull down your network if you want to change the rules. Personally, I think just a kernel running ipchains/netfilter with maybe a couple of things installed (bash, OpenSSH, DHCPD) is securable and easier to admin.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
February 11th, 2002, 05:39 PM
#7
Originally posted by proactive
Well, he certainly takes stripping down an OS to a new level! I suppose this can be useful if you want a firewall that's hard to break into. By removing all unnecessary processes there certainly is no back-door into the system, as far as I understand. The article guy says "run shutdown.....and the firewall would remain active.....and no processes running". Well, the kernel must be running, and he says there also must be an address space in memory for the ipchains tables.
This "feature" could be useful; it's always a point to strip down a box that is dedicated to only one task. What I wonder about is the stability of this hack, and whether it would be possible to create logs. At least you'd have to keep the disk controllers alive, and have some processes that can write to disk.
But I'm not much of a hardware guy, so there's possibly other workarounds that I can't think of.
It did, however, say that the disks would not be mounted. For a totally secure firewall there needs to be no way to get to the file system.
Nice idea but I can see some serious limitations.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
February 15th, 2002, 04:53 PM
#8
Originally posted here by KorpDeath
It did however say that the disks would not be mounted. For a totally secure firewall there needs to be no way to get to the file system.
Nice idea but I can see some serious limitations.
KorpDeath> you could also have your firewall based on read-only media, and this would achieve the same effect. You could keep your rules on a floppy with the tab flipped to read-only, and then if you actually had to make a change to the rules, you just pop the floppy out, change the tab, make your change, then pop it back in. That way, you've got minimal downtime (the OS could be CD-based), and you still are able to modify your firewall rules when you want and how you want.
IMO, Read-only access to your disks is way better than having a f/w running at runlevel 0.
Chris Shepherd
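A check a practitioner would want for the read-only-media scheme in the post above, as an added example that is not from the thread or from Mike Murray's article: before loading the ruleset, verify that the media really is mounted read-only and refuse to load otherwise, so a compromise of the running box cannot rewrite the rules. The mount point /mnt/rules, the file name firewall.rules and the use of iptables-restore (rather than ipchains) are assumptions; the mount table lines shown in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Mike Murray's article: only load
# firewall rules from media that is actually mounted read-only. The mount
# point, file name and the use of iptables-restore are assumptions.

RULES_MOUNT="${RULES_MOUNT:-/mnt/rules}"       # assumed: the write-protected floppy
RULES_FILE="$RULES_MOUNT/firewall.rules"       # assumed: ruleset in iptables-save format

# mount_is_readonly MOUNTPOINT < MOUNT_TABLE
# Reads a /proc/mounts-style table on stdin (fields: device mountpoint fstype
# options dump pass) and returns 0 only if MOUNTPOINT is present with the "ro"
# option. Constructed sample line that passes:
#   /dev/fd0 /mnt/rules vfat ro,nosuid,nodev,noexec 0 0
# The options field is split on commas and each piece compared whole, so
# "errors=remount-ro" on the root filesystem does not count as read-only.
# Mount points containing spaces appear as \040 in /proc/mounts and are not
# handled here.
mount_is_readonly() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END { exit ((found && ro) ? 0 : 1) }
    '
}

# Refuse to load unless the media is read-only, then replace the whole table
# atomically with iptables-restore (all rules take effect or none do).
load_rules() {
    if ! mount_is_readonly "$RULES_MOUNT" < /proc/mounts; then
        echo "refusing to load: $RULES_MOUNT is writable or not mounted" >&2
        return 1
    fi
    if [ ! -r "$RULES_FILE" ]; then
        echo "refusing to load: $RULES_FILE is missing" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

# Run as "sh loadrules.sh load" on the firewall itself; without the argument
# only the functions are defined, so the file can be sourced and tested.
case "${1:-}" in
    load) load_rules ;;
esac
```

Because nothing on such a box should be writable locally, the script only reports to stderr; kernel packet logging would go to a remote syslog host, as suggested earlier in the thread.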
-
February 16th, 2002, 01:59 AM
#9
Good post, micael. What about not just a firewall running at this level but other apps as well...
Trappedagainbyperfectlogic.
-
February 19th, 2002, 04:13 PM
#10
gold eagle, what other apps are you thinking of? At this point, even swap space is shut off, and the drives are unmounted. I wonder if that's even feasible... It likely is, I'm just curious what you could run at that level that would be useful...
Chris Shepherd