I really have to thank you for pointing this out. This is _very_
interesting. I am working with a few very serious Unix/Linux hacks
here and they had no idea.
With a well-designed set of firewall rules, it seems like this can give
you a _very_ secure firewall. Do you suppose this was an oversight on
the part of the folks who do linux distributions on which this works?
If not, it seems like it should be official. Maybe do a 'shutdown -f
now' to indicate that you want to shut down everything except the part
of the kernel that does the packet filtering/forwarding.
Or better yet, get the whole kernel onto a floppy disk, boot off that,
do the shutdown, then remove the floppy. Everything is in RAM.
Everytime you boot again w/ the floppy, you get a guaranteed unhacked
system.
Interesting.
allen
David Lang wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> With the 2.0 series kernels (you should _really_ be using 2.0.36 for
> security, 2.0.37 is due out in the near future) all you need to do is
> let
> the system boot, have your setup scripts run the ipfwadm commands to
> setup
> the filtering/masquerading rules and then run shutdown -h now. your
> system
> shuts down but the kernel is still running. I have done this with
> Slackware, with other distributions you will need to double check the
> shutdown scripts to make sure they do not disable int interfaces. The
> easy
> way to tell this is to start a ping on another machine, shutdown a
> test
> machine and if the ping continues you should be set. I know that
> Redhat
> specificly disables packet forwarding during shutdown and so I suspect
> that it shuts down the interfaces as well.
>
> David Lang
>
> On Thu, 11 Mar 1999, Allen Jantzen wrote:
>
> > Date: Thu, 11 Mar 1999 16:40:42 -0500
> > From: Allen Jantzen <[EMAIL PROTECTED]>
> > To: David Lang <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: Re: Linux Firewall solutions
> >
> > David Lang wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > I have several firewalls in use running on Linux for the following
> > > reasons
> > > (in no particular order)
> >
> > ...snip...
> >
> > > 4. with the 2.0 kernel series if you don't need proxys you can
> setup a
> > > firewall that configures itself and then halts the system. The
> kernel
> > > will
> > > continue to run and move your packets, but there is no userspace
> > > running
> > > for someone to crack into, with the 2.2. kernels that is not
> possible
> > > now,
> > > but people are working to re-enable it (the 2.2 kernel decides
> that if
> > > init dies the system needs to reboot and does so immediatly)
> >
> > This is very interesting. I have not heard of it. How do you
> enable
> > it?
> >
> > allen
> >
>
> "If users are made to understand that the system administrator's job
> is to
> make computers run, and not to make them happy, they can, in fact, be
> made
> happy most of the time. If users are allowed to believe that the
> system
> administrator's job is to make them happy, they can, in fact, never be
> made
> happy."
> - -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff",
> LISA '97)
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
>
> iQEVAwUBNuhF0j7msCGEppcbAQEaygf9FrSVHX2Wg/UeMxUhKaWESz2LR3Y1cXgN
> crH6JzjlMjfKBMPqYh5gRlt0LJJJLWb6GN2dgqe7aAPVGuIiWMdtPedFVRL8HHH/
> XHglLThJvylyLgaTdIUOiGKZZxH3uhDiawo3xVt+WQ8bcbdofAnsGLPquu2ry56H
> muOYmtJ67ptIRdD62JjNQyIqZoKgvR9tXKysmpxR+UX74AmsJs5dw1sISLCREyxZ
> nu3tOMpYm3PVWEBvS7Tkpgs/yxuYrs2so3wSzoLKu5aEQ6QkfqOjlVIAhjL3LbI4
> tK+Rb4PKpJBPBrTm8t7qz8ANQa/HwR+xVxFUivbDxvC5Kb5v0KDHNA==
> =mH7m
> -----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
