For those of you who don't subscribe to Sys Admin, there are a couple of interesting articles in the latest issue (Jan 2002) that are somewhat applicable to LEAF.
In "Halted Firewalls", Mike Murray discusses the interesting fact that you can shut down the Linux kernel (i.e. "halt"), but kernel processes will keep running. Having the kernel running without any user processes is not generally very useful, but if you don't explicitly bring down the ethernet interfaces and flush the ipchains rules, your system will still route, firewall, and forward packets. Without any user processes running, there's no swap space (LEAF systems don't typically have any swap anyhow), and dynamic connections using dhclient, PPPoE, and similar won't work, but it's still kind of a neat concept. It's pretty hard to hack into (or remotely administer) a system with no running processes.

Even more interesting is "Redundant Internet Connections Using Linux" by Seann Herdejurgen. He describes a simple method for bandwidth sharing between two interfaces, a topic that surfaces occasionally on this list. While not quite a complete solution, the equal-weight default routing looks like it would work for masqueraded firewalls. I'll have to test the masquerading code on 2.2 and see if it properly divides requests between multiple external interfaces, and correctly mangles the source IP for both interfaces. Anyone try this already and know if it works?

If the masquerading works properly with multiple external NICs, it's a (fairly) straightforward matter to integrate this support into the firewall scripts, duplicating the public rules for more than one interface. The hard part is making some scripts to properly route traffic if one of the links goes down. Since typically the ethernet link between the firewall and the cable/DSL modem is always up, periodic pings or some other link test needs to happen to swap routing tables around if a link fails. Anyone know if SeaWall or any of the other firewall scripts will handle multiple external interfaces?
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
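The "hard part" the post describes, a periodic link test that rewrites the default route when an uplink dies, is small enough to sketch. The script below is an added example written for this page; it is not from the Sys Admin article, from LEAF, or from any of the firewall script packages mentioned. Interface names (eth1, eth2), gateway addresses (192.0.2.1, 198.51.100.1, from the documentation ranges) and the use of iproute2 multipath routes (`ip route ... nexthop ... weight 1`, which needs CONFIG_IP_ROUTE_MULTIPATH in the kernel) are all assumptions. The route decision is kept in a separate function so it can be exercised without real links; with DRY_RUN=1 (the default) the script only prints the command it would run.

```shell
#!/bin/sh
# Dual-uplink failover monitor (constructed example, not LEAF code).
# Assumed topology: eth1 and eth2 are the external NICs, each with its own
# upstream gateway. Each gateway is also used as the ping probe target.
LINK1_IF=eth1; LINK1_GW=192.0.2.1;    LINK1_PROBE=192.0.2.1
LINK2_IF=eth2; LINK2_GW=198.51.100.1; LINK2_PROBE=198.51.100.1

# DRY_RUN=1 prints the route command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
# Seconds between probe rounds when running the monitor loop.
INTERVAL=${INTERVAL:-10}

# link_up IF PROBE_IP: succeed if one ping sent out IF is answered within 2s.
# Probing through the specific interface matters because the ethernet link to
# the modem stays up even when the ISP side is dead.
link_up() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# probe_state IF PROBE_IP: print "up" or "down".
probe_state() {
    if link_up "$1" "$2"; then echo up; else echo down; fi
}

# build_route STATE1 STATE2: print the route command for the surviving links.
# Both up   -> equal-weight multipath default route (the article's scheme).
# One up    -> single default route via the live gateway.
# Both down -> drop the default route rather than blackhole into a dead link.
build_route() {
    case "$1$2" in
        upup)   echo "ip route replace default nexthop via $LINK1_GW dev $LINK1_IF weight 1 nexthop via $LINK2_GW dev $LINK2_IF weight 1" ;;
        updown) echo "ip route replace default via $LINK1_GW dev $LINK1_IF" ;;
        downup) echo "ip route replace default via $LINK2_GW dev $LINK2_IF" ;;
        *)      echo "ip route del default" ;;
    esac
}

# apply_routes: one monitoring pass. The route is rewritten only when the
# decision changed, so a healthy system does not churn its route table.
apply_routes() {
    s1=$(probe_state "$LINK1_IF" "$LINK1_PROBE")
    s2=$(probe_state "$LINK2_IF" "$LINK2_PROBE")
    cmd=$(build_route "$s1" "$s2")
    if [ "$cmd" != "$LAST_CMD" ]; then
        logger -t linkmon "link1=$s1 link2=$s2: $cmd" 2>/dev/null || true
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
        LAST_CMD=$cmd
    fi
}

# monitor_loop: probe forever; intended to be started from an init script.
monitor_loop() {
    while :; do
        apply_routes
        sleep "$INTERVAL"
    done
}

# Only start probing when explicitly asked (e.g. `sh linkmon.sh --run`),
# so the functions can be sourced and tested without touching the network.
if [ "${1:-}" = "--run" ]; then
    monitor_loop
fi
```

This only handles the routing half of the problem. Whether masquerading picks the right source address for whichever interface a multipath route sends a connection out of is exactly the open question in the post, and nothing here answers it; the script also needs the gateway (or some host beyond it) to answer pings, so a probe target that filters ICMP will look permanently down.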
