Further adventures in Firewall upgrades

Lucas Peet lpeet at eccod.com
Mon Apr 8 18:02:40 CDT 2002


Here's an idea:

Configure your firewall - all your rules set up, etc...

Now, remove the K**ipchains and K**network scripts from all your rc*
folders, and halt the machine.  The machine will be halted - 0 process
space, 0 user space, and NO processes are running except the kernel, the
network, and your firewall, filtering packets like a good firewall should.
The only way anything else can run, is if by some magick someone is able to
insert code directly into the kernel space.

Try it, it's cool, it's 99.9999999% secure.  Only downside - you have to
reboot it to update the firewall rules.  But if you have it set up the way
you want it, that's a non-issue.

-Lucas
----- Original Message -----
From: "Dustin Decker" <dustind at moon-lite.com>
To: <kclug at kclug.org>
Sent: Monday, April 08, 2002 11:44 AM
Subject: Re: Further adventures in Firewall upgrades

> I'm gonna add my own touch of a rant here as well, but it's bound to be
> a short one.
>
> In quickly browsing a list of the various packages and such that the
> Mandrake SNF post contained, I see someone breaking some serious "rules"
> in the firewall vein.  Firewalls are generally meant to be bastion
> hosts, with little or no services running on them.  Those that are
> present obviously need to be hardened.  In the event that you actually
> get this host up and running, I'm not all that sure I would trust it to
> provide significant security improvements.
>
> Dustin
>
>
> --
> He who knows not and knows that he knows not is ignorant. Teach him.
> He who knows not and knows not that he knows not is a fool.  Shun him.
> He who knows and knows not that he knows is asleep.  Wake him.
>
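
An added example, not part of the original post or of either poster's setup: a POSIX shell audit for the rc* step described above, listing the K??ipchains and K??network kill links still present in a runlevel directory before the machine is halted. The rc root argument, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit SysV "kill" links that would stop the firewall or the network
# when the box enters a runlevel (0 = halt). The rc root is passed in as
# an argument because the post only says "rc* folders" (assumption).

# find_teardown_links RC_ROOT [RUNLEVEL]
# Prints one path per K??ipchains / K??network entry in RC_ROOT/rcN.d.
# Returns 2 if that directory does not exist.
find_teardown_links() {
    rc_root=$1
    level=${2:-0}
    dir="$rc_root/rc$level.d"
    [ -d "$dir" ] || return 2
    for link in "$dir"/K[0-9][0-9]ipchains "$dir"/K[0-9][0-9]network; do
        # An unmatched glob stays literal, so confirm the entry exists.
        if [ -e "$link" ] || [ -L "$link" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# no_teardown_on_halt RC_ROOT
# 0: rc0.d holds no ipchains/network kill link
# 1: at least one such link remains
# 2: rc0.d is missing
no_teardown_on_halt() {
    found=$(find_teardown_links "$1" 0) || return 2
    [ -z "$found" ]
}

# Constructed sample tree (plain files stand in for the usual symlinks).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/rc0.d" "$root/rc6.d"
    : > "$root/rc0.d/K90network"
    : > "$root/rc0.d/K92ipchains"
    : > "$root/rc0.d/K60crond"      # unrelated service, must be ignored
    : > "$root/rc6.d/K90network"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: prints the two rc0.d links to review.
demo_root=$(make_sample_tree)
find_teardown_links "$demo_root" 0
rm -rf "$demo_root"
```

Run it against a copy of the real rc tree first; it only reports links and changes nothing.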