Further adventures in Firewall upgrades

Charles Steinkuehler charles at steinkuehler.net
Mon Apr 8 21:03:15 CDT 2002


> > > Don't you lose logging if you do that?
> >
> > Yes, unless you also remove K**syslogd...
>
> Doesn't shutdown -h umount all of the mounted partitions?  Unless you had
> all your logs going to another machine, logging would not be possible,
> that I know of.  I reserve my right to be wrong, however!

Unless I'm grossly mistaken (happens all too frequently :), the whole
concept of a "halted firewall" is to shut down *EVERYTHING* running in user
mode...even init exits!  At this point, only pre-configured kernel processes
can continue to run, which happens to include IP routing and
ipchains/iptables rules.  The price for making your firewall "impervious" in
this way is forgoing *ALL* user-mode functionality, including logging.  It's
a double-edged sword...it's not possible to launch user-mode processes that
could compromise your system, but it's also not possible to launch user-mode
processes to do useful things like logging, ssh access, re-configuring your
firewall rules, &c...

If you just want a thin Linux distribution to use as a firewall, there are
many available, including...

<shameless plug>
My CD-ROM based Dachstein firewall/VPN Gateway:
http://leaf.sourceforge.net/devel/cstein/DiskImages/Dachstein-CD.htm

Boots off a CD-ROM, with configuration data on a floppy, or you can burn a
pre-configured CD once you get everything configured.  You can also run off
HDD, flash-disk, floppy, or whatever (minimum usable boot image is about
1.25 Meg).  You can even squeeze a FreeS/WAN based IPSec VPN gateway on a
single 1680K floppy.
</shameless plug>

...along with many others. :)

Charles Steinkuehler
charles at steinkuehler.net
