  Implement firewall function on a closed Linux machine
  Add Date : 2017-04-13      
While wandering around the Internet, I came across a forum message claiming there is a way to keep ipchains running on a Linux machine that has been shut down, so that the machine continues to act as a firewall. My first reaction was dismissive: can a firewall really keep working on a halted machine? Following the link in that post, I found an article saying that on a 2.0.x kernel, halting the system with shutdown -h left the firewall active even though no drives were mounted and no processes were running. In other words, the firewall would run at runlevel 0 and still filter packets. The post added, however, that this no longer worked on 2.2.x kernels.

Reading this, I could not sit still; I decided to reproduce the same behaviour on a 2.2.x kernel, and I hoped to do it without any kernel patches. As it turned out, I succeeded.

Secure Firewall

By security I mean the following: the firewall has, to all intents and purposes, been shut down, every process has been terminated and every file system has been unmounted, so there is no way for an intruder to get into the system. With no process space and no mounted drives, an attacker cannot get code running on the machine outside of kernel space. Doing so would require writing code that produces exactly that effect inside the kernel, which is very hard work.

It must be said, however, that this firewall does not prevent denial-of-service attacks. Against DoS and other resource-exhaustion attacks it is no more effective than any other firewall. In practice, of course, the system is generally not especially vulnerable to such attacks.

Because this method ensures that no user can control the machine, it greatly improves security. It is a concrete instance of the old saying in the security field: to make a machine absolutely safe, switch it off and lock it in a room.


My test machine was an x86 box running Red Hat 6.2 with two network cards installed. The whole procedure required no special additions or changes to the system or the kernel. I started by searching the run-control scripts for relevant clues and eventually focused on the rc0 scripts (those run when the machine is halted). That turned out to be exactly the place I was looking for, so I began removing some of the scripts and ran a series of tests.

After a relatively short time I concluded that, on Red Hat Linux 6.2, deleting the following scripts achieves the effect described above:




After these three scripts are removed, the network keeps working and ipchains keeps running. Remember that we delete the killall script because its job is to find every script in /etc/rc.d/rc0.d/ whose name begins with K and run it. That would include K90network and K92ipchains, and those two scripts are what shut down the network interfaces and ipchains.

Some explanation

In effect, we are turning the machine into a reduced Linux kernel. When the machine is halted, even after shutdown has run, this part of the kernel stays resident in memory. The approach skips the normal shutdown steps in which the machine stops all processes, brings down the network cards and unmounts every file system. After halting, the machine can no longer run any internal tasks, yet the kernel, including the memory manager, is still running.

Because the kernel is still running, any kernel-based task we had running continues to run after shutdown. Most such tasks need some I/O (this one included), so we must ensure the network interfaces still exist after the halt. That is what deleting K90network achieves: it keeps the network cards from being brought down at shutdown.

In addition, any kernel-based service we need must still be running, ipchains in particular. By default, the shutdown sequence flushes all ipchains rules; if that happened the firewall would not work, so the script that flushes the ipchains rules must be removed as well. In this case that means deleting the K92ipchains script.
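The two paragraphs above and the script-removal step rest on one mechanism: the killall script runs every K* link in rc0.d, and K90network and K92ipchains are the links that bring the interfaces and the rules down. The following POSIX sh script is an added example, not code from the original article: it emulates that loop and audits an rc0.d directory for the expected halt-time links, so an administrator can detect when a box has been set up to keep filtering after a halt. The killall link name S00killall is an assumed placeholder; K90network and K92ipchains are the names the article gives for Red Hat 6.2, and the sample directories are constructed in a temp dir.

```sh
#!/bin/sh
# Added example (not from the original article). Assumed placeholder name for
# the killall link: S00killall. Sample rc0.d layouts are constructed below.

# List, in run order, the K* links the killall loop would execute. This mimics
# "find every script in rc0.d whose name begins with K and run it".
halt_stop_scripts() {
    dir="$1"
    for s in "$dir"/K*; do
        [ -e "$s" ] || continue
        basename "$s"
    done
}

# Return 0 if every expected halt-time link is present, 1 otherwise.
# Missing links are printed so a periodic audit job can alert on them.
audit_rc0() {
    dir="$1"; shift
    missing=0
    for name in "$@"; do
        if [ ! -e "$dir/$name" ]; then
            echo "missing: $dir/$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample layouts: an intact rc0.d and one with the three links
# removed as the article describes (empty files stand in for init scripts).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/intact" "$tmp/modified"
    for n in S00killall K90network K92ipchains K10xfs; do : > "$tmp/intact/$n"; done
    : > "$tmp/modified/K10xfs"
    echo "halt would run in intact:   $(halt_stop_scripts "$tmp/intact" | tr '\n' ' ')"
    echo "halt would run in modified: $(halt_stop_scripts "$tmp/modified" | tr '\n' ' ')"
    audit_rc0 "$tmp/intact" S00killall K90network K92ipchains && echo "intact: ok"
    audit_rc0 "$tmp/modified" S00killall K90network K92ipchains \
        || echo "modified: halt leaves network and ipchains running"
    rm -rf "$tmp"
}

demo
```

Run it against the real directory with `audit_rc0 /etc/rc.d/rc0.d <link names>` from a cron job to get an alert whenever the stop links disappear.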


Running only part of the system after shutdown obviously comes with some limitations. The most obvious is that if the client's IP address is obtained through a daemon (PPP, DHCP and the like), this technique cannot be used, which rules it out for users on dynamic connections. Also, because all system processes are gone, every user-space proxy (such as Socks5) is shut down, so a setup like this can provide only packet filtering and NAT (masquerading).

Bear in mind too that since all drives are unmounted, all swap space is gone as well. If the machine has enough RAM, handling a large volume of traffic is no problem; on an older, slower machine, however, heavy traffic may cause problems.

Summary

As a Linux enthusiast I find this a very interesting little discovery, and it also gives us a model for solving a specific security task. What I most want to know now is whether the same experiment succeeds on other free Unix systems such as OpenBSD. I did this experiment at home, but for a small or medium-sized company I think it could provide very secure packet filtering, and it may even serve as a very secure, high-bandwidth firewall or router for large commercial workloads.