While wandering the Internet, I came across a forum post saying there was a way for a Linux machine that had been shut down to keep running ipchains, so that it could continue to act as a firewall. My first reaction was dismissive: how could a firewall work on a machine that is switched off? Following the link the forum gave, I found a post saying that on a 2.0.x kernel, if you halt with the shutdown -h command, the firewall stays active even though no drives are mounted and no processes are running. In other words, the machine sits at runlevel 0 but still filters packets. The post added, however, that this no longer works on 2.2.x kernels.
Reading this, I could not sit still: I decided to achieve the same thing on a machine running a 2.2.x kernel, and I hoped to do it without any kernel patches. It turned out that I could.
Secure Firewall
What I mean by "secure" here is this: assume the firewall has been completely shut down, with every process and every file system cleared from the machine, so that no attacker can get access to the system. Because the machine has no process space and no mounted drives, an attacker cannot get code running anywhere outside kernel space. To do anything, the attacker would have to write code that produces the desired result from within the kernel alone, which is very hard work.
It should be remembered, though, that this firewall does not prevent "denial of service" attacks. Against denial of service and other resource-exhaustion attacks it is no more effective than any other firewall. In practice, of course, the system is not particularly vulnerable to this kind of attack.
Because this method ensures that no user at all can control the machine, it can greatly improve security. This is exactly what people in the security field often say: to make a machine absolutely safe, you should turn it off and lock it in a room.
Getting Started
My test machine was an x86 Red Hat 6.2 system with two network cards installed. The whole process required no special system or kernel additions or changes. At first I searched through the run-control scripts, hoping to find the relevant clues. Eventually I concentrated on the rc0 scripts (the scripts that run when the machine is halted), and this turned out to be exactly the place I was looking for. So I started removing scripts and ran a series of tests.
After a fairly short time I concluded that on Red Hat Linux 6.2, deleting the following scripts achieves the effect described above:
/etc/rc.d/rc0.d/S00killall
/etc/rc.d/rc0.d/K90network
/etc/rc.d/rc0.d/K92ipchains
With these three scripts removed, the network keeps working and ipchains keeps running. Remember that we want the killall script deleted because its job is to search the /etc/rc.d/rc0.d/ directory and run every script whose name begins with K. That means it would run the K90network and K92ipchains scripts, and those two scripts shut down the network and ipchains respectively.
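The following script is an added example, not part of the original article: it takes the three script names above and moves them out of the rc0.d directory into a backup directory instead of deleting them, so the stock halt behaviour can be restored. It assumes a Red Hat 6.2-style /etc/rc.d/rc0.d layout; the directory is passed as a parameter so the functions can be exercised on a constructed copy.

```shell
#!/bin/sh
# Added example (not the article's own code). Reversibly disables the three
# rc0.d scripts the article names, so the halt behaviour can be put back.

# Script names taken from the article; everything else here is assumed.
HALT_SCRIPTS="S00killall K90network K92ipchains"

# rc0.d entries are normally symlinks into ../init.d; treat a dangling
# symlink as present too so it is still moved aside.
present() { [ -e "$1" ] || [ -L "$1" ]; }

# disable_halt_scripts RC0_DIR BACKUP_DIR
# Moves each listed script out of RC0_DIR into BACKUP_DIR.
# Returns 0 when all three were found and moved, 1 if any was missing.
disable_halt_scripts() {
    rc0="$1"; backup="$2"
    mkdir -p "$backup" || return 1
    missing=0
    for s in $HALT_SCRIPTS; do
        if present "$rc0/$s"; then
            mv "$rc0/$s" "$backup/$s" || return 1
        else
            echo "warning: $rc0/$s not present" >&2
            missing=1
        fi
    done
    return $missing
}

# restore_halt_scripts RC0_DIR BACKUP_DIR
# Puts the scripts back, reverting to the stock shutdown sequence.
restore_halt_scripts() {
    rc0="$1"; backup="$2"
    for s in $HALT_SCRIPTS; do
        if present "$backup/$s"; then
            mv "$backup/$s" "$rc0/$s" || return 1
        fi
    done
    return 0
}

# count_halt_scripts RC0_DIR
# Prints how many of the three scripts are still active in RC0_DIR (0..3).
count_halt_scripts() {
    n=0
    for s in $HALT_SCRIPTS; do
        if present "$1/$s"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# On the real machine (as root, paths assumed):
#   disable_halt_scripts /etc/rc.d/rc0.d /root/rc0.d-disabled
```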
Some Explanation
In effect, we have reduced the running Linux system to a subset of the kernel. When the machine is halted, even after shutdown has run, this part of the kernel stays resident in memory. Normally the shutdown process suspends all processes, shuts down the network cards and unmounts all file systems; this method sidesteps that. After shutdown the machine can no longer perform any internal tasks, but the kernel is still running, and so is the memory manager.
Because the kernel is still running, any kernel-based task we had running can keep running after shutdown. Of course, most such tasks need some I/O (as in this case), so we must make sure the interfaces are still available after the machine halts. That is what removing K90network achieves: the network cards do not stop working at shutdown.
In addition, any kernel-based service we rely on must stay running (ipchains here). By default, all ipchains rules are flushed when the system shuts down, and if that happened the firewall would do nothing. So the script that clears the ipchains rules must be removed, which in this case means deleting K92ipchains.
Limitations
Running only part of the system after shutdown obviously comes with limitations. The most obvious one is that if the machine's IP address is obtained through a daemon (PPP or DHCP, for example), this cannot work, which rules it out for users with dynamic connections. Also, since all user-space processes are gone, any user-space proxy (such as Socks5) will have been closed, so the setup in this example can only provide packet filtering and NAT.
It should also be considered that, since all drives are unmounted, all swap space has been removed from the machine. If the machine has enough memory, handling a large volume of traffic is no problem; on an older, less powerful machine, however, a heavy traffic load may cause problems.
Summary
As a Linux enthusiast, I find this a very interesting little discovery. It also gives us a concrete solution model for certain specific security tasks. What I would most like to know now is whether the same experiment can succeed on other free Unix systems (OpenBSD, for instance). And although I did this experiment at home, I think that for small and medium companies it could provide highly secure packet filtering, and it may even be possible to provide a very secure, high-bandwidth firewall or router for a number of large commercial tasks.