## On Friday, May 24, 2002 12:52 AM -0400 ## Valdis.Kletnieks@vt.edu wrote:
I've heard tell that a good way to secure a Linux box that's doing this is to have it boot, set up the interfaces, set up iptables, and then do a quick /sbin/halt - if you fail to 'ifconfig down' the interfaces on the way down, the kernel will happily forward the packets while being immune to exploits (since there's no processes running anymore). I haven't tried it, so I dont know if it works. Maybe there ARE cases where setting the default runlevel to 0 or 6 make sense. ;)
This seems to be a rather dumb idea for at least a couple reasons. The increase in security is nothing compared to the headache you've created. a) How do you log? b) How do you update your rulesets? c) How do you figure out what went wrong when something DOES go wrong? A system with an out-of-band interface (dialup, serial, ethernet, IrDA, etc) can offer the same level of security without the trouble of a pseudo-halted system. It can log, it can update rulesets, the device can be configured to only allow management from that interface, etc... [as if you didn't know this] As to being immune to exploits I fail to see how. An exploit is an exploit -- it doesn't need to give you a root shell to accomplish a goal of crashing the packet filter. I'm more than happy to be proven wrong though, when is there a time when a pseudo-halted system is "more secure"? -davidu