Routers vs. PC's for routing - was list problems?

David Ulevitch davidu at everydns.net
Fri May 24 06:35:32 UTC 2002
## On Friday, May 24, 2002 12:52 AM -0400
## Valdis.Kletnieks at vt.edu wrote:

> I've heard tell that a good way to secure a Linux box that's doing this is
> to have it boot, set up the interfaces, set up iptables, and then do
> a quick /sbin/halt - if you fail to 'ifconfig down' the interfaces on the
> way down, the kernel will happily forward the packets while being immune
> to exploits (since there's no processes running anymore).  I haven't
> tried it, so I don't know if it works.  Maybe there ARE cases where
> setting the default runlevel to 0 or 6 make sense. ;)

This seems to be a rather dumb idea for at least a couple of reasons.

The increase in security is nothing compared to the headache you've created.

a) How do you log?
b) How do you update your rulesets?
c) How do you figure out what went wrong when something DOES go wrong?

A system with an out-of-band interface (dialup, serial, ethernet, IrDA, 
etc) can offer the same level of security without the trouble of a 
pseudo-halted system.  It can log, it can update rulesets, the device can 
be configured to only allow management from that interface, etc... [as if 
you didn't know this]

As to being immune to exploits I fail to see how.  An exploit is an exploit 
-- it doesn't need to give you a root shell to accomplish a goal of 
crashing the packet filter.

I'm more than happy to be proven wrong though: when is there a time when a 
pseudo-halted system is "more secure"?

-davidu
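The alternative described in the message above (a running Linux packet filter whose management is confined to an out-of-band interface, with logging and reloadable rulesets) as an added example that is not part of the original post or the NANOG thread. Interface names (eth0/eth1/eth2) and the management network (192.0.2.0/24, a documentation range) are assumptions; the script emits an iptables-restore ruleset so it can be reviewed and checked without root, and applies it only when asked.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed topology:
#   WAN_IF  - upstream interface being forwarded to/from
#   LAN_IF  - inside interface
#   MGMT_IF - out-of-band management interface (the only place SSH is accepted)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth2}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management network

# Emit the ruleset in iptables-restore format (no root needed to generate it).
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management (SSH) is accepted only on the out-of-band interface, from the management net.
-A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
# SSH arriving on any other interface is logged, then dropped.
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-wrong-if: " --log-level warning
-A INPUT -p tcp --dport 22 -j DROP
# Forwarding: inside hosts may initiate to the WAN; replies are allowed back.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate-limited logging of everything that falls through to the DROP policies,
# so there is something to look at when something goes wrong.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Load atomically: iptables-restore replaces the whole table in one step, so a
# rule update never leaves a half-applied ruleset (requires root; only runs on "apply").
apply_rules() {
    build_rules | iptables-restore
}

# Sanity checks to run before applying: the only ACCEPT for port 22 must be
# bound to the management interface, and the ruleset must log.
check_rules() {
    rules=$(build_rules)
    echo "$rules" | grep -q -- "-i $MGMT_IF .*--dport 22 -j ACCEPT" || return 1
    # Any port-22 ACCEPT that is not on MGMT_IF is a policy violation.
    echo "$rules" | grep -- "--dport 22 -j ACCEPT" | grep -v -- "-i $MGMT_IF" | grep -q . && return 1
    echo "$rules" | grep -q -- "-j LOG" || return 1
    return 0
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_rules && echo "ruleset ok" ;;
    *)     build_rules ;;
esac
```

Run it with no arguments to print the ruleset for review, `check` to verify the management constraint, and `apply` (as root) to load it. Because the box keeps running, the LOG targets land in the kernel log where a normal syslog pipeline can ship them off the out-of-band interface, and a ruleset edit is a regenerate-and-reload rather than a reboot.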