Implement firewall functionality on a closed Linux machine

Source: Internet
Author: User
Tags: firewall

While browsing the internet I suddenly saw a message on a forum saying there is a way to make a Linux machine that has been shut down keep running ipchains, so that the machine continues to function as a firewall. My first reaction was dismissive: can a firewall really work while the machine is shut down? Following the link in the forum, I found a post saying that on a 2.0.x kernel, using the shutdown -h (halt) command allows the firewall to remain active without any drive mounted or any process running. That means the firewall runs at runlevel 0, yet packets can still be filtered. However, the post said the feature is not available in the 2.2.x kernels.

Seeing this, I was a bit puzzled, and I decided to do something similar on a machine with a 2.2.x kernel, without adding any patches to the kernel. It turns out that I succeeded.

Secure firewall

By security I mean that the firewall host has been completely shut down: all of the process space and file systems have been cleared, so no attacker can gain access to the system. Because there is no process space on the machine and no mounted drive at all, an attacker cannot get code to run outside the kernel space. Attacking such a system is very hard work, because it would require writing code that executes inside the kernel to produce any result.

However, note that this firewall does not avoid denial-of-service attacks. In fact, it is no more effective than any other firewall against denial-of-service attacks and other attacks dedicated to exhausting resources. Of course, in reality such a system is generally not very susceptible to attacks of that kind.

Because this method ensures that no one can take control of the machine, security is greatly improved. This is precisely the saying often heard in the IT security field: to make a machine absolutely safe, shut it down and then lock it in a room.

Start implementation

I tested on an x86-based Red Hat 6.2 machine with two network adapters installed. The whole process requires no special system and no modification of the kernel. At first I searched the scripts that control the runlevels, hoping to find a clue to the relevant point. Finally I focused on the scripts for rc0 (which run when the machine shuts down). It turned out that this was exactly the place I was looking for, so I started removing some of the scripts from it and ran a series of tests.

Over a relatively short period of time I came to the conclusion that, for Red Hat Linux 6.2, the following scripts can be removed to achieve this:

/etc/rc.d/rc0.d/S00killall
/etc/rc.d/rc0.d/K90network
/etc/rc.d/rc0.d/K92ipchains

After you delete these three scripts, the network still works and ipchains keeps running. Remember to remove the killall script: its task is to go through /etc/rc.d/rc0.d/ and run every script whose name starts with K. That is, it runs the K90network and K92ipchains scripts, which shut down the network and ipchains respectively.

Some explanations

In effect we are leaving Linux running as a subset of the kernel. This part of the kernel still resides in memory when the machine is halted, even after shutdown has run. This approach skips the steps of the shutdown process that stop all processes, shut down all network adapters and unmount all the file systems. In addition, after the machine has been shut down it no longer performs any internal tasks. However, the kernel is still running, and the memory manager is still running.

Since the kernel is still running, any kernel-based task we run can keep running after the shutdown. Of course, most such tasks require some I/O (as in this example), so we have to shut down the machine while keeping the network ports present. This is accomplished by removing K90network, so the NICs do not stop working after the shutdown.

In addition, any kernel-based service you need must remain running (such as ipchains). By default, all ipchains rules are flushed when the system shuts down; if that happened, the firewall would not work, so you must remove the script that clears the ipchains rules. In this case, that is the K92ipchains script.
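As an added example (not code from the original article), here is a small POSIX shell audit that checks an rc0.d directory for the three scripts listed above and emulates the K* loop that S00killall runs; the directory path, the helper names and the sample entries (K10xfs, K25sshd, S01halt) are all constructed for the demonstration.

```shell
# Added example (not from the original article): audit an rc0.d directory for
# the three scripts removed on Red Hat 6.2, and emulate the loop S00killall
# runs (execute every K* script it finds). The directory is a parameter so the
# check can run against a constructed sample tree, not the real /etc/rc.d/rc0.d.

# List the K* scripts a killall-style loop would execute in the given rc0.d.
rc0_kill_scripts() {
    for script in "$1"/K*; do
        [ -e "$script" ] || continue   # glob matched nothing
        basename "$script"
    done
}

# Succeed (0) only if all three scripts are absent, i.e. the network and the
# ipchains rules would survive runlevel 0; report every one still present.
firewall_survives_shutdown() {
    rc=0
    for name in S00killall K90network K92ipchains; do
        if [ -e "$1/$name" ]; then
            echo "still present: $1/$name"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed sample rc0.d holding the three article scripts plus a
# few other typical entries (names are constructed); prints the directory path.
make_sample_rc0() {
    d=$(mktemp -d)
    for name in S00killall K90network K92ipchains K10xfs K25sshd S01halt; do
        : > "$d/$name"
    done
    echo "$d"
}

# Stand-alone demonstration: audit the sample, apply the article's fix, re-audit.
demo=$(make_sample_rc0)
firewall_survives_shutdown "$demo" || echo "firewall would NOT survive shutdown"
rm -f "$demo/S00killall" "$demo/K90network" "$demo/K92ipchains"
firewall_survives_shutdown "$demo" && echo "firewall would survive shutdown"
rm -rf "$demo"
```

Run against /etc/rc.d/rc0.d on a real Red Hat 6.2 host, the check reports which of the three scripts are still in place before you reboot into runlevel 0.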

Limitations

After the system is shut down only part of it is still running, which obviously has some limitations. The most obvious one is that if the IP address is obtained through a daemon (such as PPP or DHCP), this setup will not work, which limits its use for users with dynamic connections. In addition, because all user-space agents (such as SOCKS5) are closed during shutdown, only packet filtering and NAT can be implemented in the setup of this example.

The other thing to consider is that, since all the drives have been unmounted, all swap space has been removed from the machine too. If the machine's memory is large enough there will be no problem with the amount of traffic being processed, but on an old machine with poor performance there may be problems when the volume of traffic becomes too large.

Summary

As a Linux enthusiast, I find this little discovery interesting. It also gives us a specific solution pattern for certain security tasks. For the moment, I'd like to know whether other free Unixes (like OpenBSD) can do similar experiments successfully. Although I did the experiment at home, if it were used in small and medium-sized companies it could provide a company with very high-security packet filtering. It could also provide a very secure, high-bandwidth firewall or router for some large business tasks.
