why must linux for halted firewall?

why must linux for halted firewall?

[Chua Boon Ping]

dear all,
   I am newbie in open source and recently i am busy on some assignment 
concerning "why opts for Linux(netfilter/iptables) rather than OpenBSD to 
implement a Halted Firewall". actually, can OpenBSD be halted just like 
Linux kernel do? As i mentioned, i am newbie and would like have some 
guidance from you guys. Thanks.

Chua

_________________________________________________________________
Using a handphone prepaid card? Reload your credit online! 
http://www.msn.com.my/reloadredir/default.asp

Re: why must linux for halted firewall?

[Jim Carter]

On Mon, 15 Sep 2003, Chua Boon Ping wrote:
> concerning "why opts for Linux(netfilter/iptables) rather than OpenBSD to
> implement a Halted Firewall". actually, can OpenBSD be halted just like
> Linux kernel do?

I'm not sure what you mean by a "halted firewall".  Do you mean that the
kernel uses the "halt" instruction when there is no work to do?  Actually,
if you have APM or ACPI BIOS (all recent machines do), the kernel will use
them to conserve power if the machine has been halted for a while, and if
the BIOS has that capability.

I like Linux iptables because it's flexible and semi-comprehensible, and it
can do (almost) everything I want to, and it uses relatively little CPU per
packet.  But what you really need is a reply from someone who knows both
NetBSD and Linux, and can say what's good about NetBSD firewall code.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Re: why must linux for halted firewall?

[Cedric Blancher]

Le mar 16/09/2003 à 19:46, Jim Carter a écrit :
> I'm not sure what you mean by a "halted firewall".  Do you mean that the
> kernel uses the "halt" instruction when there is no work to do?

Nope.
An halted firewall is a firewall that is halted, i.e. you have executed
"halt" command. Box is configured not to send halt signal to ATX supply
so it is still powered and network stuff is not killed (interfaces up,
ruleset not flushed, etc.). As kernel is still alive, your box can
continue it's routing/filtering tasks as they're handled within kernel.

But, you won't have the ability to log onto the firewall to update rules
or have applications running (no logs).

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Re: why must linux for halted firewall?

[Jeffrey Laramie]

[-- Attachment #1: Type: text/plain, Size: 1020 bytes --]

Cedric Blancher wrote:

>Le mar 16/09/2003 à 19:46, Jim Carter a écrit :
>  
>
>>I'm not sure what you mean by a "halted firewall".  Do you mean that the
>>kernel uses the "halt" instruction when there is no work to do?
>>    
>>
>
>Nope.
>An halted firewall is a firewall that is halted, i.e. you have executed
>"halt" command. Box is configured not to send halt signal to ATX supply
>so it is still powered and network stuff is not killed (interfaces up,
>ruleset not flushed, etc.). As kernel is still alive, your box can
>continue it's routing/filtering tasks as they're handled within kernel.
>
>But, you won't have the ability to log onto the firewall to update rules
>or have applications running (no logs).
>
>  
>

What would be the benefit in configuring a system like this? It seems to 
run contrary to the evolution of IT appliances where you can configure 
and manage everything usually without restarting (firewalls, switches, 
print servers, even ups units). I don't get it ;-)

[-- Attachment #2: Type: text/html, Size: 1474 bytes --]

Re[2]: why must linux for halted firewall?

[Peteris Krumins]

Tuesday, September 16, 2003, 9:55:28 PM, you wrote:

JL> Cedric Blancher wrote:

JL> What would be the benefit in configuring a system like this? It seems to 
JL> run contrary to the evolution of IT appliances where you can configure 
JL> and manage everything usually without restarting (firewalls, switches, 
JL> print servers, even ups units). I don't get it ;-)

The benefit is that the system can never be exposed, no userspace
task can run, its only the kernel with its power of networking.


P.Krumins

Re: why must linux for halted firewall?

[Cedric Blancher]

Le mar 16/09/2003 à 20:55, Jeffrey Laramie a écrit :
> What would be the benefit in configuring a system like this? It seems
> to run contrary to the evolution of IT appliances where you can
> configure and manage everything usually without restarting (firewalls,
> switches, print servers, even ups units). I don't get it ;-)

Just fun, which always runs against IT appliance evolution that want
things boring easy ;)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Re: why must linux for halted firewall?

[Nox]

For us,
We have a runlevel 0 firewall, from Debian
it was developed in house, fine tuned by this article:

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

For us, this FW protects a Bioinformatics cluster,
which rarely changes on the rules side of things,
the benefit form our standpoint is the non-access into the machine,
(No user priv escalation due to no logon)
the drawback is we currently have no logging enabled.
(We are working on it.

Hope that helps

Nox
GenMicro systems
Bioinformatics applications and devices
(Website in development)

On Sun, 2003-09-14 at 23:16, Chua Boon Ping wrote:
> dear all,
>    I am newbie in open source and recently i am busy on some assignment 
> concerning "why opts for Linux(netfilter/iptables) rather than OpenBSD to 
> implement a Halted Firewall". actually, can OpenBSD be halted just like 
> Linux kernel do? As i mentioned, i am newbie and would like have some 
> guidance from you guys. Thanks.
> 
> Chua
> 
> _________________________________________________________________
> Using a handphone prepaid card? Reload your credit online! 
> http://www.msn.com.my/reloadredir/default.asp
> 
> 

Re: why must linux for halted firewall?

[Cedric Blancher]

Le mar 16/09/2003 à 21:33, Nox a écrit :
> the drawback is we currently have no logging enabled.
> (We are working on it.

LIDS guys have developped a kernel side SMTP client so their system can
send alerts without interaction with userland. I don't think they have
kernel side syslog.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

RE: why must linux for halted firewall?

[Daniel Chemko]

[-- Attachment #1: Type: text/plain, Size: 1092 bytes --]

 

The ideal of a halted firewall is that the only possible exploit that
could compromise a box is the kernel and the network core itself, and
not depend on having userspace programs to cause possible security
concerns.
 
As for the concern that you can't log, I believe you can send syslogs to
another machine from the kernel, no?
 
I personally don't really care for halted firewalls myself. I constantly
tweak the firewall to my environment (basically daily) so a halted
firewall wouldn't make any sense to me. If you have an ultra static
firewall configuration and physical access to the machine, I can see
that there can be benefit of having it, but you would also need a
read-only storage medium since if the kernel is compromised, they could
still dump garbage to physical disks.
 
 
  


>What would be the benefit in configuring a system like this? It seems
to run contrary to the evolution of IT appliances where you can
configure and manage >everything usually without restarting (firewalls,
switches, print servers, even ups units). I don't get it ;-)


[-- Attachment #2: Type: text/html, Size: 3727 bytes --]

Re: why must linux for halted firewall?

[Jeffrey Laramie]

[-- Attachment #1: Type: text/plain, Size: 1102 bytes --]

Daniel Chemko wrote:

>  
>
>The ideal of a halted firewall is that the only possible exploit that could compromise a box is the kernel and the network core itself, and not depend on having userspace programs to cause possible security concerns.
>
> 
>
>As for the concern that you can't log, I believe you can send syslogs to another machine from the kernel, no?
>
> 
>
>I personally don't really care for halted firewalls myself. I constantly tweak the firewall to my environment (basically daily) so a halted firewall wouldn't make any sense to me. If you have an ultra static firewall configuration and physical access to the machine, I can see that there can be benefit of having it, but you would also need a read-only storage medium since if the kernel is compromised, they could still dump garbage to physical disks.
>
> 
>
> 
>
I figured it had to be something like that. I can see where it would be 
useful it certain cases, but the inability to change rules dynamically 
is cuts both ways. Kinda like fighting with one hand tied behind your 
back . . . but holding a .357 in the other hand.

[-- Attachment #2: Type: text/html, Size: 3574 bytes --]

Re: why must linux for halted firewall?

[Chua Boon Ping]

well... i am currently doing a research paper on Halted Firewall on Linux 
platform. I would like to know can OpenBSD implement such a firewall? can 
OpenBSD halted just like Linux kernel does?

i had read the article. thanks.


>From: Nox <pheusion@snet.net>
>To: Chua Boon Ping <nitb@hotmail.com>
>CC: netfilter@lists.netfilter.org
>Subject: Re: why must linux for halted firewall?
>Date: Tue, 16 Sep 2003 15:33:36 -0400
>
>For us,
>We have a runlevel 0 firewall, from Debian
>it was developed in house, fine tuned by this article:
>
>http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>
>For us, this FW protects a Bioinformatics cluster,
>which rarely changes on the rules side of things,
>the benefit form our standpoint is the non-access into the machine,
>(No user priv escalation due to no logon)
>the drawback is we currently have no logging enabled.
>(We are working on it.
>
>Hope that helps
>
>Nox
>GenMicro systems
>Bioinformatics applications and devices
>(Website in development)
>
>On Sun, 2003-09-14 at 23:16, Chua Boon Ping wrote:
> > dear all,
> >    I am newbie in open source and recently i am busy on some assignment
> > concerning "why opts for Linux(netfilter/iptables) rather than OpenBSD 
>to
> > implement a Halted Firewall". actually, can OpenBSD be halted just like
> > Linux kernel do? As i mentioned, i am newbie and would like have some
> > guidance from you guys. Thanks.
> >
> > Chua
> >
> > _________________________________________________________________
> > Using a handphone prepaid card? Reload your credit online!
> > http://www.msn.com.my/reloadredir/default.asp
> >
> >
>

_________________________________________________________________
Are you in love? Find a date on MSN Personals http://match.msn.com.my/

Re: why must linux for halted firewall?

[Nox]

From personal experience, I couldnt tell you that OpenBSD will support
it, as we have yet to try it.

But I see no reason as to why it couldnt be "Figured out"
It would just be a matter of fiddling with files, like the article said,
alot of trial and error.



>Le mar 16/09/2003 à 21:33, Nox a écrit :
> the drawback is we currently have no logging enabled.
> (We are working on it.

>LIDS guys have developped a kernel side SMTP client so their system
>can >send alerts without interaction with userland. I don't think they
have kernel side syslog.

Using an MTA was what was suggested to me, and that is what we are
currently investigating..
Thanks for the heads up


Nox
GenMicro systems
Bioinformatics applications and devices
(Website in development)

On Tue, 2003-09-16 at 15:43, Chua Boon Ping wrote:
> well... i am currently doing a research paper on Halted Firewall on Linux 
> platform. I would like to know can OpenBSD implement such a firewall? can 
> OpenBSD halted just like Linux kernel does?
> 
> i had read the article. thanks.
> 
> 
> >From: Nox <pheusion@snet.net>
> >To: Chua Boon Ping <nitb@hotmail.com>
> >CC: netfilter@lists.netfilter.org
> >Subject: Re: why must linux for halted firewall?
> >Date: Tue, 16 Sep 2003 15:33:36 -0400
> >
> >For us,
> >We have a runlevel 0 firewall, from Debian
> >it was developed in house, fine tuned by this article:
> >
> >http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
> >
> >For us, this FW protects a Bioinformatics cluster,
> >which rarely changes on the rules side of things,
> >the benefit form our standpoint is the non-access into the machine,
> >(No user priv escalation due to no logon)
> >the drawback is we currently have no logging enabled.
> >(We are working on it.
> >
> >Hope that helps
> >
> >Nox
> >GenMicro systems
> >Bioinformatics applications and devices
> >(Website in development)
> >
> >On Sun, 2003-09-14 at 23:16, Chua Boon Ping wrote:
> > > dear all,
> > >    I am newbie in open source and recently i am busy on some assignment
> > > concerning "why opts for Linux(netfilter/iptables) rather than OpenBSD 
> >to
> > > implement a Halted Firewall". actually, can OpenBSD be halted just like
> > > Linux kernel do? As i mentioned, i am newbie and would like have some
> > > guidance from you guys. Thanks.
> > >
> > > Chua
> > >
> > > _________________________________________________________________
> > > Using a handphone prepaid card? Reload your credit online!
> > > http://www.msn.com.my/reloadredir/default.asp
> > >
> > >
> >
> 
> _________________________________________________________________
> Are you in love? Find a date on MSN Personals http://match.msn.com.my/
> 
>