From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
To: Daniel Chemko <dchemko@smgtec.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: why must linux for halted firewall?
Date: Tue, 16 Sep 2003 16:12:09 -0400
Message-ID: <3F676E99.6070202@Loudoun-Fairfax.com>
In-Reply-To: <7C9884991ADAE0479C14F10C858BCDF5122E3A@alderaan.smgtec.com>
Daniel Chemko wrote:
>The ideal of a halted firewall is that the only possible exploit that could compromise a box is the kernel and the network core itself, and not depend on having userspace programs to cause possible security concerns.
>
>As for the concern that you can't log, I believe you can send syslogs to another machine from the kernel, no?
>
>I personally don't really care for halted firewalls myself. I constantly tweak the firewall to my environment (basically daily) so a halted firewall wouldn't make any sense to me. If you have an ultra static firewall configuration and physical access to the machine, I can see that there can be benefit of having it, but you would also need a read-only storage medium since if the kernel is compromised, they could still dump garbage to physical disks.
>
I figured it had to be something like that. I can see where it would be
useful in certain cases, but the inability to change rules dynamically
cuts both ways. Kinda like fighting with one hand tied behind your
back . . . but holding a .357 in the other hand.