Omer Zak wrote:
> I have the following idea for a Linux based firewall, which will hopefully
> make it safer to connect a LAN to the Internet.
Not a bad shot at all, but here are two suggestions for improvements:
The first is to disable CD-ROM and HD completely and use the LRP(*1)
distribution which offers a complete Linux router/bridge/firewall on a
floppy (it opens itself from compressed images into a RAM disk). Very
good and very trustworthy.
The second is to NOT configure your firewall as a router, but rather as
a layer 2 bridge with IP firewalling rules(*2) and not give it an IP at
all (bridges don't need to have an IP to function). Not having an IP
makes overtaking the machine, hm... difficult ;-)
As for the logs, pump them out the serial port and to another machine.
Yes, if you need to change configuration you'll have to physically be
there, then again, so is your attacker ;-)
Other methods of configuration could very well be added. How about
attaching a GSM phone to the machine and accepting instructions only
from SMS messages coming from a certain phone number? Or attach a
regular phone and open a PPP session for configuration using dial back?
This is not the perfect firewall, as, like an honest politician, there's
just no such thing, but I do think that it poses a challenge different
from most "orthodox" firewall installations.
(*1) The Linux router project:
http://www.linuxrouter.org/
(*2) Backport of the 2.4.x bridging code to 2.2.x, including ipchains
integration: ftp://www.openrock.net/bridge/
--
Gilad Ben-Yossef <[EMAIL PROTECTED]>
http://benyossef.com :: +972(54)756701
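The "bridge with no IP" design described in the reply above, as an added example that is not part of the original mail or of the LRP/openrock projects it cites. It uses today's iproute2 and nftables (the `bridge` family) instead of the 2.2.x ipchains bridge backport, so the same idea is shown on a current kernel: two NICs enslaved to a bridge, no address on any interface, layer 3 forwarding switched off, and a default-drop forward chain that logs what it discards. Interface names, the LAN prefix and the allowed service ports are constructed assumptions; with `APPLY=0` (the default) the script only prints the plan, with `APPLY=1` it executes it as root.

```shell
#!/bin/sh
# Transparent (layer 2) bridge firewall with no IP address of its own.
# Assumptions for this example: outside NIC eth0, inside NIC eth1, LAN
# 192.168.1.0/24, and inbound services on TCP 25 and 80 (all constructed).
OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
BRIDGE="${BRIDGE:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ALLOWED_TCP="${ALLOWED_TCP:-25 80}"
APPLY="${APPLY:-0}"          # 0 = print the plan only, 1 = execute as root

# run: print a command in plan mode, execute it in apply mode
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# build_bridge: enslave both NICs to a bridge and make sure no interface
# carries an address, so the box is not reachable at layer 3 at all.
build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    run ip addr flush dev "$BRIDGE"
    run ip addr flush dev "$OUTSIDE"
    run ip addr flush dev "$INSIDE"
    # The machine is a bridge, not a router: never forward at layer 3.
    run sysctl -w net.ipv4.ip_forward=0
    run sysctl -w net.ipv6.conf.all.forwarding=0
}

# ruleset: nftables rules in the "bridge" family, applied to frames as they
# cross the bridge. Default policy drop; only LAN-initiated traffic, its
# replies and the listed inbound services pass. Everything dropped is
# logged with a prefix, and the kernel log reaches the serial console when
# the kernel runs with console=ttyS0 (the log-shipping the reply suggests).
# Connection tracking in the bridge family needs the nf_conntrack_bridge
# module (kernel 5.3 or later).
ruleset() {
    cat <<EOF
table bridge fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$INSIDE" ip saddr $LAN_NET accept
$(for p in $ALLOWED_TCP; do
    printf '        iifname "%s" ip daddr %s tcp dport %s accept\n' "$OUTSIDE" "$LAN_NET" "$p"
done)
        log prefix "bridge-fw drop: " drop
    }
}
EOF
}

# allowed_rule_count: number of explicit inbound service rules generated
allowed_rule_count() {
    ruleset | grep -c 'tcp dport'
}

if [ "$APPLY" = "1" ]; then
    build_bridge
    ruleset | nft -f -
else
    build_bridge
    echo "--- nftables ruleset (would be fed to: nft -f -) ---"
    ruleset
fi
```

Because the bridge and its ports have no address, there is nothing for a remote party to address and no management plane on the wire; configuration changes go in at the console or the serial port, which is exactly the trade-off the reply describes. Run the script once with `APPLY=0` to review the plan, then `APPLY=1` as root on the firewall itself.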