[48246] in North American Network Operators' Group
Re: Routers vs. PC's for routing - was list problems?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat May 25 02:59:28 2002
To: "Steven J. Sobol" <sjsobol@JustThe.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 23 May 2002 18:01:03 EDT."
<Pine.LNX.4.41.0205231758300.1721-100000@amethyst.nstc.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 24 May 2002 00:52:14 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 23 May 2002 18:01:03 EDT, "Steven J. Sobol" said:
> The box I want to build is passing packets between the rest of my network
> (and the public Internet) and one server that will hold sensitive data.
> It'll be a Linux box with the TCP/IP stack running in bridged mode, with
> two ethernet adapters installed. The box just needs to boot up and run. It
> doesn't need to log anything.
I've heard tell that a good way to secure a Linux box that's doing this is
to have it boot, set up the interfaces, set up iptables, and then do
a quick /sbin/halt - if you fail to 'ifconfig down' the interfaces on the
way down, the kernel will happily forward the packets while being immune to
exploits (since there are no processes running anymore). I haven't tried it,
so I don't know if it works. Maybe there ARE cases where setting the default
runlevel to 0 or 6 makes sense. ;)
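As an added illustration of the two-NIC bridged filter Steven describes (example script, not from either poster): the box gets no IP address of its own, bridges the two adapters, and applies a default-deny FORWARD policy that lets only one service reach the sensitive server. Interface names, the server address, the allowed port and the use of modern iproute2/br_netfilter/conntrack are assumptions; the unverified halt trick from the reply is deliberately not included. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Transparent bridging filter for one sensitive server. All names below are
# assumptions; SERVER uses an RFC 5737 documentation address (constructed).
OUTSIDE=${OUTSIDE:-eth0}       # toward the rest of the network / Internet
INSIDE=${INSIDE:-eth1}         # toward the sensitive server
BRIDGE=${BRIDGE:-br0}
SERVER=${SERVER:-192.0.2.10}   # the one host behind the bridge
ALLOW_PORT=${ALLOW_PORT:-443}  # the one service that host exposes

# Dry-run by default: print each command; APPLY=1 executes it (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Build the bridge. No address is assigned, so the box itself offers nothing
# reachable on the wire, which is the point of running it in bridged mode.
bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    for i in "$OUTSIDE" "$INSIDE" "$BRIDGE"; do run ip link set "$i" up; done
    # Bridged frames only traverse iptables with br_netfilter and this sysctl.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Policy: drop everything to/from the box, drop all forwarding by default,
# then allow only the one service inbound and its established replies outbound.
filter_rules() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
        -p tcp -d "$SERVER" --dport "$ALLOW_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" \
        -p tcp -s "$SERVER" --sport "$ALLOW_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Sanity check usable in dry-run: exactly two ACCEPT rules exist, nothing more.
count_accepts() { filter_rules | grep -c -- '-j ACCEPT'; }

if [ "${APPLY:-0}" = 1 ]; then bridge_up; filter_rules; fi
```

Run with `APPLY=1` on the bridge host; run without it first and read the printed commands to confirm the policy before applying.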