Re: Linux Firewalls

From: Mike Murray (mmurrayat_private)
Date: Thu Dec 20 2001 - 23:30:18 PST


    Charles,
    
    As the author of that article, I figure I'm probably a good person to answer 
    your question.  ;)
    
    The fact is, most monolithic kernels stay resident in memory until the power 
    is removed.  As somebody pointed out, this is usually hidden by the fact that 
    all interfaces are usually shut down as a matter of practice.  However, 
    there's no necessity for this to be the case.
    
    This is entirely theoretically possible on the BSDs, as well as a 2.4 kernel; 
    the fact is, I never did the research to prove it possible, as I was 
    interested in the concept more than the implementation.  (And I had a 6.2 box 
    around when I wrote the article originally).
    
    > Also, if this is true, can your firewall be exploited, or even the NatD
    > daemon?
    
    If there were to be an exploit for the NAT or firewall code, it would be 
    exploitable.  However, what "exploitable" means in that case is a difficult 
    question.  It wouldn't be able to access /bin/sh or /etc/shadow, as all the 
    disks are unmounted.  No logins are possible, as all ttys are closed, and 
    there exists *no* userspace to be able to interface with.
    
    The exploit *could* remount the filesystems, and then perform the normal 
    exploit stuff, but given that most access-type exploitable conditions exist 
    in services in userspace, and not in kernel space, this seems unlikely.
    
    > Has anyone ever actually tried this type of configuration, and does it
    > work well?
    
    In testing, I ran my home RH 6.2 box as a masquerading firewall for more than 
    24 hours with a normal ruleset; it worked wonderfully.  :)
    
    Glad that the article provoked some discussion... I haven't even managed to 
    see a copy in print yet.  Hard finding a copy of Sys Admin in SF right now, I 
    guess.  ;)
    
    Mike
    
    -- 
    | Mike Murray                    <mmurrayat_private>
    | Scientific Technologist       http://www.nCircle.com
    | nCircle Network Security                  415-625-5968
    | cell - 415.305.0859
    
    This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 09:02:39 PST