
halted firewalls



Hi all,

I'm trying to run a halted Debian firewall, as described in
http://www.samag.com/documents/s=1824/sam0201d/0201d.htm .
This article describes how a Red Hat system can be shut down and still function
as a firewall. The article has been brought up on this list a couple years back
too, but no specifics were given as to how this could be implemented on Debian.
I would like to do this with a Debian (testing) system, so that NAT forwarding
would still work after my home gateway is shut down.

According to the article, these init scripts should be removed for it to work:

/etc/rc.d/rc0.d/S00killall
/etc/rc.d/rc0.d/K90network
/etc/rc.d/rc0.d/K92ipchains

As this is Debian, the scripts' names are different obviously. I believe these
are the Debian equivalents:

/etc/rc.d/rc0.d/S20sendsigs (Short-Description: Kill all remaining processes.)
/etc/rc.d/rc0.d/S35networking (Short-Description: Raise network interfaces.)
/etc/rc.d/rc0.d/S36ifupdown (Short-Description: Prepare the system for taking up
interfaces.)

The "sendsigs" script seems to be the alternative for Red Hat's killall, and
"networking" for its "network". I assume that "ifupdown" shouldn't be run,
either.
My firewall is a shell script which is run by /etc/rc.local (yes, I'm aware
that's theoretically a security concern as it gets run too late).

My problem, of course, is that it doesn't work. The system behind my gateway
can't access the Internet anymore after I stop the gateway. I use static IPs for
my LAN, so DHCP getting shut down isn't a problem. My gateway does get its IP
through DHCP from my ISP however, could this be a problem? I thought maybe that
IP address could be freed and given back to the ISP, but I don't know where this
would happen - AFAIK I removed the needed init scripts, and nothing dhcp-related
seems to get run in if-down or whatever:

$ find /etc/network/ -type f
/etc/network/interfaces
/etc/network/if-pre-up.d/uml-utilities
/etc/network/if-up.d/uml-utilities
/etc/network/if-up.d/ntpdate
/etc/network/if-up.d/ntp
/etc/network/if-up.d/clamav-freshclam-ifupdown
/etc/network/if-down.d/clamav-freshclam-ifupdown
/etc/network/options
/etc/network/run/ifstate

Any ideas as to what I'm missing?

Thanks a lot,
Ludo

P.S.: Please Cc as I'm not subscribed.
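Added example, not part of the original post: a small POSIX sh audit for the halt-time scripts the post wants removed (sendsigs, networking, ifupdown), plus a check that the kernel forwarding flag is set. It assumes a SysV-style rc0.d directory of S* symlinks into init.d; the directory and sysctl file paths are parameters so it can be run against a constructed copy.

```shell
#!/bin/sh
# Added example (not from the original post). Lists the S* entries in a Debian
# rc0.d directory that would still stop processes or bring interfaces down at
# halt, and checks the kernel forwarding flag. Assumes SysV-style symlinks such
# as /etc/rc0.d/S20sendsigs -> ../init.d/sendsigs.

# Init scripts that tear the firewall down at halt (from the post).
TEARDOWN_SCRIPTS="sendsigs networking ifupdown"

# halt_teardown_scripts DIR
# Prints the name of each S* entry in DIR whose symlink target (or own name, if
# it is a plain file) is one of TEARDOWN_SCRIPTS. Returns 1 if any were found.
halt_teardown_scripts() {
    dir=$1
    found=0
    for entry in "$dir"/S*; do
        # Skip the literal pattern when the glob matched nothing; keep dangling links.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            script=${target##*/}
        else
            script=${entry##*/}
            script=${script#S[0-9][0-9]}
        fi
        for name in $TEARDOWN_SCRIPTS; do
            if [ "$script" = "$name" ]; then
                printf '%s\n' "${entry##*/}"
                found=1
            fi
        done
    done
    return $found
}

# forwarding_enabled [SYSCTL_FILE]
# Returns 0 when the forwarding flag reads 1. Defaults to the real sysctl file;
# a path argument lets the check run against a sample file.
forwarding_enabled() {
    file=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$file" ] && [ "$(cat "$file")" = "1" ]
}

# Usage on a live Debian box, as root, before halting:
#   halt_teardown_scripts /etc/rc0.d && forwarding_enabled && echo halt-safe
```

On the real system the directory is /etc/rc0.d; the post's /etc/rc.d/rc0.d paths are Red Hat's layout.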
