What is the modern "Floppy-Based" router based on?

sirsky sirsky at gmail.com
Mon Mar 13 22:18:58 CST 2006


On 3/4/06, Leo Mauler <webgiant at yahoo.com> wrote:
> The main problem with the CF card solution is that the
> CF card has no "write-protect" feature.  The original
> reason this topic was brought up in the first place
> was that floppy-based routers have easily switched
> write-protect tabs, allowing one to easily edit the
> floppy if necessary, then switch it back to
> write-protect mode for normal operation.
>
> Now, someone else has pointed out that there are a few
> USB memory keys which have write-protect tabs, which
> would make them an ideal substitute for the
> floppy-based router.

Another possible solution is to simply run the firewall in a 'halted' state.

I'll explain.  Basically when you halt the machine, everything shuts
down, all userspace programs are killed, all filesystems are unmounted
(and unmountable), modules unloaded, etc… and you're left with a
machine that's dead to the world, and a message that tells you that
you can turn off the PC.

BUT in fact, the machine is alive and well - the kernel itself is
still loaded, in memory, and fully functioning with full access to
everything the kernel gets access to: all hardware, memory, etc.

The trick is (and you can try this at home folks!) to remove the
networking and iptables stop scripts from /etc/init.d (or wherever
yours are located).  This keeps the interfaces up, networking alive,
and ipchains loaded and continuing to operate when you do
'shutdown -h now'.  Try it - move the stop scripts to /root/ and halt the
machine, you'll see it still responds to ping, etc...

Because everything in userspace is killed, there is no way to run any
hacks or attacks against the firewall (with the exception of kernel
vulnerabilities... but those still would require an active userspace
to feasibly exploit and make use of), since there are no services
running - only networking and ipchains. Also, all of your disks are
UNMOUNTED, no chance of writing to any files, adding users, or making
any other sneaky changes.

Of course, you'll still need to take great care when building your
kernel - i.e. no 'kernel automounter', etc… and make sure you build a
monolithic kernel - no modules.  At the same time, build it to the
very bare minimum absolutely necessary to operate, no extras.

When you want to edit or change the configuration of iptables, you
will of course need to reboot - by physically hitting the reset or
power button - log in as normal to make your changes, and then halt
the system again by rebooting (explanation is to follow).  On older
machines, this will not be as fast as simply flipping the
write-protect tab on the floppy, making your changes, and reloading
iptables, BUT, it is damn secure, with no funny hardware business.

You'll want to set up two kernels to choose to boot from, with the
default being the kernel built for the halted machine.  Set up a
runlevel with only networking and iptables to start, then immediately
halt the machine.  Another runlevel should be set up as normal. Have
each kernel boot to its respective runlevels (the minimal monolithic
boots to the halted state runlevel, while the full kernel boots to a
fully running system).  Now, if the power should fail, you're not
stuck with a fully running vulnerable system and you can still get to
it when you need to make any configuration changes.

As for logs, you can also choose to keep the logging daemon running,
configured to dump the logs to an internal logging server, or simply
not have logs (who would want that?!).  And if you're hardcore, SNMP
is OK too.

I think I've covered most all of the bases there, let me know if
you've any questions – I've been running my firewall like this for
years.

Thanks,

-Lucas
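The halt-after-start runlevel described above, as an added example that is not the author's own setup: a start script that installs default-deny policies before the interfaces come up, loads a saved ruleset, and halts only if that ruleset loaded cleanly, so a bad rules file leaves a repairable box rather than an open one. Interface names, the ruleset path and the --apply flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: start script for the "halt after
# start" runlevel. Interface names, ruleset path and --apply are assumptions;
# without --apply it is a dry run that only prints what it would do.
set -eu
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
RULES=${RULES:-/etc/iptables.rules}   # iptables-save output, edited offline
DRY_RUN=1

run() {   # print in dry-run mode, execute otherwise
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Default-deny policies go in before any interface comes up, so a failed
# ruleset load can never leave the box open.
fail_closed() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
}

load_rules() {   # iptables-restore applies the whole file or none of it
    if [ -n "$DRY_RUN" ]; then echo "iptables-restore < $RULES"; return 0; fi
    iptables-restore < "$RULES"
}

bring_up() {
    run ip link set "$WAN" up
    run ip link set "$LAN" up
    run sysctl -w net.ipv4.ip_forward=1
}

# Halt only when the ruleset loaded cleanly (status 0); otherwise stay up so
# the administrator can log in and repair it instead of running fail-open.
should_halt() { [ "$1" -eq 0 ]; }

main() {
    fail_closed
    if load_rules; then status=0; else status=$?; fi
    bring_up
    if should_halt "$status"; then
        run halt   # stop scripts are absent, so the kernel keeps filtering
    else
        echo "ruleset load failed; staying up for repair" >&2
    fi
}

case "${1:-}" in --apply) DRY_RUN= ;; esac
main
```

Run it without arguments first to review the dry-run output, then install it as the only start script of the firewall runlevel and invoke it with --apply from there.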

