My firewall

My firewall is comparatively elaborate, as these things go. It started life as an ordinary NATting iptables filter and grew from there.

Presently it is a user-mode-linux-based firewall built from a pair of virtual machines. A future plan, partially implemented, moves it onto a ReVirt reversible virtual machine, should that project ever come back to life and get ported to UML, or should I ever find the time to do the port myself.

A quick description of it is here; since writing it I have compiled everything with ProPolice and started using the DigSig binary cryptographic signature validator.

Kernel patches

I also wrote some small patches to help. This patch (source) removes CAP_SYS_RAWIO from the capability bounding set, preventing attackers from loading modules via direct writes to /dev/mem or /dev/kmem. This /proc/modules-disabling patch (source) hides the module list, so that attackers can't tell that digsig is loaded. This module-sealing patch (source) allows a modular kernel to be 'sealed', precluding the loading of any further modules, so that a modular kernel can be built for digsig without leaving the system open to rootkits loading kernel code.
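The two kernel-side checks a defender would want after applying patches like these are "is CAP_SYS_RAWIO really gone from the bounding set?" and "is module loading really sealed?". The program below is an added example, not code from this page or from the patches it links; it audits both on a current Linux kernel, where the per-process bounding set is exposed as the CapBnd line of /proc/<pid>/status and sealing is exposed as the kernel.modules_disabled sysctl. Those interfaces are assumptions about the running kernel (the 2005 patches worked on the older global cap-bound sysctl, which is not consulted here); the capability number 17 for CAP_SYS_RAWIO comes from linux/capability.h, and the sample status text in the comments is constructed.

```c
/* Added example: audit the capability bounding set and module sealing.
 * Assumes a Linux kernel that exposes CapBnd in /proc/<pid>/status and
 * the kernel.modules_disabled sysctl; both are mainline features. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_RAWIO 17   /* value from <linux/capability.h> */

/* Parse one "CapBnd:<whitespace><hex mask>" line into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a CapBnd line. */
int parse_capbnd_line(const char *line, uint64_t *mask)
{
    const char *p = line;
    char *end;

    if (strncmp(p, "CapBnd:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* Scan the full text of a /proc/<pid>/status file (constructed sample:
 * "Name:\tbash\nCapBnd:\t000001ffffffffff\n") for the CapBnd line and
 * report whether capability number `cap` is in the bounding set.
 * Returns 1 if present, 0 if removed, -1 if no CapBnd line was found. */
int cap_in_bounding_set(const char *status_text, int cap)
{
    const char *line = status_text;

    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (len > 7 && strncmp(line, "CapBnd:", 7) == 0) {
            char buf[128];
            uint64_t mask;

            if (len >= sizeof buf)
                return -1;
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (parse_capbnd_line(buf, &mask) != 0)
                return -1;
            return (int)((mask >> cap) & 1ULL);
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Interpret the contents of /proc/sys/kernel/modules_disabled:
 * "1" means the kernel is sealed against further module loading. */
int modules_sealed(const char *sysctl_text)
{
    return sysctl_text != NULL && sysctl_text[0] == '1';
}

/* Read a small file into buf; returns bytes read or -1. */
static long read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char status[8192], sysctl[16];

    if (read_small_file("/proc/self/status", status, sizeof status) < 0) {
        perror("/proc/self/status");
        return 1;
    }
    int rawio = cap_in_bounding_set(status, CAP_SYS_RAWIO);
    printf("CAP_SYS_RAWIO in bounding set: %s\n",
           rawio == 1 ? "yes (raw /dev/mem access still possible)" :
           rawio == 0 ? "no (removed)" : "unknown (no CapBnd line)");

    if (read_small_file("/proc/sys/kernel/modules_disabled", sysctl, sizeof sysctl) < 0)
        printf("modules_disabled: sysctl not available on this kernel\n");
    else
        printf("module loading sealed: %s\n", modules_sealed(sysctl) ? "yes" : "no");
    return 0;
}
```

Run it as the user or service whose bounding set you care about; on a kernel without the patches described above (or without a bounding set narrowed by systemd, containers or capsh) it will report CAP_SYS_RAWIO as present, which is exactly the condition the first patch was written to remove.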


Nix
Last modified: Mon Jul 25 12:47:11 BST 2005