Re: Debian Full Distro v Debian 'Stripped Down' for firewall?
Dave Ewart wrote:
| I'm planning on building a firewall for three or four subnets. I'd like
| to use Debian because I 'know' it, but am curious to know other people's
| opinions on the following:
| In this situation, would you use a largely-unaltered stock Debian
| installation (e.g. Woody) or would you make drastic changes to it? At
| the moment, my plan is:
| 1. Install Debian (probably Woody);
| 2. 'apt-get remove' anything which is installed by default that I know I
| don't need;
| 3. Check for all externally-listening services and remove them, with the
| exception of SSH;
| 4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
| actually listen for any services of its own, with the exception of SSH
| from a single IP on the 'GREEN' interface.
| Possible additional measures:
| 5. Fine-tune kernel for routing and firewall behaviour;
| 6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
| host on the GREEN network for logging.
| Comments/suggestions? In particular, would you do something other than
| Step 1? (Use another Debian-based distro?)
I use Debian woody firewalls built via this kind of process.
It's usually pretty sweet.
I have had the most trouble with things like ipsec/pptp/ppp. Stuff where
kernel and userland want matching versions of things. The woody versions are
frequently too old to be useful (to me). In some cases I've used backports,
but in other cases I've had to get empirical. I suppose this is my own
fault, because I try to run the newest kernel I can.
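Steps 3, 4 and 6 of the plan above, turned into checkable shell as an added example (not code from either poster): one function flags sockets bound on all interfaces other than SSH, the other emits a forwarding-only iptables ruleset that accepts SSH from a single GREEN host and lets only syslog out. The interface name, admin IP, syslog host and the netstat sample are assumed placeholders, constructed for the example.

```shell
#!/bin/sh
# Added example: assumed placeholder values, adjust to the real GREEN segment.
GREEN_IF=eth1            # assumed: the trusted (GREEN) interface
ADMIN_IP=192.0.2.10      # assumed: the single host allowed to SSH in
SYSLOG_HOST=192.0.2.20   # assumed: syslog collector on the GREEN network

# Constructed sample of `netstat -tuln` output from a stock install.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Step 3: read netstat-style text on stdin and print "proto port" for every
# socket bound to all interfaces (0.0.0.0) that is not SSH. Loopback-only
# binds (127.0.0.1) are not externally reachable and are left alone.
unwanted_listeners() {
    awk 'NR > 1 && $4 ~ /^0\.0\.0\.0:/ {
        split($4, a, ":"); if (a[2] != "22") print $1, a[2] }'
}

# Steps 4 and 6: iptables-restore ruleset for a pure forwarding firewall.
# Default policy is DROP on every chain; the box accepts nothing of its own
# except SSH from ADMIN_IP on GREEN, and originates nothing except syslog
# (UDP 514) to SYSLOG_HOST. Printed to stdout so it can be reviewed first.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $GREEN_IF -s $ADMIN_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Per-subnet FORWARD rules are site-specific and go here.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $GREEN_IF -d $SYSLOG_HOST -p udp --dport 514 -j ACCEPT
COMMIT
EOF
}

# Usage: netstat -tuln | unwanted_listeners ; firewall_rules | iptables-restore
printf '%s\n' "$SAMPLE_NETSTAT" | unwanted_listeners
```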