Henry Hollenberg <speed@barney.iamerica.net> writes:

> Has anyone written up a howto for stripping down a Debian system for
> service as a bastion host? A firewall out of the box - great!!!!

> I have been fiddling with this for a while and have developed a list of
> packages that I think are needed.

Why don't you mount the files needed for maintenance temporarily from a
machine that can be destroyed or is normally not connected to the net.
IMHO there's no need for programs to build packages on the bastion. That
can be done elsewhere.

> Firewall Architecture = screened subnet:
>
> - inet
>
> - outer router (pipeline 50 running secure access software for flexible IP
>   filters)
>
> - perimeter net with bastion host as above (I guess I'll need to subnet my
>   class C in half to make the IP filter rules work for the three networks.)
>
> - inner router (another stripped down bastion host Debian linux machine)
>
> - inner network - my hosts and internal mail hub/DNS.

You mean something like that:

                            bastion
                               |
                               |
  internet - packet filter A ----------- packet filter B - LAN

  packet filter A - outer router
  packet filter B - inner router

> Plan on allowing these services to start with: DNS, mail, news, outgoing
> ftp and telnet and http. No incoming telnet or ftp for now.

Why don't you put an ftp-only machine before the outer router or parallel
to the bastion!? Use the same machine for WWW.

> HTTP: APACHE http server and cache server running on the bastion host.

IMHO squid is the better proxy for HTTP ...

> That's it!!!

Sounds good. I'm missing ssh to be able to login to the machines safely.
rlogin and telnet should be disabled.

The most difficult part is to make the setting of the filtering rules
foolproof. This configuration should be made with the framework COAS
provides.

Thanks
Christian

-- 
Christian Leutloff, Aachen, Germany          leutloff@sundancer.oche.de
http://www.oche.de/~leutloff/                leutloff@debian.org
Debian GNU/Linux - http://www.de.debian.org/
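As an added example, not part of Christian's message or of any Debian tooling, here is a small Python model of the screened subnet the thread sketches: packet filter A (outer router) and packet filter B (inner router) around a perimeter net with one bastion, rules matched first-to-last with a default DENY. The point of the model is Christian's last remark, making the filter rules foolproof: an `audit()` function checks the invariants stated in the thread (no incoming telnet or ftp, logins only over ssh, the LAN never reachable directly from the internet) and shows how a broad ACCEPT placed ahead of the specific rules is caught. All addresses, the port numbers, the choice of squid on port 3128 as the HTTP proxy and the exact service split between the two filters are assumptions.

```python
"""
Toy model of the screened-subnet policy from the thread (added example).
Filter A is the outer router, filter B the inner router; one bastion sits
on the perimeter net.  Rules are first-match with a default DENY, and
audit() checks the invariants the thread asks for.  Addresses, ports and
the squid proxy port are constructed assumptions, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: the class C split in half, as the post suggests.
INTERNET = ip_network("0.0.0.0/0")
PERIMETER = ip_network("192.0.2.0/25")
LAN = ip_network("192.0.2.128/25")
BASTION = ip_network("192.0.2.2/32")          # single host on the perimeter net
OUTSIDE_HOST, LAN_HOST = "198.51.100.7", "192.0.2.130"

PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53,
         "http": 80, "nntp": 119, "rlogin": 513, "squid": 3128}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DENY"
    src: object                   # ip_network
    dst: object                   # ip_network
    proto: Optional[str] = None   # None matches either protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"


def tcp(action, src, dst, svc):
    return Rule(action, src, dst, "tcp", PORTS[svc])


# Filter A (outer router): only the bastion talks to the internet, and the
# internet may only deliver mail, news and DNS to the bastion.  Outgoing ftp
# is modelled by its control port only; the data channel is left out.
FILTER_A = [
    tcp("ACCEPT", INTERNET, BASTION, "smtp"),
    tcp("ACCEPT", INTERNET, BASTION, "nntp"),
    Rule("ACCEPT", INTERNET, BASTION, None, PORTS["dns"]),
    *[tcp("ACCEPT", BASTION, INTERNET, s) for s in ("smtp", "nntp", "http", "ftp", "telnet")],
    Rule("ACCEPT", BASTION, INTERNET, None, PORTS["dns"]),
    Rule("DENY", INTERNET, INTERNET),        # explicit catch-all, same as the default
]

# Filter B (inner router): LAN hosts reach only the bastion, and only for
# admin (ssh), the HTTP proxy, mail, news and DNS; the bastion may hand mail
# and DNS answers back to the internal hub.  Nothing else crosses.
FILTER_B = [
    *[tcp("ACCEPT", LAN, BASTION, s) for s in ("ssh", "squid", "smtp", "nntp")],
    Rule("ACCEPT", LAN, BASTION, None, PORTS["dns"]),
    tcp("ACCEPT", BASTION, LAN, "smtp"),
    Rule("ACCEPT", BASTION, LAN, None, PORTS["dns"]),
    Rule("DENY", INTERNET, INTERNET),
]


def audit(filter_a=FILTER_A, filter_b=FILTER_B) -> list:
    """Return the list of policy violations (empty means both rule sets pass)."""
    bastion = str(BASTION.network_address)
    bad = []
    # 1. No incoming telnet, ftp or rlogin from the internet.
    for svc in ("telnet", "ftp", "rlogin"):
        if evaluate(filter_a, Packet(OUTSIDE_HOST, bastion, "tcp", PORTS[svc])) == "ACCEPT":
            bad.append(f"filter A accepts inbound {svc} to the bastion")
    # 2. The LAN is never reachable directly from the internet, whatever A does.
    for svc, port in PORTS.items():
        for proto in ("tcp", "udp"):
            if evaluate(filter_b, Packet(OUTSIDE_HOST, LAN_HOST, proto, port)) == "ACCEPT":
                bad.append(f"filter B lets internet {proto}/{svc} into the LAN")
    # 3. Logins to the bastion are ssh only: telnet/rlogin closed, ssh open from the LAN.
    for svc in ("telnet", "rlogin"):
        if evaluate(filter_b, Packet(LAN_HOST, bastion, "tcp", PORTS[svc])) == "ACCEPT":
            bad.append(f"filter B accepts {svc} to the bastion")
    if evaluate(filter_b, Packet(LAN_HOST, bastion, "tcp", PORTS["ssh"])) != "ACCEPT":
        bad.append("filter B blocks ssh from the LAN to the bastion")
    return bad


# A common mistake: a broad ACCEPT placed before the specific rules.  With
# first-match semantics it silently opens the whole perimeter; audit() sees it.
LEAKY_A = [Rule("ACCEPT", INTERNET, PERIMETER)] + FILTER_A

if __name__ == "__main__":
    print("good policy:", audit() or "OK")
    print("leaky policy:", audit(LEAKY_A, FILTER_B))
```

Running the block prints `OK` for the intended rule sets and three violations for `LEAKY_A`, one per inbound login or ftp service the misplaced ACCEPT lets through. The same idea carries over to a real filter: write the invariants down as packets that must be denied or accepted, and replay them against the rule set every time it changes.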