Re: Building Debian firewall
On Mon, 28 May 2001, Arne P. Boettger wrote:
> I'd like this idea, it would make using such a minimal system
> interesting for me too...
I have been thinking about this for some time. I was not exactly
interested in having a firewall, but in having a system that can be used to
host web, FTP, DNS and mail servers. This will also include a firewall and
an IDS (snort). Some of the design points that I had were:
* Mounting as many partitions RO, including /etc, /usr etc.. and thus
* Having two modes of boot:
    - maintenance mode - which lets you edit the files
    - production mode - which is used for actual run
* Setting Append only attribute for /var/log
* Having ssh xinetd syslog-ng etc configured instead of insecure
* Fully locking down the ports
* Configured firewall and snort by default
* Automatic log analysis and reporting on a secure web page (so that
anyone with the username and password can look at the summary and details
of the logs by visiting a page on the machine)
* Removal (non installation) of all but very essential programs.
* Use of encrypted protocols instead of plain text ones, i.e. the daemons
used should use encryption if the clients support them

Some of these may not be feasible and even absurd.

But I want to mount the bare minimum of file systems RW. The /var/log can
be made append only so that the logs can be appended only. The distribution
should have only the minimum of utilities that are required for the work in
hand. The box is designed to work with minimal intervention.

What I am planning is to hack the Debian installation script to make
package selections which satisfy these requirements, and then to have a
hardening script like Bastille Linux.

I would love to hear what you have to say about this.

with warm regards,
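
Added example, not part of the original message: a POSIX shell check for the "production mode" idea above, which reads a mount table in /proc/mounts format and reports every on-disk filesystem that is still mounted read-write. The allowlist (RW_ALLOWED), the skipped pseudo filesystems, the function names and the sample table are assumptions made for illustration.

```sh
#!/bin/sh
# Mount points allowed to stay read-write in production mode (assumed list;
# the message only names /var/log as writable, in append-only form).
RW_ALLOWED="/var/log /var/run /tmp"
# Kernel pseudo filesystems, not partitions, so they are not audited.
SKIP_FSTYPES="proc sysfs devpts"

# Reads mount-table lines on stdin (device mountpoint fstype options ...)
# and prints each mount point that is rw but not on the allowlist.
rw_violations() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case " $SKIP_FSTYPES " in *" $fstype "*) continue ;; esac
        # Options are comma separated; match "rw" as a whole option only,
        # so values such as errors=remount-ro do not count.
        case ",$opts," in
            *,rw,*) ;;
            *) continue ;;
        esac
        case " $RW_ALLOWED " in
            *" $mnt "*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Returns 0 when the table on stdin fits production mode, 1 otherwise.
audit_production() {
    bad=$(rw_violations)
    [ -z "$bad" ] && return 0
    printf 'read-write in production mode: %s\n' $bad >&2
    return 1
}

# Constructed sample: a box left in maintenance mode (/etc and /home are rw).
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 ro,nodev 0 0
/dev/hda3 /etc ext2 rw,nosuid 0 0
/dev/hda5 /var/log ext2 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /home ext2 rw 0 0
proc /proc proc rw 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | rw_violations
```

On a live system the same check is run as `audit_production < /proc/mounts`; it covers mount flags only, so the append-only attribute on /var/log still has to be checked separately with lsattr.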