[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building Debian firewall

On Tue, May 29, 2001 at 01:54:05AM +0530, Rajkumar S. wrote:
> I have been thinking about this for some time. I was not exactly
> interested in having a firewall, but to have a system that can be used to
> host a web, ftp, dns, mail servers. This will also include a firewall and
> an IDS (snort). Some of the design points that I had was
> * Mounting as many partitions RO, including /etc, /usr etc.. and thus
> * Having two modes of boot,
>         maintenance mode - which lets you edit the files
>         production mode - which is used for actual run
> * Setting Append only attribute for /var/log
> * Having ssh xinetd syslog-ng etc configured instead of insecure
>   alternatives
> * Fully locking down the ports
> * Configured firewall and snort by default
> * Automatic log analysis and reporting on a secure web page. (so that any
> one with the username and password can look at the summary and details of
> the logs by visiting a page on the machine)
> * Removal (non installation) of all but very essential programs.
> * Use of encrypted protocols instead of plain text ones ie the daemons
> used should use encryption if the clients support them
> Some these may not be feasible and even absurd.
> But I want to mount bare minimum of file systems RW. The /var/log can be
> made append only so that the logs can be appended only. The distribution
> should have only minimum of utilities that are required for the work in
> hand. The box is designed to work with minimal intervention.
> What I am planning is to hack the debian installation script to make
> package selections which satisfy these requirement, and then to have a
> hardening script like bastille linux.
> I would love to hear what you have to say about this.
> with warm regards,
> raj

I think it would be a great idea. I have been looking for a Debian
based secure by default distribution. It would be great to have a script
that would allow many options so that the user could choose a very
secure install with no services, if it is a firewall only box. And to
have the ability to install more services on it if one needs to run web
servers, DNS etc. I know it is more risky to run services on a firewall
but, if you or a home user or a small business and cannot afford to run
dedicated servers it would be nice to know it could be secure as
possible. I have checked into http://www.gibraltar but it looks like
they are going to sale a commercial version that has a web based interface.
I am looking for a totally open source version that uses open source
tools so that I don't get locked into a proprietary version.

Just some of my random thoughts,
Kirk Schroeder

Reply to: