Re: Building Debian firewall

To: Debian Firewall <debian-firewall@lists.debian.org>
Subject: Re: Building Debian firewall
From: Kirk Schroeder <kirkschr@pacbell.net>
Date: Mon, 28 May 2001 16:00:31 -0700
Message-id: <[🔎] 20010528160030.C6238@pacbell.net>
Mail-followup-to: Debian Firewall <debian-firewall@lists.debian.org>
In-reply-to: <[🔎] Pine.LNX.4.33.0105290129270.3020-100000@swathi.lanscape.firm.in>; from voidmain@myrealbox.com on Tue, May 29, 2001 at 01:54:05AM +0530
References: <[🔎] 20010528151554.J16446@wohnheim.fh-wedel.de> <[🔎] Pine.LNX.4.33.0105290129270.3020-100000@swathi.lanscape.firm.in>

On Tue, May 29, 2001 at 01:54:05AM +0530, Rajkumar S. wrote:
> 
> I have been thinking about this for some time. I was not exactly
> interested in having a firewall, but to have a system that can be used to
> host a web, ftp, dns, mail servers. This will also include a firewall and
> an IDS (snort). Some of the design points that I had was
> 
> * Mounting as many partitions RO, including /etc, /usr etc.. and thus
> * Having two modes of boot,
>         maintenance mode - which lets you edit the files
>         production mode - which is used for actual run
> * Setting Append only attribute for /var/log
> * Having ssh xinetd syslog-ng etc configured instead of insecure
>   alternatives
> * Fully locking down the ports
> * Configured firewall and snort by default
> * Automatic log analysis and reporting on a secure web page. (so that any
> one with the username and password can look at the summary and details of
> the logs by visiting a page on the machine)
> * Removal (non installation) of all but very essential programs.
> * Use of encrypted protocols instead of plain text ones ie the daemons
> used should use encryption if the clients support them
> 
> 
> Some these may not be feasible and even absurd.
> 
> But I want to mount bare minimum of file systems RW. The /var/log can be
> made append only so that the logs can be appended only. The distribution
> should have only minimum of utilities that are required for the work in
> hand. The box is designed to work with minimal intervention.
> 
> What I am planning is to hack the debian installation script to make
> package selections which satisfy these requirement, and then to have a
> hardening script like bastille linux.
> 
> I would love to hear what you have to say about this.
> 
> with warm regards,
> 
> raj

I think it would be a great idea. I have been looking for a Debian
based secure by default distribution. It would be great to have a script
that would allow many options so that the user could choose a very
secure install with no services, if it is a firewall only box. And to
have the ability to install more services on it if one needs to run web
servers, DNS etc. I know it is more risky to run services on a firewall
but, if you or a home user or a small business and cannot afford to run
dedicated servers it would be nice to know it could be secure as
possible. I have checked into http://www.gibraltar but it looks like
they are going to sale a commercial version that has a web based interface.
I am looking for a totally open source version that uses open source
tools so that I don't get locked into a proprietary version.

Just some of my random thoughts,
Kirk Schroeder

Reply to:

References:
- Re: Building Debian firewall
  - From: "Arne P. Boettger" <apb@wohnheim.fh-wedel.de>
- Re: Building Debian firewall
  - From: "Rajkumar S." <voidmain@myrealbox.com>

Prev by Date: Re: Building Debian firewall
Next by Date: Re: Building Debian firewall
Previous by thread: Re: Building Debian firewall
Next by thread: Re: Building Debian firewall
Index(es):
- Date
- Thread