
Re: My first firewall



you might also consider locking down things in the kernel:
http://www.grsecurity.net/

some intrusion detection:
http://www.lids.org/
http://www.cs.tut.fi/~rammer/aide.html
http://www.tripwire.org/
http://imsafe.sourceforge.net/

file systems could be mounted read-only where possible and permissions could be 
made more restrictive. 

strip away as much as you can from the base install. keep the kernel lean, 
build as much in module format as you can and don't keep modules that you 
don't need.

run a port scanner up against your machine to make sure ports are shutdown 
tight:
http://www.insecure.org/

watch your logs, keep abreast of exploits.

here's a hint on DNS if you want to run it on your firewall:
http://www.psionic.com/papers/whitep01.html

-nishan

On Tuesday 21 May 2002 09:26 pm, James wrote:
> > In addition to plain ole iptables masquerade, I'd personally
> > install squid, ntp, and bind.  You may as well use squid to
> > get some benefit out of the 8 gig hard drive.  "Obviously"
> > you want to dpkg --purge telnetd, etc.
>
> BIND has been statistically one of the largest *nix exploits.  I would
> not recommend installing it on a firewall.
>
> While things have gotten better and there are useful security measures
> (chroot jails), it is not really worth putting on a firewall (which
> should be dedicated, hardened and standalone, imo).
>
> Squid I agree with, if you want/need a caching proxy.  If you have a
> fast connect or very few users, I'd say "Why bother?"  Most places I
> know that use them, besides for legal and policy reasons, get most use
> out of them because users access the same content all the time
> (www.aol.com, www.yahoo.com, organization webpages).
>
> - James
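Editor's note: the read-only mounts, restrictive options and port scanning discussed above are easy to turn into a repeatable check. The script below is an added example, not part of nishan's or James's message or any Debian list tooling. It parses /proc/mounts-style lines and nmap grepable (-oG) output; both inputs here are constructed sample data, and the policy lists (which mounts must be ro, which need noexec/nosuid/nodev, which ports may be open) are the editor's assumptions for a dedicated firewall box.

```shell
#!/bin/sh
# Added example: audit a firewall host's mount options and open ports.
# Not from the original message. SAMPLE_MOUNTS and SAMPLE_NMAP are
# constructed; on a real host replace them with `cat /proc/mounts` and
# `nmap -sS -oG - <external-ip>` (run from another machine).

# Constructed /proc/mounts lines: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda2 /usr ext3 rw 0 0
/dev/hda3 /var ext3 rw 0 0
/dev/hda4 /tmp ext3 rw,nosuid 0 0
/dev/hda5 /boot ext3 ro 0 0
proc /proc proc rw 0 0'

# Policy (assumption): /usr and /boot stay read-only once the box is built;
# /tmp and /var never need executables, setuid binaries or device nodes.
RO_MOUNTS='/usr /boot'
NOEXEC_MOUNTS='/tmp /var'

# has_opt OPTS OPT: true if OPT appears in the comma-separated mount options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts: one line per violation; remount hints are the fix to apply
check_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while read -r dev mnt fstype opts rest; do
        for m in $RO_MOUNTS; do
            if [ "$mnt" = "$m" ] && ! has_opt "$opts" ro; then
                echo "RO $mnt is mounted rw (fix: mount -o remount,ro $mnt)"
            fi
        done
        for m in $NOEXEC_MOUNTS; do
            if [ "$mnt" = "$m" ]; then
                for want in noexec nosuid nodev; do
                    if ! has_opt "$opts" "$want"; then
                        echo "OPT $mnt is missing $want (fix: mount -o remount,$want $mnt)"
                    fi
                done
            fi
        done
    done
}

# Constructed nmap -oG line for the outside interface. Real grepable output
# separates fields with tabs and lists ports as port/state/proto/owner/svc/rpc/ver.
SAMPLE_NMAP=$(printf '# Nmap scan initiated (constructed sample)\nHost: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 111/open/tcp//sunrpc///, 3128/open/tcp//squid-http///\tIgnored State: closed (996)\n# Nmap run completed\n')

# Policy (assumption): only ssh may answer on the outside; squid and DNS, if
# run at all, should listen on the inside interface only.
ALLOWED_PORTS='22'

# check_ports: flag every open port in the scan that is not on the allow-list
check_ports() {
    printf '%s\n' "$SAMPLE_NMAP" | grep '^Host:' | tr '\t' '\n' | grep '^Ports: ' \
        | sed 's/^Ports: //' | tr ',' '\n' | while read -r entry; do
        port=${entry%%/*}
        state=$(echo "$entry" | cut -d/ -f2)
        proto=$(echo "$entry" | cut -d/ -f3)
        [ "$state" = "open" ] || continue
        allowed=no
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=yes; fi
        done
        if [ "$allowed" != yes ]; then
            echo "PORT $port/$proto is open but not on the allow-list"
        fi
    done
}

# audit: print all findings; exit 1 if there were any (useful from cron)
audit() {
    findings=$( { check_mounts; check_ports; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no findings"
}

# Only run the audit when invoked directly as a script (hypothetical name).
case "${0##*/}" in
    firewall-audit.sh) audit || exit 1 ;;
esac
```

Against the constructed data this reports /usr mounted rw, /var and /tmp lacking noexec/nosuid/nodev, and three ports (53, 111, 3128) open on the outside that the policy does not allow; the "fix:" hints are the corresponding remount commands. Permissions are deliberately left to a separate pass (for example `find / -xdev -perm -0002 -type f` for world-writable files), since that needs the live filesystem rather than captured text.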




