Re: down to the core
On 24 Jul 2004, Steve Melo wrote:
> I'm looking to build a system that will be a dedicated firewall machine.
> I would like this installation to be secure from the ground up and was
> hoping that someone could recommend a customized kernel package
> built specifically for firewalling.
You may find that the `kernel-package' package, together with a Debian
or kernel.org source tree, is the best fit for your needs here.
> The reason I'm asking is because just recently I tried using the ulog
> feature only to find that it is not supported by my kernel. So I
> figured if I'm going to build a new kernel, what other enhancements
> can I make?
IIRC, the stock Debian kernels turn on pretty much all of the firewall
type features, so you can't add much there. Have a look through the
kernel config, though, and see if anything leaps out. :)
For me, the main advantage of building a custom kernel is that I can
build in the drivers needed to boot, eliminating the need for an initrd,
at the cost of a little flexibility.
> I don't know much about kernel patches either so excuse me if this is a
> dumb question: Are there any patches that would give me additional
> functionality related to firewalling?
Well, there are a bunch of things in the netfilter patch queue that are
not in the kernel yet. OTOH, they may or may not break things, and if
they do you get to keep both pieces.
In theory, running something like SELinux on the system will allow you
to increase security. Doing so is not trivial, though, and probably not
a good return on investment.
Most of the other "security" patches don't seem worth the time to me,
Should I abide by the rules until they're changed,
or help speed the change by breaking them?
-- Ashleigh Brilliant