Re: Debian Full Distro v Debian 'Stripped Down' for firewall?
On Mon, 17 Jan 2005 14:05:47 +0000 (GMT), Robert wrote in message
<20050117134727.X17695@nirmala.opentrend.net>:
> On Mon, 17 Jan 2005, Dave Ewart wrote:
>
> > I'm planning on building a firewall for three or four subnets. I'd
> > like to use Debian because I 'know' it, but am curious to know other
> > people's opinions on the following:
>
> I use Debian for firewalls all the time.
..I use ipcop-1.4.2, (ipcop.org). One problem is it is limited to 4
arms: RED for internet, BLUE for wifi lan, GREEN for wired lan,
and ORANGE for the DMZ. I'd like to see those as classes, with
RED0, RED1, BLUE2 etc, and with wifi NICs too; now it needs APs.
Another problem with it is, it's LFS based, and LFS looks like a
dying project, so given time etc, I'd debianise ipcop.
> > In this situation, would you use a largely-unaltered stock Debian
> > installation (e.g. Woody) or would you make drastic changes to it?
> > At the moment, my plan is:
>
> Nothing you suggest below counts as varying from stock Debian IMHO but
> let me make a suggestion...
>
> > 1. Install Debian (probably Woody);
>
> When I install anything except a very full featured box I avoid
> tasksel and dselect during the install and only apt-get those
> components I want when the system is up. I know others do the same.
>
> > 2. 'apt-get remove' anything which is installed by default that I
> > know I don't need;
>
> If you've avoided tasksel & dselect as suggested above there is no need
> to apt-get remove anything. Just apt-get install those components
> you want.
>
> The system ends up very lean. The use of "deborphan -a" periodically
..an ipcop can be "mapped" to .debs this way, no? (As in ssh in and ls
-aRlF to build a list of files and dpkg -S or deborphan -a that?)
> is good also. Evaluate each of those packages and determine if it is
> needed.
>
> > 3. Check for all externally-listening services and remove them, with
> > the exception of SSH;
>
> Or don't install them in the first place :) Review inetd.conf and
> comment out any unneeded services, including echo, chargen, discard,
> daytime and time unless you know you need them (for testing or
> whatever).
>
> > 4. Configure the firewall as a 'forwarding' firewall, so that it
> > doesn't actually listen for any services of its own, with the
> > exception of SSH from a single IP on the 'GREEN' interface.
>
> Best practice has it that no services are run on the firewall (except
> ssh) to avoid someone being able to get in behind the firewall and
> bring it down. Do compare this though to the security of letting
> someone _through_ the firewall. If you are letting people into your
> internal network it is just as bad unfortunately. A DMZ is needed
> for decent security but that may not be viable in a home setup.
> Security is about assessing risk vs the effort you want to go to (or
> can afford).
>
> > Possible additional measures:
> >
> > 5. Fine-tune kernel for routing and firewall behaviour;
>
> You're unlikely to stress the box enough to warrant it IMHO.
> Firewalling is packet evaluation and passing. If you are loading the
> box so much that you need to fine-tune it then getting a bigger box
> is a good plan.
>
> This is of course different from fine-tuning a box with interactive
> users. They may notice performance differences long before the box is
> maxed out.
>
> There are compile time options that affect routing and the use of
> those is good if you know the box will be mostly routing. Also, I
> recommend compiling in advanced routing features even if you don't
> intend to use them. You'll thank yourself one day if you decide to
> start using those features.
>
> > 6. Allow firewall to use UDP on port 514 outgoing, to send syslogs
> > to a host on the GREEN network for logging.
>
> I wouldn't send syslog information outside the network unencrypted if
> I had a choice. There are ways to encrypt the data once it leaves
> the network.
>
> Rob
>
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
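A small audit helper for step 3 and Rob's inetd.conf advice, added here as an example and not something from the thread: it parses a constructed `netstat -tulpn` sample and a constructed inetd.conf to list non-loopback listeners other than sshd and the small internal inetd services that are still enabled. On a real box you would feed it the live command output and /etc/inetd.conf instead of the samples.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output on a firewall host (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      530/exim4
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      301/portmap
tcp6       0      0 :::22                   :::*                    LISTEN      412/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           610/syslogd'

# Constructed sample /etc/inetd.conf (not real data).
SAMPLE_INETD='#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo     stream  tcp  nowait  root  internal
discard  dgram   udp  wait    root  internal
#daytime stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd'

# Step 3: list sockets bound to a non-loopback address, ignoring sshd.
# Prints one "proto:port program" line per listener that needs a decision.
external_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF; sub(/^[0-9]*\//, "", prog) # strip the "PID/" prefix
            if (prog == "sshd") next
            print $1 ":" port " " prog
        }'
}

# Rob's inetd.conf advice: report the small internal services still enabled
# (uncommented lines for echo, chargen, discard, daytime, time).
inetd_leftovers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^(echo|chargen|discard|daytime|time)$/ { print $1 "/" $3 }'
}

external_listeners "$SAMPLE_NETSTAT"
inetd_leftovers "$SAMPLE_INETD"
```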