Re: My own Firewall ??

On 11 Mar 2005, JM wrote:
>> On 10 Mar 2005, Jean-Michel Hiver wrote:


>>>> Oh, and I recommend using 'firehol', which is in /testing and
>>>> /unstable, and is a wrapper around iptables. It takes a lot of the
>>>> hard work out of building a firewall, without stopping you doing
>>>> anything that iptables can do.


> I guess it is a matter of preference regarding aptitude, and there is a good
> support site for firehol at http://firehol.sourceforge.net/

That would be the site of the upstream author.  The mailing list is
pretty reasonable, but not actually very busy.  Must say something about
the product. ;)

> Then, he will need to harden the kernel, no? Enabling SELinux, etc. in
> the security section. Or even adding other security patches to the
> kernel.

Er, no.  SELinux is nice enough, but really non-trivial to get working
with Debian at present[1], and is probably not worth the trade-off in
terms of time to implement for most people _at the moment_.

I can't identify a single other "kernel security patch" set that I would
recommend to people.  None of them seem to have sufficient additional
value that they improve security more than they cost in implementation
time and inconvenience.

Also, many of the security patches that I have looked at, or seen
others -- especially the core kernel team -- review, have not had what
you would call good results from the attention.  Their security is often
less effective, in my opinion, than is claimed, and often targets the
wrong problems.

Removing unused network services from the system is probably helpful,
but as long as you stay up to date with Debian patches, even that isn't
/that/ great a risk.


[1]  To the best of my knowledge, at least.  Last time I checked you had
     to replace many core tools with SELinux versions, which are not
     officially part of Debian yet.
