JM wrote:
Then, he will need to harden the kernel, no? Enabling SELinux, etc. in the security section. Or even adding other security patches to the kernel. For those things the kernel source needs to be downloaded as well.
You might want to consider this hardened _distribution_ (including RSBAC, PaX, etc.pp.) - definitely worth a look:
http://www.trusteddebian.org/
It builds upon a Debian woody and I'm happily running half a dozen productive servers and 4 firewalls with it.
Lacks a few odds and ends of X-support (VNC works perfectly) but hey, who needs that on a firewall :-)
regards Martin