On 29 Jul 2004, James LeClair wrote:
> On July 28, 2004 04:54 am, Harald Gr�ne wrote:
>
>> You never know potential security holes. So it's a good idea to keep a
>> firewall system as simple as possible:
>>
>> no modules, no initrd, no editor, no shell, just iptables and a firewall
>> startup program, period.
>>
>> In a non-perfect world you need isdn, pppoe, syslog too.
>>
>> The whole system gets small enough to fit on a flash disk.
>>
>> Currently I'm searching for cheap hardware to build fanless firewall
>> systems.
>
> Could you provide some decent documentation/walkthrough on slimming down a
> Debian based router/firewall consistent with your recommendations?
If you are really looking for an embedded firewall solution, I strongly
recommend that you do not go out and build your own.

I have worked with Coyote Linux before (http://www.coyotelinux.com/), and
found it ... irritating as all heck, but it was an embedded system. I have
also used a few others, most of which have died at some point in the last
decade or so.

Getting this sort of thing right is a hard task, and not something that you
should be giving a shot to unless you can take the time to learn to get it
right, or already know it.

Now, I use a standard Debian system[1] for my firewalls, for two main
reasons:

The key reason is that any embedded system is going to be very limited, in
terms of functionality and especially in terms of being able to debug on it.
This translates into higher incremental costs when your requirements change,
and slower delivery of new features when a business need is identified.

This is especially true when you start dealing with topics such as VPN
support or the need to install and use packet level debugging tools on the
firewall.

The second, and less important, reason is that these little distributions
often don't have the active support base and development stream of something
like Debian.

If you don't mind doing your own security, maintenance and development, or
you have a *very* targeted system, they are fine. Otherwise, you carry the
liability of longer delays to security patches and the risk of the
distribution folding under you.

Now, none of this says that they are a *bad* thing, just that I don't like
them myself. You need to make your own call. :)

Daniel

Footnotes:
[1] Admittedly, with a fairly small set of packages installed, but still a
full blown Debian install.

--
A good engineer gets stale very fast if he doesn't keep his hands dirty.
        -- Wernher von Braun
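The quoted design ("just iptables and a firewall startup program") is easy to state and easy to get wrong in the details, so here is what such a startup program looks like as a self-contained added example; it is not code from the thread or from any of the distributions mentioned. It emits a complete default-deny, stateful ruleset in iptables-restore format, and it exposes two checks a defender can run before loading the rules: that every filter chain defaults to DROP, and how many rules admit brand-new connections (the part of the ruleset that deserves review). The interface names, the LAN prefix, and the choice of permitted services (SSH from the LAN, DNS and NTP from the box itself) are placeholder assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a minimal firewall
# startup program that generates and, on request, loads an iptables ruleset.
# WAN/LAN names, the LAN prefix and the allowed services are assumptions.
set -eu

WAN="${WAN:-eth0}"              # assumed upstream interface
LAN="${LAN:-eth1}"              # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed inside prefix

# Print a complete iptables-restore ruleset: every filter chain defaults to
# DROP, established traffic is accepted statefully, and only a short list of
# NEW connections is permitted. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the emitted file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# discard packets that do not belong to any tracked connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# replies to connections we already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only new inbound service on the box: SSH from the LAN side
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may open connections towards the WAN
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# the firewall itself only needs DNS and NTP out
-A OUTPUT -o $WAN -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# log what falls through to the DROP policy, rate limited to protect syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Check 1: number of filter chains whose policy is DROP (must be 3).
count_drop_policies() {
    gen_rules | grep -Ec '^:(INPUT|FORWARD|OUTPUT) DROP'
}

# Check 2: number of rules that admit NEW connections. This is the whole
# reachable surface of the ruleset; review this list whenever it grows.
count_new_accepts() {
    gen_rules | grep -Ec -- '--ctstate NEW -j ACCEPT'
}

# Load the rules atomically (iptables-restore replaces the whole table set),
# refusing if the policy check fails. Only runs when invoked as "apply".
apply_rules() {
    [ "$(count_drop_policies)" -eq 3 ] || { echo "refusing: not default-deny" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  gen_rules ;;
esac
```

Run it as `sh firewall.sh show` to inspect the generated file and `sh firewall.sh apply` (as root) to load it; because iptables-restore swaps the entire ruleset in one step there is no window where the box is half-configured, which is the main reason to generate the file rather than issue individual `iptables` commands from a startup script.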

