on 7/27/00 7:16 AM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

> If anyone here were able to start, from scratch, their own firewall,
> specifically designed on a Linux platform, what would you select as the
> flavour, taking into consideration the following requirements:

I've built a couple really sweet firewalls lately using Mandrake - they're
quick, as tight as I can make them and we've had no problems at all.
 
> 1) Security, something stripped-down and tight

Almost any distro could make this cut - just install the bare minimum and
weed out any extra stuff you don't explicitly need. Don't install the games,
X, network daemons you don't need or want - just the basics. Add to flavor
and let simmer.

After you've got it installed, run the Bastille Linux hardening script on it
to clean up any other issues you may not already be aware of:

<http://www.bastille-linux.org/>

Take a look through the LASG:

<http://www.securityportal.com/lasg/>

and this:

<http://www.openna.com/books/Securing-Optimizing-Linux-RH-Edition-1_3.pdf>

Here's a good and very customizable firewall script:

<http://www.jsmoriss.dyndns.org/linux/rc.firewall-3.3>

> 2) Performance, as that is always an issue

You don't need a super powerful box to run a firewall - there are firewalls
that run off of a single floppy disk that run just fine performance-wise.
This would of course change with the size of the installation you're trying
to firewall.

> 3) Popularity, a flavor everyone likes

If you want a popular, supported flavor of Linux you'll probably want to
restrict your searches to i386 Linux. The others (PPC, Alpha, MIPS) just
don't come close to working as well as i386. I've fought with PPC Linux for
the last couple of years; it's getting better, but there are more people/kernel
developers using i386 so it seems to be better supported.

Debian, RedHat, Mandrake, insert-your-favorite-distro-here should all be
fine.

> 4) Future scope, something everyone will like for a long time to come

It doesn't have to be liked - it just has to work. You may never have to
touch the firewall again after it's installed, depending on your needs as an
installation - and as long as it doesn't get compromised.

> 5) Flexibility and Ease, something easy to use and without limitations

Well, if you wanted flexibility you came to the right place - but building a
secure firewall isn't what I would call "easy". Any limitations should be
able to be worked around.

The after-install-care is just as important as the installation - keep a
close eye on it so that you know what's normal and what's not. Keep watching
the security mailing lists for vulnerabilities - hopefully, if you've got a
small list of installed packages and are vigilant you should be OK.

Also, get some software like LogCheck or Swatch to help to weed out the
normal logs and send you only the ones you *need* and *want* to see - that
way you don't ignore the logs because there's too many of them to go
through. I've also got a modified version of LogCheck that sends me more
information (mailq, free, raid stats, disk space) so that I can see trends
and spot problems before they become critical.

<http://www.psionic.com/abacus/logcheck/>
<http://www.stanford.edu/~atkins/swatch/>

Hope that helped at all.
-- 
Darron
[EMAIL PROTECTED]

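As an added example (not part of the mail above, and not LogCheck's or Swatch's own code): the kind of grep-based filtering LogCheck does, run over a constructed syslog sample. The file names, the ignore and attack patterns, the hostname "fw" and every log line are made up for illustration.

```shell
#!/bin/sh
# Added example, not LogCheck or Swatch itself: a minimal LogCheck-style
# filter built on grep. Lines matching the ignore list are dropped, lines
# matching the attack list are reported first, and anything else left over
# is reported as "unusual" so it still gets looked at. The sample log, the
# hostname "fw" and the addresses are constructed for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Routine noise we never want mailed to us (extended regexps, one per line).
cat >"$WORK/ignore" <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD
sendmail\[[0-9]+\]: .*queue run
EOF

# Things that should always be flagged, even on an otherwise quiet box.
cat >"$WORK/attack" <<'EOF'
Accepted password for root
kernel: Packet log: input DENY
EOF

# Constructed sample: a few minutes of /var/log/messages from the firewall.
cat >"$WORK/messages" <<'EOF'
Jul 27 07:10:01 fw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jul 27 07:11:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 203.0.113.5:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN
Jul 27 07:12:15 fw sshd[2345]: Accepted password for root from 192.0.2.99 port 33000
Jul 27 07:13:00 fw sendmail[2400]: queue run for /var/spool/mqueue
Jul 27 07:14:20 fw su: (to root) admin on /dev/pts/1
EOF

# Each function takes: LOGFILE IGNOREFILE [ATTACKFILE]
# Drop everything the ignore list explains; what is left is worth a look.
interesting_lines() { grep -v -E -f "$2" "$1" || :; }
# Of the interesting lines, those that match a known attack signature.
attack_lines() { interesting_lines "$1" "$2" | grep -E -f "$3" || :; }
# The remainder: not explained by the ignore list, not a known attack.
unusual_lines() { interesting_lines "$1" "$2" | grep -v -E -f "$3" || :; }

# Print the report that would be mailed: attacks first, then the unexplained.
logcheck_report() {
    attacks=$(attack_lines "$@")
    unusual=$(unusual_lines "$@")
    [ -n "$attacks" ] && printf 'Active System Attack Alerts\n%s\n\n' "$attacks"
    [ -n "$unusual" ] && printf 'Unusual System Events\n%s\n' "$unusual"
    return 0
}

logcheck_report "$WORK/messages" "$WORK/ignore" "$WORK/attack"
```

In practice the ignore list grows as you learn what is normal on that one box, which is exactly the "know what's normal" habit the mail recommends; the attack list stays short and is the part you never trim.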