Firewall Wizards mailing list archives

Re: Securing a Linux Firewall


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 23 Jul 2002 12:16:13 -0400 (EDT)


Rebuild your kernel to turn off all the little gizmos and addons you do not
require.  This is where nfs can be turned off.  It will be under:

# Filesystems
...
CONFIG_NFS_FS=n
...

You will perhaps have to manually edit /etc/rc.d/rc.inet2 to clean up the
nfs and portmapper stuff.  Comment out what's not needed, or make a
backup of the file and hard edit out what is not required for your setup.

Become familiar with the kernel build options, try make menuconfig and seek
the help button on each param under the kernel build.  Additionally, get
to know the rc. files well, especially the rc.inet<1,2> files, not to
mention the firewall rules loading rc.  There are ways to block
portmapper on linux systems, but it requires a lot of work getting to
know where and to which ports this flexible little beastie is going to load
on successive boots.  If one's not going to use it, and a firewall should
not require it be used, you are better off turning it off as you are
seeking to do.

You might wish to hardcode into the kernel those bits you require and
avoid the loadable modules stuff, it makes for a bigger kernel, but
eliminates the ability of anyone that might hack your box from being able
to load malicious modules into the system.  I believe I've seen this
described as building a "monolithic" kernel...

Thanks,

Ron DuFresne


On Tue, 23 Jul 2002, Marc DVer wrote:

I have a computer set up for the exclusive use as a gateway/firewall running
IPChains.  I would like to know if I can safely shut down the rpc.statd
service.  According to the man page, "It is used by the NFS file locking
service, rpc.lockd, to implement lock recovery when the NFS server machine
crashes and reboots."  Since I am not using NFS (or at least I believe I am
not; the firewall is the only *nix computer on the network, and isn't used
for file sharing) can I safely turn this off?  I have read that turning off
unneeded services is needed to secure a Linux box, which is doubly a concern
with a firewall.

Sincerely,
Marc DVer
White Eagle Laboratories, Inc.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
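Ron's advice reduces to two checks that an administrator can make mechanical: the kernel build leaves out NFS (and, for a "monolithic" kernel, loadable-module support altogether), and no RPC daemons such as portmap or rpc.statd are left running. The script below is an added example written for this archive page, not code from either poster. It runs those checks against constructed sample inputs (a .config fragment and a saved "ps -eo pid,comm" listing) so it works offline; the check of /proc/sys/kernel/modules_disabled refers to a sysctl that kernels from 2.6.31 onward provide, and the path is taken as a parameter so the function can be exercised on a file of your choosing.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for the advice in the
# reply above. They check (1) a kernel .config for options a firewall host
# does not need (NFS, and for a "monolithic" kernel, CONFIG_MODULES), and
# (2) a process listing for RPC/NFS daemons (portmap, rpc.statd, rpc.lockd).
# All sample inputs below are constructed; option names use .config syntax.

# Kernel options to flag. CONFIG_MODULES is listed because a kernel built
# without it cannot load modules at all, which is the point of going monolithic.
UNWANTED_OPTS="CONFIG_NFS_FS CONFIG_NFSD CONFIG_MODULES"

# check_kconfig FILE
# Print each option from UNWANTED_OPTS that is active in the given .config.
# "=y" means built in and "=m" means built as a module; "# CONFIG_X is not set"
# and "CONFIG_X=n" both mean disabled. Returns 1 if anything is active, else 0.
check_kconfig() {
    status=0
    for opt in $UNWANTED_OPTS; do
        if grep -q "^${opt}=[ym]\$" "$1"; then
            echo "kernel: $opt is enabled"
            status=1
        fi
    done
    return $status
}

# check_rpc_procs FILE
# FILE holds the output of "ps -eo pid,comm" (PID and bare command name).
# Print any RPC/NFS daemon found; returns 1 if found, else 0. Matching the
# whole command column avoids the classic false positive of a grep for
# "portmap" matching its own command line.
check_rpc_procs() {
    hits=$(awk 'NR > 1 && $2 ~ /^(portmap|rpcbind|rpc\.statd|rpc\.lockd|rpc\.mountd|nfsd)$/ {
                    print "process: " $2 " (pid " $1 ")" }' "$1")
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}

# check_modules_disabled FILE
# On a kernel built with module support, /proc/sys/kernel/modules_disabled
# (kernels 2.6.31 and later) reads 1 once module loading has been switched
# off for the rest of the boot. Returns 0 if FILE exists and reads 1, else 1.
check_modules_disabled() {
    [ -f "$1" ] && [ "$(cat "$1")" = "1" ]
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

CLEAN_CONFIG="$SAMPLE_DIR/config.clean"
cat > "$CLEAN_CONFIG" <<'EOF'
# Filesystems
# CONFIG_NFS_FS is not set
# CONFIG_NFSD is not set
# CONFIG_MODULES is not set
CONFIG_NETFILTER=y
EOF

LOOSE_CONFIG="$SAMPLE_DIR/config.loose"
cat > "$LOOSE_CONFIG" <<'EOF'
# Filesystems
CONFIG_NFS_FS=m
# CONFIG_NFSD is not set
CONFIG_MODULES=y
CONFIG_NETFILTER=y
EOF

CLEAN_PS="$SAMPLE_DIR/ps.clean"
cat > "$CLEAN_PS" <<'EOF'
  PID COMMAND
    1 init
  412 syslogd
  455 sshd
EOF

LOOSE_PS="$SAMPLE_DIR/ps.loose"
cat > "$LOOSE_PS" <<'EOF'
  PID COMMAND
    1 init
  388 portmap
  402 rpc.statd
  455 sshd
EOF

MODS_OFF="$SAMPLE_DIR/modules_disabled"
echo 1 > "$MODS_OFF"

# Run the audit on the constructed inputs. Findings are printed, not turned
# into a non-zero exit, so the file can also be sourced by other scripts.
echo "== clean host"
check_kconfig "$CLEAN_CONFIG" && check_rpc_procs "$CLEAN_PS" && echo "no findings"
echo "== loose host"
check_kconfig "$LOOSE_CONFIG"; check_rpc_procs "$LOOSE_PS"
check_modules_disabled "$MODS_OFF" && echo "module loading is locked for this boot"
```

On a live host, point check_kconfig at the running kernel's .config (or /proc/config.gz after gunzip) and feed check_rpc_procs the actual "ps -eo pid,comm" output; a clean firewall reports nothing for either.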