Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Securing a Linux Firewall

From: Brian Hatch <firewall-wizards () ifokr org>
Date: Tue, 23 Jul 2002 16:26:26 -0700


BTW, Marcus once wrote about an idea of creating a firewall by starting
with a kernel and just a few basic utilities and then *adding* only the
necessary software (as opposed to removing the unnecessary).  While I
have yet to try this, it sounds difficult but probably more secure to me.


This is always what I do.  Why delete unneeded things when you can
add only the stuff you need as it comes up.  That's certainly the
BSD ports way.  My procedure for Linux boxes is:

        1) boot Debian install floppy
        2) install base
        3) exit when it starts up the package selection tools,
                before it even suggests adding more things.

You now have the absolute base stuff you could need to boot.
At that point, install what you need manually:

        4) apt-get install ssh
        5) ...

Of all the paraniod systems I run, the one with the most packages
is www.hackinglinuxexposed.com because it needs to run Apache,
and it only has 40 debs installed.  (That's including the
libraries and wierd dependencies like 'ssh depends on adduser'.)


And Debian is pretty good about being minimalistic in what it
packages together.  A typical install will be more like 300
debs.

--
Brian Hatch                  Smith & Wesson:
   Systems and                The original
   Security Engineer          Point and Click
http://www.ifokr.org/bri/     device.

Every message PGP signed

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: