Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 23 Jul 2002 12:16:13 -0400 (EDT)
Rebuild your kernel to turn off all the little gizmos and addons you do not require. This is where nfs can be turned off. It will be under;

# Filesystems
...
CONFIG_NFS_FS=n
...

You will perhaps have to manually edit /etc/rc.d/rc.inet2 to clean up the nfs and portmapper stuffs. Comment out what's not needed, or make a backup of the file and hard edit out what is not required for your setup.

Become familiar with the kernel build options, try make menuconfig and seek the help button on each param under the kernel build. Additionally, get to know the rc. files well, especially the rc.inet<1,2> files, not to mention the firewall rules loading rc.

There are ways to block portmapper on linux systems, but, it requires a lot of work getting to know where and to which ports this flexible little beastie is going to load on successive boots. If one's not going to use it, and a firewall should not require it be used, you are better off turning it off as you are seeking to do.

You might wish to hardcode into the kernel those bits you require and avoid the loadable modules stuffs, it makes for a bigger kernel, but, eliminates the ability of anyone that might hack your box from being able to load malicious modules into the system. I believe I've seen this described as building a "monolithic" kernel...

Thanks,

Ron DuFresne

On Tue, 23 Jul 2002, Marc DVer wrote:
I have a computer set up for the exclusive use as a gateway/firewall running IPChains. I would like to know if I can safely shut down the rpc.statd service. According to the man page, "It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots."

Since I am not using NFS (or at least I believe I am not; the firewall is the only *nix computer on the network, and isn't used for file sharing) can I safely turn this off? I have read that turning off unneeded services is needed to secure a linux box, which is doubly a concern with a firewall.

Sincerely,

Marc DVer
White Eagle Laboratories, Inc.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
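An added example, not part of the original post or thread: a shell check of a kernel .config for the two things the reply recommends, NFS support switched off and loadable module support left out. CONFIG_NFS_FS comes from the post; checking CONFIG_MODULES, CONFIG_NFSD and CONFIG_SUNRPC as well, the function names, and the two sample .config fragments are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Report the state of one option in a kernel .config: y, m, or n.
# "# CONFIG_X is not set" and an absent line both count as n.
kconfig_state() {
    # $1 = path to .config, $2 = option name
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# Print one line per option that is still enabled and return the
# number of findings as the exit status (0 means nothing to fix).
audit_firewall_kconfig() {
    cfg=$1
    findings=0
    for opt in CONFIG_MODULES CONFIG_NFS_FS CONFIG_NFSD CONFIG_SUNRPC; do
        state=$(kconfig_state "$cfg" "$opt")
        if [ "$state" != n ]; then
            echo "FINDING: $opt=$state"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample fragments: a stock modular kernel and a
# monolithic build with NFS and module loading switched off.
make_sample_configs() {
    dir=$1
    cat > "$dir/stock.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_NFS_FS=m
CONFIG_NFSD=m
CONFIG_SUNRPC=m
CONFIG_EXT2_FS=y
EOF
    cat > "$dir/hardened.config" <<'EOF'
# CONFIG_MODULES is not set
# CONFIG_NFS_FS is not set
# CONFIG_NFSD is not set
CONFIG_EXT2_FS=y
EOF
}

tmp=$(mktemp -d)
make_sample_configs "$tmp"
for f in stock hardened; do
    echo "== $f"
    audit_firewall_kconfig "$tmp/$f.config" || true
done
rm -rf "$tmp"
```

Point `audit_firewall_kconfig` at the .config in your own kernel source tree after running the configuration step; a non-zero exit status is the number of options still enabled.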