Re: [fw-wiz] Securing a Linux Firewall

From: Brian Hatch (firewall-wizards@ifokr.org)
Date: 07/23/02


From: Brian Hatch <firewall-wizards@ifokr.org>
To: John McDermott <jjm@jkintl.com>
Date: Tue Jul 23 19:55:07 2002



> BTW, Marcus once wrote about an idea of creating a firewall by starting
> with a kernel and just a few basic utilities and then *adding* only the
> necessary software (as opposed to removing the unnecessary). While I
> have yet to try this, it sounds difficult but probably more secure to me.

This is always what I do. Why delete unneeded things when you can
add only the stuff you need as it comes up? That's certainly the
BSD ports way. My procedure for Linux boxes is:

        1) boot Debian install floppy
        2) install base
        3) exit when it starts up the package selection tools,
                before it even suggests adding more things.

You now have the absolute base stuff you could need to boot.
At that point, install what you need manually:

        4) apt-get install ssh
        5) ...

Of all the paranoid systems I run, the one with the most packages
is www.hackinglinuxexposed.com because it needs to run Apache,
and it only has 40 debs installed. (That's including the
libraries and weird dependencies like 'ssh depends on adduser'.)

And Debian is pretty good about being minimalistic in what it
packages together. A typical install will be more like 300
debs.

--
Brian Hatch                  Smith & Wesson:
   Systems and                The original
   Security Engineer          Point and Click
http://www.ifokr.org/bri/     device.
Every message PGP signed
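
The following is an added example, not part of Brian Hatch's message: one way to keep a box built by the add-only procedure above honest is to compare its installed debs against a written allowlist. The function name, the allowlist file format and the sample package data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit installed Debian packages against an allowlist (added example).
#
# On a live system, produce the status file with:
#   dpkg-query -W -f='${Package}\t${Status}\n' > status.txt

# unexpected_packages ALLOWLIST STATUSFILE
# ALLOWLIST:  one package name per line, '#' starts a comment.
# STATUSFILE: "name<TAB>status" lines as produced by the command above.
# Prints, sorted, every fully installed package that is not allowlisted.
# Removed packages that only left config files behind
# ("deinstall ok config-files") are not counted as installed.
unexpected_packages() {
    awk -F '\t' '
        FILENAME == ARGV[1] {
            sub(/#.*/, "")            # drop comments
            gsub(/[ \t]+/, "")        # drop padding
            if ($0 != "") allow[$0] = 1
            next
        }
        $2 == "install ok installed" && !($1 in allow) { print $1 }
    ' "$1" "$2" | sort -u
}

# Constructed sample data: an allowlist and a package status dump.
sample_dir=$(mktemp -d)
cat > "$sample_dir/allow.txt" <<'EOF'
# base system
adduser
libc6
ssh      # added manually after the base install
EOF
printf '%s\t%s\n' \
    adduser    'install ok installed' \
    libc6      'install ok installed' \
    ssh        'install ok installed' \
    telnetd    'install ok installed' \
    nfs-common 'deinstall ok config-files' > "$sample_dir/status.txt"

# prints: telnetd
unexpected_packages "$sample_dir/allow.txt" "$sample_dir/status.txt"
```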



