The way I've done it on a debian firewall is to have a cron job run an apt-get update and then an apt-get -d -y upgrade each morning (about 2am).
That way I just log in each day (ssh) and check what it's gonna do and then let it get on with it.

I got pissed off after seeing 2 complete installations go down the tube with reiserfs on the early 2.4 kernels (mine fell foul of dying when you create a file with a very long file name (ripping CDs)). As a result I'll not touch reiserfs for some months. However, in terms of firewall, the iptables and the new IP/TCP stack is so much better in 2.4 kernels that iptables is a dream to use and quite justifies using a 2.4 kernel in a production server (IMO).

Also, I find that you don't have to be too worried about what gets installed on the gateway. I know that sounds daft, but if your firewall drops all new incoming connections AND all invalid incoming packets then you're pretty much safe. All I do is the following:

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and then just make sure that /etc/interfaces/options has the forwarding option at 1 and you're sorted - I can't personally see how this can be easily hacked on eth0. Nothing can get in apart from ssh and your clients are safely protected and masqueraded.

HTH,

Matthew

On Mon, May 28, 2001 at 02:48:08PM +0100, Robert Davies wrote:
> > I think you should be careful about automatic apt-get anyway,
> > because someone might be able to alter the sources.list or the dns
> > resolve for your server, and inject manipulated files for this...
>
> This is a very good point, that I wanted to put to the minimalist who argued
> for using apt-get. debs have to be extended with signing, but your security
> is only as good as the ftp server you use at present, which is not ideal for
> a firewall.
>
> Using automatic apt-get update && apt-get upgrade, would not be wise for a
> critical machine. It's great for home use, but a corporate firewall...
> that's real balls to the wall stuff.
>
> Rob

--
Matthew Sackman
Nottingham, ENGLAND
Using Debian/GNU Linux
Enjoying computing
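The three rules from the message above, written out as a complete script with deny-by-default policies and an explicit FORWARD chain (the part that actually protects the masqueraded clients); this is an added example, not code from the original post. It assumes eth0 is the WAN side and eth1 the LAN side (placeholders), and the IPT_BIN variable lets you point at a stub such as echo to review the commands before running them as root.

```shell
#!/bin/sh
# Added example (not from the original post): the post's rules plus the
# pieces it leaves to the default policies.
# Assumptions: WAN=eth0, LAN=eth1 (placeholders); IPT_BIN=echo prints the
# commands instead of applying them.
set -eu

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

ipt() { "${IPT_BIN:-iptables}" "$@"; }

apply_firewall() {
    # Clean slate with deny-by-default policies, so a missing rule
    # fails closed rather than open.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections the box opened itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The post's INPUT rules: only ssh may open a new connection from the
    # WAN; any other new or malformed packet arriving there is dropped.
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -m state --state NEW,INVALID -j DROP
    ipt -A INPUT -i "$LAN" -j ACCEPT

    # FORWARD is what shields the masqueraded clients; the post relies on
    # the default policy here, so say it explicitly: LAN may start
    # connections outward, the WAN may only answer them.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP

    # The post's NAT rule.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    # The kernel-side equivalent of the forwarding option the post sets
    # in the Debian options file.
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) apply_firewall && enable_forwarding ;;
esac
```

Run with `IPT_BIN=echo sh fw.sh apply` first to read the generated rule set, then as root without the stub to apply it.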

