On 11 Mar 2005, JM wrote:
>> On 10 Mar 2005, Jean-Michel Hiver wrote:
[...]
>>>> Oh, and I recommend using 'firehol', which is in /testing and
>>>> /unstable, and is a wrapper around iptables. It takes a lot of the
>>>> hard work out of building a firewall, without stopping you doing
>>>> anything that iptables can do.
[...]
> I guess it is a matter of preference regarding aptitude, and there is a good
> support site for firehol at http://firehol.sourceforge.net/

That would be the site of the upstream author. The mailing list is pretty
reasonable, but not actually very busy. Must say something about the
product. ;)

> Then, he will need to harden the kernel, no? Enabling SELinux, etc. in
> the security section. Or even adding other security patches to the
> kernel.

Er, no. SELinux is nice enough, but really non-trivial to get working with
Debian at present[1], and is probably not worth the trade-off in terms of
time to implement for most people _at the moment_.

I can't identify a single other "kernel security patch" set that I would
recommend to people. None of them seem to have sufficient additional value
that they improve security more than they cost in implementation time and
inconvenience.

Also, many of the security patches that I have looked at, or seen others
-- especially the core kernel team -- review, have not had what you would
call good results from the attention. Their security is often less
effective, in my opinion, than is claimed, and often targets the wrong
problems.

Removing unused network services from the system is probably helpful, but
as long as you stay up to date with Debian patches, even that isn't /that/
great a risk.

Regards,
    Daniel

Footnotes:
[1] To the best of my knowledge, at least. Last time I checked you had to
    replace many core tools with SELinux versions, which are not officially
    part of Debian yet.

-- 
Fortune rarely accompanies anyone to the door.
        -- Balthasar Gracian

