On Sun, 2002-05-19 at 22:32, Nicole Zimmerman wrote:

> I did something similar in building firewalls.
> What I did was:
>
> 1. Install potato out of the "box" (we have a local mirror)

I did the same, except that I used woody. After doing a base install, you could use apt's dependency-fixing capability to install only the end-item packages you wish (e.g. from a base install, apt-get install iptables).

> 2. Thin potato out (remove unnecessary packages, compilers, etc)
> 3. Make a custom 2.4 kernel with NO loadable modules (because we know the
> hardware, we can do this) and with iptables

I build a custom kernel as well.

> 4. Install back-compiled packages for SSH, postgres, anything else (system
> requirements, plus SSH2 security advantages)
> 5. Switch partitions over to ext3 (if I ship the box and the box goes down
> and fails an fsck, we either give them root or send a tech, expensive
> either way)
> 6. Configure some of the packages to be "more" secure (e.g.
> exim configuration)
> 7. Configure an iptables firewall to further restrict access to
> illegitimate ports (anything but 80 and our 3 proprietary ports)
> (8: Install our software, test, etc)

The other thing I do is to maintain a package list of machines I build. For instance, I have a selection of workstation packagelists, laptop, mailserver, firewall and the like. In essence, I do a

    dpkg --get-selections > packagelist

This gives me the option of doing a base install, then doing

    dpkg --set-selections < packagelist
    apt-get dselect-upgrade

in lieu of FAI. Putting the packagelist, drive partitioning information, and copies of tweaked datafiles onto a CD (like the woody minicd), would allow you to replicate machines relatively quickly.

--
--Brad
============================================================================
Bradley M. Alexander                |  storm [at] debian.org
Debian Developer, Security Engineer |  storm [at] tux.org
Debian/GNU Linux Developer          |  Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     |  server2048.virtualave.net/onyx23
============================================================================
Key fingerprints: DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
                  RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
============================================================================
You don't shoot to kill; You shoot to stay alive.
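The packagelist replication workflow from the mail above, written up as an added shell example (not Brad's own script). The save/apply functions wrap the dpkg and apt-get commands he names; the sample selections file and the denylist of build tools (for the "thin it out" step) are constructed for the demo so it runs without dpkg:

```shell
#!/bin/sh
# Added example: save a reference machine's package selections, sanity-check a
# selections file before replaying it, then apply it on a fresh base install.
set -eu

# Run on the reference machine: dump selections to the packagelist file.
save_selections() {
    dpkg --get-selections > "$1"
}

# Count entries marked 'install'. dpkg --get-selections emits one
# "<package><TAB><state>" pair per line.
count_install() {
    awk -F '\t' '$2 == "install" { n++ } END { print n+0 }' "$1"
}

# List packages a stripped-down firewall build should not carry.
# Constructed denylist of compilers/build tools; extend to taste.
find_unwanted() {
    awk -F '\t' '$2 == "install" && $1 ~ /^(gcc|g\+\+|cpp|make|binutils)(-|$)/ { print $1 }' "$1"
}

# Run on the fresh base install: load the selections, then let apt install
# and remove packages until the machine matches the list.
apply_selections() {
    dpkg --set-selections < "$1"
    apt-get dselect-upgrade
}

# Constructed sample packagelist (tab-separated) so the checks run anywhere.
demo_file=$(mktemp)
printf 'iptables\tinstall\nopenssh-server\tinstall\ngcc\tinstall\nexim\tinstall\ntelnetd\tdeinstall\n' > "$demo_file"

echo "packages marked install: $(count_install "$demo_file")"
echo "unwanted build tools still selected: $(find_unwanted "$demo_file")"
```

Review `find_unwanted` output before `apply_selections`, so a compiler left on the reference box is not copied onto every firewall you ship.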

