-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sent: Wednesday, January 01, 2003 11:49 AM To: fbsd-questions Subject: opinions on my plan
I am building a firewall/NAT box for my father. This is the first firewall that I've built. And, I'm trying to put only the minimum software on it that will help me remotely administer it (i.e. ssh) and keep it up to date (i.e. portupgrade). I figured I'd need a few programs installed for convenience. But, I didn't want to sacrifice security. I thought I might get the advice of those who have gone before me.

At 15:16 01/01/2003 -0600, Craig M. Luchtefeld wrote:
For mine I did the following:
- Minimal install
- kern_securelevel_enable="YES" in rc.conf
- recompiled kernel for ipf and take out extra crap
- disabled inetd
- disabled sendmail
- used ipf and ipmon for firewall/nat

My firewall is running on minimal hardware and it's a firewall.. I only want to mess with it once and be done with it.
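A concrete starting point for the checklist above (added here as an example, not configuration posted in the thread): rc.conf knobs that turn on ipf, ipnat and ipmon and switch off inetd and sendmail, a first-match ruleset that blocks spoofed private ranges and everything inbound except ssh to the box itself, and a NAT map for the LAN. The interface names fxp0 (external) and xl0 (internal) and the 192.168.1.0/24 LAN are assumptions.

```conf
# ---- /etc/rc.conf additions (FreeBSD 4.x era knobs) ----
gateway_enable="YES"              # forward packets between xl0 and fxp0
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"                 # daemonise, log blocked/logged packets to syslog
inetd_enable="NO"                 # nothing listens except sshd
sendmail_enable="NONE"            # no sendmail daemon at all, not even local-only
sshd_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"              # no kld loading, immutable flags stick, no raw disk writes

# ---- /etc/ipf.rules ----
# Every rule carries "quick", so the first matching rule decides (ipf is
# otherwise last-match-wins).  lo0 and the LAN side are left open.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on xl0 all
pass out quick on xl0 all
# Spoofed private/loopback sources arriving on the outside interface: drop and log.
block in log quick on fxp0 from 10.0.0.0/8     to any
block in log quick on fxp0 from 172.16.0.0/12  to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8    to any
# Remote administration: ssh to the firewall, state created on the SYN.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
# Everything else unsolicited from outside is blocked and logged via ipmon.
block in log quick on fxp0 all
# Outbound from the box/LAN is allowed; "keep state" lets the replies back in.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# ---- /etc/ipnat.rules ----
# 0/32 means "the current address of fxp0", so a dynamic WAN address still works.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 0/32
```

With ipmon logging to syslog, the "block in log" lines give a record of what the outside is probing, which is the one thing worth checking on a box you otherwise never touch.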
Why not look at picobsd (in ports). It's a script that you run on your FreeBSD box which produces a minimal system on small media (single floppy, bootable CD, CF disc etc), and is ideally suited for running routers, firewalls, etc. You customise it for your exact requirements. It boots up and runs from RAMdisc - no hard disc required. Problems? Reboot and it's clean again..
Obviously the less you have on any externally exposed machine, the less security risk it poses. Since you can use pretty much any crap hardware to run as a router/firewall, find an old P1 (or worse) somewhere, and hide the decent machine you would need for squid internally, and put that, cvsup, etc on that, where it's safer. To upgrade the router, you just re-run the script to create a new floppy, disc image, etc.
[any technical questions on picobsd best addressed to freebsd-small mailing list].
APH Computers Ltd.
Tel: 0161-442 2603
Fax: 0161-443 1162