On Thu, 6 Jul 2000, Adam Wendt wrote:
> Right now I only have an 85meg hard drive so I was hoping you guys could
> give me some suggestions on what distro/OS (FreeBSD, NetBSD OpenBSD etc..)
> might work for this purpose (and fit on 85megs).

  I would recommend either Linux or OpenBSD.

  Linux has advantages in pretty good security, wide support, more drivers, and
a bunch of people here on the list willing and able to help.

  OpenBSD has the advantage of outstanding security.  They claim it's the most
secure OS around, and I'm inclined to agree.  Their policy is security first,
last, and always.  In part because of this rigorous security audit policy, new
features are slower to appear than in Linux, but that's life.

> I'm on a dialup so I'll need PPP and some form of ipmasq/nat plus support
> for whatever network card I put in there (probably some old ISA card).

  You get a fair amount of protection just being on a transient dialup.  Your
average cracker simply isn't interested in what is basically the VW beetle of
the Internet.  Oh, you can and will still get attacked, but the more popular
targets are the people on high-speed, dedicated connections.  The slow
connection also limits your vulnerabilities to denial-of-service attacks.

[mention of a floppy-based Linux system]

> That might work if I had a floppy drive (which I don't) ;)

  How were you planning on getting the system installed?

On Thu, 6 Jul 2000, Adam Wendt wrote:
> I might try putting FreeBSD on this drive because the FreeBSD FAQ says you
> can install a minimal system on 60megs of hard drive space.

  You can do a minimal install of Linux in 1.44 MB of hard drive space.  ;-)

  In other words, any Linux system that fits on a floppy will also fit on your
85 MB HDD.

On Thu, 6 Jul 2000, Karl J. Runge wrote:
>> And yes, I know I should have a dedicated firewall ...
> 
> One doesn't really need a dedicated firewall.

  The basic security advantage of a dedicated firewall is that one cannot hack
that which is not there.

  Most of your security exploits come from programs like sendmail and bind
which run as root and thus are prime targets.  A firewall system which does
nothing but forward packets -- no running services whatsoever -- will be
inherently more secure than a system running every daemon under the sun.  (Or
on the Sun, in the case of Solaris. ;)

  Of course, you generally need to put some services *somewhere*, generally on
a bastion machine in a DMZ behind the firewall.  Such machines then end up
being the sacrificial lamb.  However, by virtue of the fact that they are
segregated from the rest of your network, damage is limited.

  Is this overkill for most home situations?  Yes.  For a simple home system,
a combination firewall/gateway/server is usually just fine, so long as you
keep it well locked down, and you keep your security patches up to date.

  The one thing *everyone* should run, though, is an intrusion detection
system, like Tripwire, AIDE, or LIDS.  This lets you know when you've been
compromised, so you can find the problem and fix it.

  "Building Internet Firewalls", from O'Reilly, and "Building Linux and
OpenBSD Firewalls", from <mumble>, are both very good books to have with you
while you're setting up your firewall.  Highly recommended.

  HTH,

-- 
Ben Scott <[EMAIL PROTECTED]>
| "I've already explained this once, but repetition is the very soul of |
|  the net." (from alt.config)                                          |
