RE: opinions on my plan

2003-01-02 Thread Rob O'Donnell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darren
Sent: Wednesday, January 01, 2003 11:49 AM
To: fbsd-questions
Subject: opinions on my plan


I am building a firewall/NAT box for my father.  This is the first
firewall that I've built.  And, I'm trying to put only the minimum
software on it that will help me remote administer it (ie. ssh) and keep
it up to date (ie. portupgrade).

I figured I'd need a few programs installed for convenience.  But, I
didn't want to sacrifice security.  I thought I might get the advice of
those who have gone before me.


At 15:16 01/01/2003 -0600, Craig M. Luchtefeld wrote:

For mine I did the following:

- Minimal install
- kern_securelevel_enable=YES in rc.conf
- recompiled kernel for ipf and take out extra crap
- disabled inetd
- disabled sendmail
- used ipf and ipmon for firewall/nat

My firewall is running on minimal hardware and it's a firewall.. I only
want to mess with it once and be done with it.



Why not look at picobsd (in ports).  It's a script that you run on your 
FreeBSD box which produces a minimal system on small media (single floppy, 
bootable CD, CF disc etc), and is ideally suited for running routers, 
firewalls, etc. You customise it for your exact requirements.  It boots up 
and runs from RAMdisc - no hard disc required.  Problems? Reboot and it's 
clean again..

Obviously the less you have on any externally exposed machine, the less 
security risk it poses.  Since you can use pretty much any crap hardware to 
run as a router/firewall, find an old P1 (or worse) somewhere, and hide the 
decent machine you would need for squid internally, and put that, cvsup, 
etc on that, where it's safer.  To upgrade the router, you just re-run the 
script to create a new floppy, disc image, etc.

[any technical questions on picobsd best addressed to freebsd-small mailing 
list].

Regards

Rob



--
APH Computers Ltd.
Tel: 0161-442 2603
Fax: 0161-443 1162


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: opinions on my plan

2003-01-02 Thread randall ehren
 I'm open to all suggestions, links or any other comments.  This is new
 territory for me.

how-to on building a freebsd firewall with ipfilter:
 http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

NAT with ipfilter:
 http://www.isber.ucsb.edu/~randall/wireless/ipnat.html

ipfilter only:
 http://www.isber.ucsb.edu/~randall/ipfilter/

--
:// randall s. ehren :// voice 805.893.5632
:// systems administrator:// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research





RE: opinions on my plan

2003-01-01 Thread Craig M. Luchtefeld
For mine I did the following:

- Minimal install
- kern_securelevel_enable=YES in rc.conf
- recompiled kernel for ipf and take out extra crap
- disabled inetd
- disabled sendmail
- used ipf and ipmon for firewall/nat

My firewall is running on minimal hardware and it's a firewall.. I only
want to mess with it once and be done with it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darren
Sent: Wednesday, January 01, 2003 11:49 AM
To: fbsd-questions
Subject: opinions on my plan


I am building a firewall/NAT box for my father.  This is the first
firewall that I've built.  And, I'm trying to put only the minimum
software on it that will help me remote administer it (ie. ssh) and keep
it up to date (ie. portupgrade).

I figured I'd need a few programs installed for convenience.  But, I
didn't want to sacrifice security.  I thought I might get the advice of
those who have gone before me.

Here is what I was thinking about installing:

here's what I consider to be almost mandatory
sshd
cvsup
portupgrade

here's what I thought might add for obvious reasons

squid (maybe ??)
portsentry (maybe ??)
ncftp (client only if I can find it)
links

I'm mostly concerned about cvsup and portupgrade because I see them as
being next to mandatory.  I think I could get along without them.  But,
I'm concerned about security risks associated with not being current.
Do they pose more security risks than they might prevent by keeping me
current? Another thing about portupgrade that concerns me is what it
does to my kernel sources.  I tried recompiling after having run
portupgrade and pretty much hosed everything.  I started over from
scratch and recompiled first.  I haven't put portupgrade back on, yet.
I wanted to get opinions about its risk:reward ratio first.

I'm open to all suggestions, links or any other comments.  This is new
territory for me.

Thanks,
Darren


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
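Craig's list above, written out as the configuration it implies on a FreeBSD 4.x box. This is an added example, not configuration posted by anyone in this thread. The rc.conf variable names and the ipf/ipnat syntax are the real ones; the interface names (fxp0 outside, xl0 inside), the LAN prefix 192.168.1.0/24 and the admin address 203.0.113.10 are assumptions to be replaced before use.

```conf
# --- /etc/rc.conf additions ---
# (variable names are the real 4.x rc.conf knobs; values are this example's assumptions)
gateway_enable="YES"               # forward packets between LAN and ISP
ipfilter_enable="YES"              # rc loads the rules before the securelevel is raised
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"                 # send "block ... log" hits to syslog
ipmon_flags="-Ds"
kern_securelevel_enable="YES"      # raised late in the boot, after the rules are in
kern_securelevel="2"
inetd_enable="NO"
sendmail_enable="NONE"             # 4.x value: no listener and no queue runner at all
sshd_enable="YES"

# --- kernel config additions (ipf compiled in rather than loaded as a module) ---
# options IPFILTER
# options IPFILTER_LOG
# options IPFILTER_DEFAULT_BLOCK   # if the ruleset fails to load, drop everything

# --- /etc/ipf.rules ---
# fxp0 = outside (ISP), xl0 = inside (192.168.1.0/24): assumed interface names.
# ipf is last-match unless a rule says "quick", so the two non-quick blocks at the
# top are the default: anything not matched by a later quick rule is logged and dropped.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# LAN side: the inside interface is trusted; all filtering happens on fxp0.
pass in quick on xl0 all
pass out quick on xl0 all

# Anti-spoofing: private and loopback sources never legitimately arrive from the ISP.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Outbound from the box itself and (after NAT) from the LAN. "keep state" admits the
# replies, so no "pass in" rule on fxp0 is needed for ordinary client traffic.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Remote admin: ssh from one assumed admin address only; nothing else inbound.
# Drop this line if the box is only administered from the LAN.
pass in log quick on fxp0 proto tcp from 203.0.113.10 to any port = 22 flags S keep state

# --- /etc/ipnat.rules ---
# 0/32 means "the current address of fxp0", which survives a dynamic ISP address.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32
```

Parse-check both files before the first reboot with `ipf -n -f /etc/ipf.rules` and `ipnat -n -f /etc/ipnat.rules`, then watch `ipfstat -io` and the ipmon log from a LAN client to confirm that only the intended traffic passes. Bring the box up once without the two kern_securelevel lines to shake out rule mistakes; once it runs at securelevel 2 the reliable way to change rules is to edit the file and reboot, because rc loads them before the securelevel goes up. On releases after 4.x the sendmail knobs are split into several variables, so check rc.sendmail(8) rather than relying on the "NONE" value.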

