[Techtalk] Good firewall configuration tool for debian

Devdas Bhagat devdas at dvb.homelinux.org
Fri Apr 9 20:27:38 EST 2004


On 09/04/04 20:23 +1000, Kathryn Andersen wrote:
<snip>
> > The NAT router will offer nothing more to you than a plain ADSL modem
> > plus a hardened Linux box, but the Linux box can actually do a lot more.
> 
> Indeed, but how many zillions of hours will I need to devote in order to
> harden my Linux box?  Or, indeed, to make my Linux box "do more"?
Actually, very little. The problem for most people that I have dealt
with is that they do not understand the concepts behind locking down the
box.
Hardening a box implies that it offers only trusted services to the
world, and that it isn't easily accessible. Since you aren't worried
about physical access or access from your internal network, you can just
lock down inbound access from the Internet.

To install a hardened box, here's what I do:
Make a minimal installation. That means no compilers, no interpreters,
no daemons.
Reboot into single user mode.
Remove most of the daemons that the distribution installs by default.
Ideally, you want to end up with a kernel, libc, and a local shell and a
few local utilities.
Install the tools I need. This is usually Perl and a few modules.
Bring up the network interfaces. (/sbin/ifconfig eth0 ip)
Patch as needed.
Install a caching DNS server. I use BIND, but most people would
recommend DJB's suite for that.
Write my firewall script. Run it.

Additionally, if required, install Squid and/or Postfix on the box.
Remove compilers, if installed.

This tends to take much longer than the typical install everything
system, but it works.

> The learning curve for these sort of things tends to be steep, and if I
> have to learn about ten complicated things at once or my box will be
> rooted, then maybe I just can't do it in enough time...
> 
> Is there a trade-off here, or am I being too daunted?
You are being too daunted. Your personal system does not need as much
hardening as described above.
It would even be enough for you to do a normal minimal installation,
turn everything off except ssh and allow ssh only from the internal
network.
The learning curve for the whole security field is high. Firewalling
however, is only a small subset of this field.
The security process consists of:
Defining requirements.
Setting policies.
Implementing policies.
Testing the implementation.
Watching over the systems to ensure nothing goes wrong.

Each of these sub-processes is a large field by itself.

Oh, and the learning curve isn't much steeper than for normal Unix use.

Devdas Bhagat
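As an added illustration of the "write my firewall script" step and of the simpler advice to allow ssh only from the internal network, here is a small iptables script of the kind the post describes. It is example code written for this page, not Devdas's own script. The interface names (ppp0 towards the ADSL link, eth0 towards the LAN), the internal network 192.168.1.0/24 and the use of iptables are assumptions; the two sample rulesets used by the audit function are constructed, not captured from a real box.

```shell
#!/bin/sh
# Example home-gateway firewall (added example, not the post's own script).
# Assumed names: ppp0 = Internet-facing link, eth0 = internal LAN,
# 192.168.1.0/24 = internal network. Adjust these for your own box.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# Print the iptables commands that implement the policy without running
# them, so the ruleset can be read and tested before it touches the box.
# Policy: inbound from the Internet is dropped by default; ssh and the
# caching DNS server are reachable only from the internal network; the
# LAN is NATed out through the external interface.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
}

# Apply the rules. Runs only when asked for explicitly, and only as root;
# "sh -e" stops at the first command that fails.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    firewall_rules | sh -e
}

# Audit a ruleset in "iptables -S" format read from stdin. Returns 0 only
# if the INPUT chain defaults to DROP and every rule accepting ssh (tcp/22)
# is restricted to the internal interface or the internal network.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$' || {
        echo "check: INPUT policy is not DROP" >&2; return 1; }
    exposed=$(printf '%s\n' "$rules" \
        | grep -- '^-A INPUT .*--dport 22 .*-j ACCEPT$' \
        | grep -v -- "-i $INT_IF " | grep -v -- "-s $INT_NET " || true)
    [ -z "$exposed" ] || {
        echo "check: ssh is accepted from outside the internal network:" >&2
        echo "$exposed" >&2; return 1; }
    return 0
}

# Constructed sample of "iptables -S" output after the script above ran.
sample_good_ruleset() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $INT_NET -i $INT_IF -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample of a careless ruleset: ssh open from any interface.
sample_bad_ruleset() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

case "${1:-show}" in
    show)  firewall_rules ;;
    apply) apply_rules ;;
    check) check_ruleset ;;          # usage: iptables -S | ./fw.sh check
    demo)  sample_bad_ruleset | check_ruleset \
               || echo "demo: careless ruleset rejected" ;;
esac
```

Running the script with no arguments only prints the rules; `apply` executes them and `iptables -S | ./fw.sh check` re-reads the live ruleset afterwards, which is the "testing the implementation" step from the post applied to the firewall alone.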

