I've got an old P75 64MB box which has, until recently, been running Smoothwall as a firewall. Since I got a rather unimpressive ADSL ethernet modem, which needs to be driven by a web browser, and which remembers the MAC address of the driving NIC, Smoothwall doesn't do the job anymore. After much effort I put SuSE-8.1 on the box. Slow, to put it mildly, but it does the job. It set up the SuSE firewall and set it to do NAT and it works fine.

My question is, where do I go from here? I don't know much about the SuSE firewall, or how to harden the box against attack. I'd like it to spin down the hard disk (which presumably it doesn't need much in its limited role) to reduce noise and power consumption.

Anyone else used SuSE-8.1 as a dedicated firewall? What configurations did you make to get it as hard and efficient as possible?

--
Australian Linux Technical Conference 2003: http://www.linux.conf.au/
Explain to your boss the benefits of you going...
* Derek Fountain; <derekfountain@yahoo.co.uk> on 30 Dec, 2002 wrote:
My question is, where do I go from here? I don't know much about the SuSE firewall, or how to harden the box against attack. I'd like it to spin down the hard disk (which presumably it doesn't need much in its limited role) to reduce noise and power consumption.
For a detailed documentation of SuSEfirewall2:
http://sourceforge.net/project/showfiles.php?group_id=42064&release_id=127876

Now for hardening the box, SuSE 8.1 is not the ideal SuSE version I am afraid, as harden_SuSE package barks saying that it is not for 8.1 and bastille Linux project is not fully functional on SuSE 8.1. Hence I have not been using 8.1 on my production servers yet. I am still on 7.3.
Anyone else used SuSE-8.1 as a dedicated firewall? What configurations did you make to get it as hard and efficient as possible?
Nevertheless, make sure you do not have any unnecessary services running on the firewall. Set the security label paranoid (note that many things can be dysfunctional so be careful with this). Do not log in to your firewall box; if administration is mandatory on the firewall box then use ssh with public key. If there are services running that are available to public, i.e. webserver, mail server, then chrooting them is a good idea.

Hope these help

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
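An added example for the "use ssh with public key" advice above; it is not part of the thread or written by any of its participants. It checks whether an sshd_config really enforces key-only login, assuming current OpenSSH defaults (both keywords default to yes) and looking only at the global section before any Match block. The function names and sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for key-only login.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and an absent keyword falls back to its default.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective global value
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ || NF == 0 { next }             # skip comments, blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }              # accept "Keyword=value" too
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == want { val = tolower($2); exit }   # first value wins
        END { print val }
    ' "$1"
}

# key_only_login FILE -> exit status 0 only if passwords are off and keys on
key_only_login() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Constructed sample: the later "no" has no effect because the first
# PasswordAuthentication line already set the value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
Port 22
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

if key_only_login "$sample"; then
    echo "key-only login enforced"
else
    echo "password logins still accepted"
fi
rm -f "$sample"
```

The constructed sample is reported as still accepting passwords, which is the failure mode to look for when a hardening line is appended to the end of an existing file.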
Why not dump SuSEFirewall2 altogether and try something like ShoreWall - www.shorewall.net. Took me 17 minutes (including reading the docs !!!!) to get a fully functional firewall.

Jon

=> -----Original Message-----
=> From: Togan Muftuoglu [mailto:toganm@dinamizm.com]
=> Sent: Monday, 30 December 2002 18:42
=> To: suse-linux-e@suse.com
=> Subject: Re: [SLE] Firewall advice
=>
=> * Derek Fountain; <derekfountain@yahoo.co.uk> on 30 Dec, 2002 wrote:
=> >
=> >My question is, where do I go from here? I don't know much about the SuSE
=> >firewall, or how to harden the box against attack. I'd like it to spin down
=> >the hard disk (which presumably it doesn't need much in its limited role) to
=> >reduce noise and power consumption.
=>
=> For a detailed documentation of SuSEfirewall2:
=> http://sourceforge.net/project/showfiles.php?group_id=42064&release_id=127876
=>
=> Now for hardening the box, SuSE 8.1 is not the ideal SuSE version I am afraid, as harden_SuSE package barks saying that it is not for 8.1 and bastille Linux project is not fully functional on SuSE 8.1. Hence I have not been using 8.1 on my production servers yet. I am still on 7.3.
* Jon Biddell; <jon@fl.net.au> on 30 Dec, 2002 wrote:
Why not dump SuSEFirewall2 altogether and try something like ShoreWall - www.shorewall.net.
Because too many files for configuration
Took me 17 minutes (including reading the docs !!!!) to get a fully functional firewall.
You mean a packet filter, technically speaking. Great, it takes me 5 minutes setting up SuSEfirewall2, hence I prefer SuSEfirewall2.

PS: do not put me on CC or TO as I can get the mail from the list.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Derek,

I seriously think one of your best options is www.shorewall.net - including the download, installing and reading the docs, it took me 17 minutes to get a workable and fairly secure firewall up and running.

Jon

=> I've got an old P75 64MB box which has, until recently, been running
=> Smoothwall as a firewall. Since I got a rather unimpressive ADSL ethernet
=> modem, which needs to be driven by a web browser, and which remembers the MAC
=> address of the driving NIC, Smoothwall doesn't do the job anymore. After much
=> effort I put SuSE-8.1 on the box. Slow, to put it mildly, but it does the
=> job. It set up the SuSE firewall and set it to do NAT and it works fine.
I seriously think one of your best options is www.shorewall.net - including the download, installing and reading the docs, it took me 17 minutes to get a workable and fairly secure firewall up and running.
Does it carry a web browser that supports frames and Javascript, and can I install it onto a box with no CD drive?

--
Australian Linux Technical Conference 2003: http://www.linux.conf.au/
Explain to your boss the benefits of you going...
participants (3): Derek Fountain, Jon Biddell, Togan Muftuoglu