[NTLUG:Discuss] Cd based Proxy/Firewall (again)

Brain Kontrath bkontr at comcast.net
Tue Jul 15 12:19:17 CDT 2003


Paul Drew wrote:
> Howdy Guys,
> For the life of me I can't find the archives or where I can search them. 
> I am going to have to install about a dozen Linux based firewalls at 
> various locations around the company soon. ....

Paul,

A CD based firewall is probably not a good idea for a business. You want 
to be able to read the logs and make changes to the firewall on the fly. 
You could use a minimal distribution of Red Hat or any of the other major 
distributions, but personally I would prefer Gentoo or Debian because 
these distros come minimal as it is and they provide easy ways to add 
and remove packages without causing dependency problems.

DFWUUG (www.dfwuug.org) recently did a series about Linux firewalls at 
their security SIG, so it might be worth your time to check them out 
also. They had an excellent whitepaper that discussed how to implement an 
iptables firewall on RH Linux, so you may want to think about possibly 
joining that user group as well.

In general a firewall box should have no services running on it (except 
for ssh), no development tools, and the kernel should be small with very 
few kernel modules (ideally no kernel modules, because monolithic 
kernels are generally more secure). No keyboards, mice or monitors 
should be connected to the box. Also, you should use iptables 
port-forwarding to run servers from behind the firewall. For general 
firewall and security info try this site:

http://www.linux-firewall-tools.com/


Kind Regards,

Brian
