Date:      Thu, 02 Jan 2003 10:12:45 +0000
From:      Rob O'Donnell <robert@aphnet.co.uk>
To:        "'fbsd-questions'" <freebsd-questions@freebsd.org>
Subject:   RE: opinions on my plan
Message-ID:  <5.1.1.6.0.20030102100039.02392da8@aph2k>
In-Reply-To: <000301c2b1db$272eae00$0500a8c0@strife>
References:  <029f01c2b1be$1965cdc0$6601a8c0@crotchett.com>

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Darren
Sent: Wednesday, January 01, 2003 11:49 AM
To: fbsd-questions
Subject: opinions on my plan


I am building a firewall/NAT box for my father.  This is the first
firewall that I've built.  And, I'm trying to put only the minimum
software on it that will help me remotely administer it (i.e. ssh) and keep
it up to date (i.e. portupgrade).

I figured I'd need a few programs installed for convenience.  But, I
didn't want to sacrifice security.  I thought I might get the advice of
those who have gone before me.


At 15:16 01/01/2003 -0600, Craig M. Luchtefeld wrote:
>For mine I did the following:
>
>- Minimal install
>- kern_securelevel_enable="YES" in rc.conf
>- recompiled kernel for ipf and take out extra crap
>- disabled inetd
>- disabled sendmail
>- used ipf and ipmon for firewall/nat
>
>My firewall is running on minimal hardware and it's a firewall.. I only
>want to mess with it once and be done with it.


Why not look at picobsd (in ports).  It's a script that you run on your 
FreeBSD box which produces a minimal system on small media (single floppy, 
bootable CD, CF disc etc.), and is ideally suited for running routers, 
firewalls, etc.  You customise it for your exact requirements.  It boots up 
and runs from RAMdisc - no hard disc required.  Problems?  Reboot and it's 
clean again.

Obviously the less you have on any externally exposed machine, the less 
security risk it poses.  Since you can use pretty much any crap hardware to 
run as a router/firewall, find an old P1 (or worse) somewhere, and hide the 
decent machine you would need for squid internally, and put that, cvsup, 
etc. on that, where it's safer.  To upgrade the router, you just re-run the 
script to create a new floppy, disc image, etc.

[any technical questions on picobsd best addressed to freebsd-small mailing 
list].

Regards

Rob



-- 
APH Computers Ltd.
Tel: 0161-442 2603
Fax: 0161-443 1162
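Craig's checklist earlier in the thread (securelevel on, inetd off, sendmail off) plus Darren's requirement to keep ssh for remote administration can be turned into a check that runs against a box's rc.conf before it goes on the wire. The script below is an added example written for this page, not code posted by anyone in the thread; the function names (rc_value, rc_is, audit_rcconf, write_sample) are made up for it, it assumes the plain name="value" rc.conf format, and the rc.conf it writes is a constructed sample, not a real host's file. It also flags a trap worth knowing about: kern_securelevel_enable="YES" does nothing by itself, because /etc/defaults/rc.conf ships kern_securelevel="-1" and the startup script only raises the level when that value is 0 or higher.

```shell
#!/bin/sh
# rc_audit.sh: check a FreeBSD rc.conf for the minimal-firewall settings
# discussed in the thread.  Added example for this page, not code from the
# original mail.  Assumes the plain name="value" rc.conf format; the sample
# written by write_sample is constructed for illustration.

# rc_value FILE NAME: print the effective value of NAME.  rc.conf is sourced
# by sh, so the last assignment wins; comments, trailing blanks and one layer
# of surrounding quotes are removed (a '#' inside a quoted value is not
# supported).  Prints nothing and returns 1 if NAME is never assigned.
rc_value() {
    # keep "NAME=..." lines with a leading "=" marker so an empty value is
    # still distinguishable from "not assigned at all"
    last=$(sed -n -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
                  -e "s/^[[:space:]]*${2}=\(.*\)$/=\1/p" "$1" | tail -n 1)
    [ -n "$last" ] || return 1
    v=${last#=}
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
        \'*\') v=${v#\'}; v=${v%\'} ;;
    esac
    printf '%s\n' "$v"
}

# rc_is FILE NAME VALUE: true if NAME's effective value equals VALUE,
# case-insensitively (the rc scripts accept yes/YES/Yes).
rc_is() {
    v=$(rc_value "$1" "$2") || return 1
    [ "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" ]
}

# audit_rcconf FILE: print one OK/FAIL line per check and return the number
# of failures (0 means everything passed).  An unset knob counts as a
# failure: the default in /etc/defaults/rc.conf differs between releases,
# so a firewall box should state each of these explicitly.
audit_rcconf() {
    f=$1; fails=0
    # kern_securelevel_enable="YES" only takes effect if kern_securelevel is
    # also >= 0 (the default is -1), and only 1..3 actually lock anything.
    if rc_is "$f" kern_securelevel_enable yes; then
        lvl=$(rc_value "$f" kern_securelevel) || lvl=-1
        case $lvl in
            [1-3]) echo "OK   securelevel raised to ${lvl} at boot" ;;
            *)     echo "FAIL kern_securelevel_enable=YES but kern_securelevel=${lvl} (no effect)"
                   fails=$((fails + 1)) ;;
        esac
    else
        echo "FAIL kern_securelevel_enable is not YES"; fails=$((fails + 1))
    fi
    if rc_is "$f" inetd_enable no; then
        echo "OK   inetd disabled"
    else
        echo "FAIL inetd_enable should be NO"; fails=$((fails + 1))
    fi
    # "NONE" runs no sendmail at all on releases that understand it; "NO"
    # (no listener on port 25) is accepted as the thread's minimum.
    if rc_is "$f" sendmail_enable no || rc_is "$f" sendmail_enable none; then
        echo "OK   sendmail daemon disabled"
    else
        echo "FAIL sendmail_enable should be NO (or NONE)"; fails=$((fails + 1))
    fi
    if rc_is "$f" sshd_enable yes; then
        echo "OK   sshd enabled for remote administration"
    else
        echo "FAIL sshd_enable should be YES (remote administration)"; fails=$((fails + 1))
    fi
    return $fails
}

# write_sample FILE [LINE...]: write a constructed rc.conf, then append each
# extra argument as a further line so a later assignment can override an
# earlier one, exactly as sh would when sourcing the real file.
write_sample() {
    f=$1; shift
    cat > "$f" <<'EOF'
# constructed firewall-box rc.conf (not a real host)
sshd_enable="YES"
inetd_enable="YES"            # overridden below: last assignment wins
kern_securelevel_enable="YES" # no kern_securelevel yet, so no effect
sendmail_enable='NONE'
inetd_enable="NO"
EOF
    for line in "$@"; do printf '%s\n' "$line" >> "$f"; done
}

# Demo: the sample as written fails one check (securelevel never raised);
# appending kern_securelevel="2" makes it pass.
tmp=$(mktemp "${TMPDIR:-/tmp}/rcaudit.XXXXXX") || exit 1
write_sample "$tmp"
audit_rcconf "$tmp" || echo "--> $? check(s) failed"
write_sample "$tmp" 'kern_securelevel="2"'
audit_rcconf "$tmp" && echo "--> all checks passed"
rm -f "$tmp"
```

Run it as `sh rc_audit.sh` to see both outcomes, or source it and call `audit_rcconf /etc/rc.conf` on the box itself; the return value is the failure count, so it drops straight into a build or deployment script. Bear in mind it only reads rc.conf: a service enabled through /etc/rc.local or a stray entry left in /etc/inetd.conf is outside what it can see, so it complements rather than replaces a look at `sockstat -4l` once the box is up.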


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.1.6.0.20030102100039.02392da8>