> Questions I have is whether there is enough RAM and/or disk to do
> what I want. It looks like with the fairly minimal install (X but no
> development stuff) I have about 100-200 MB left. Any other
> suggestions?

I would say you have disk and RAM backward. If you use fine-grained installation control, you should be able to get the install down to about 50 megs, including Samba, NFS, sendmail, apache, ghostscript, etc. There is no good reason to have X on a firewall that's going to sit in a closet. Check through your packages: I'll bet you have stuff like LaTeX installed on there that has no place on a server.

OTOH, more RAM is always better. While you _can_ run a firewall on 8MB -- I did it for a while -- when I upped the RAM to 72MB, things ran a lot smoother when the machine was trying to do several things at once. 72 MB might be overkill, but I have SIMMs in increments of 4 and 32. =) I think 32MB would be fine for such a machine.

My firewall configuration (in front of an RCN cable modem) is a Gateway P5-60 (freaky, huh?) with 72 MB of RAM and 120 MB of disk space.
It runs Debian 2.3 ("woody") and has only the following packages:

    adduser apt base-files base-passwd bash bind bind-doc bsdutils cpp
    cracklib-runtime cracklib2 cron debconf debianutils dhcp dhcp-client
    diff dnsutils dpkg dpkg-multicd e2fsprogs elvis-tiny fdflush fdutils
    file fileutils findutils gconv-modules gettext gettext-base grep groff
    gs-aladdin gs-pdfencrypt gsfonts gzip hostname iplogger ldso less libc6
    libdb2 libgdbmg1 libglib1.2 libgmp2 libgtk1.2 liblockfile1 libncurses4
    libncurses5 libnewt0 libpam-cracklib libpam-modules libpam-runtime
    libpam0g libpaperg libpcap0 libpng2 libpopt0 libreadlineg2 libssl09
    libstdc++2.10 libstdc++2.9 libstdc++2.9-glibc2 libwrap0 lilo locales
    lockfile-progs login lprng lynx m4 magicfilter mailx make makedev man-db
    mawk mbr modconf modutils mount mtr ncurses-base ncurses-bin netbase ntp
    ntpdate nvi passwd perl-5.004 perl-5.004-base perl-5.005 perl-5.005-base
    perl-base ppp procmail procps psmisc samba samba-common samba-doc sed
    sendmail setserial shellutils slang1 ssh svgalibg1 sysklogd syslinux
    sysvinit tar tcpd tcpdump telnet textutils timezones traceroute update
    util-linux whiptail wmnet xbase-clients xfree86-common xlib6g zlib1g zsh

It's pretty minimal. The main thing to remember is that you need to do almost nothing on this machine. Compile your firewall's kernels on an internal machine, for instance. You should, in fact, not use your firewall machine as your internal file or print server unless you can effectively block access to those services from the outside world at the packet level. The fewer security holes you have, the better.
These are the only inetd services I have running:

    discard stream tcp nowait root internal
    discard dgram  udp wait   root internal
    daytime stream tcp nowait root internal
    time    stream tcp nowait root internal
    ident   stream tcp nowait nobody /usr/local/sbin/fidentd

where "fidentd" is the following program:

    #include <stdio.h>

    /* Fake identd run from inetd: reads "<server-port> , <client-port>"
     * on stdin and always answers with a fixed user name, so no real
     * local account name is ever revealed. */
    int main(void)
    {
        int p1, p2;

        if (scanf("%d , %d", &p1, &p2) != 2)
            return 1;           /* malformed query: answer nothing */
        printf("%d , %d : USERID : UNIX : goober\n", p1, p2);
        return 0;
    }

Furthermore, I have almost everything blocked using TCP wrappers:

    # /etc/hosts.deny
    ALL: ALL

    # /etc/hosts.allow
    ALL: 127.0.0.0/255.0.0.0 localnet localhost
    sshd: ALL
    sshdfwd-X11: ALL
    sendmail: ALL
    identd: ALL
    apache: ALL
    apache-ssl: ALL
    ntpd: 127.0.0.0/255.0.0.0 localnet localhost

And it goes without saying that you should never, _ever_ use telnet to get into your home network from the outside: use ssh or an equivalent. In fact, you should even disallow secure password logins and require RSA logins, so people can't even _think_ of logging into your machine without access to a private ssh identity; passwords are just too big of a security hole for a firewall. (Incidentally, I personally never use telnet. I have not used it in about two years, because sending plaintext passwords over anything but a null link between two machines sitting on desks right next to each other is a bad idea. =) )

Okay, now that I've gotten way off track from the original poster's question and brain-dumped my firewall setup in a fairly unintelligible mess, would anyone be interested in a better and more complete writeup of my opinion regarding good firewall design? =)

Kyle

-- 
Kyle R. Rose                    MIT LCS NE43-309, Cambridge, MA
11 Winslow Avenue Apt. 2        617-253-5883
Somerville, MA 02144            krose at krose.yi.org
617-628-0271                    http://yi.org/krose/
DeCSS and css-auth mirror: http://mmadb.no/jlj/
See http://www.opendvd.org/ for details!
I guess I've been so wrapped up in playing the game that I never took time enough to figure out where the goal line was -- what it meant to win -- or even how you won. -- Cash McCall
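As an added example (not part of Kyle's post), the following Python script models the tcpd evaluation order behind the hosts.allow/hosts.deny pair above (first hosts.allow match grants, first hosts.deny match refuses, no match at all allows) and runs a few constructed connections through the exact rules quoted. It assumes a bare word such as localnet matches the client's resolved hostname, and it ignores tcpd's EXCEPT operator and leading/trailing-dot patterns, which the post does not use.

```python
import ipaddress

# Constructed copies of the two TCP-wrappers files quoted in the post.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
ALL: 127.0.0.0/255.0.0.0 localnet localhost
sshd: ALL
sshdfwd-X11: ALL
sendmail: ALL
identd: ALL
apache: ALL
apache-ssl: ALL
ntpd: 127.0.0.0/255.0.0.0 localnet localhost
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, addr, hostname):
    """ALL matches anyone; net/mask matches the address; a bare word is
    assumed to match the client's resolved name (how 'localnet' is read)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern.lower() == hostname.lower()


def access_decision(daemon, addr, hostname=""):
    """tcpd order: hosts.allow is consulted first, then hosts.deny, and a
    connection that matches neither file is allowed."""
    for text, verdict in ((HOSTS_ALLOW, "allow"), (HOSTS_DENY, "deny")):
        for daemons, clients in parse_rules(text):
            if "ALL" in daemons or daemon in daemons:
                if any(client_matches(p, addr, hostname) for p in clients):
                    return verdict
    return "allow"


if __name__ == "__main__":
    print(access_decision("ntpd", "203.0.113.5", "remote.example"))  # deny
```

The last rule shows why the ntpd line is needed even with the blanket ALL: ALL deny: without an explicit allow for the local net, the first hosts.allow line would still admit local clients, but only the listed daemons are reachable from outside.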