NetFilter

Re: Distro Choice for iptables as Enterprise Firewall

To: netfilter@lists.netfilter.org
Subject: Re: Distro Choice for iptables as Enterprise Firewall
From: Maximilian Wilhelm <max@rfc2324.org>
Date: Sun, 31 Dec 2006 17:51:13 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <4597E5CD.8050104@rackage.com>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References: <4597E5CD.8050104@rackage.com>
Sender: netfilter-bounces@lists.netfilter.org
User-agent: Mutt/1.5.9i
On Sunday, 31 December, Rackage | Randles typed the following:

Hi!

> I'm new to iptables and this list so forgive me if this subject has been 
> covered previously.

> I'm sure this topic is a cause for much debate with no definitive answer; 
> however, I would be glad to hear suggestions nevertheless.

> What distros are recommended for deploying iptables as a dedicated 
> firewall?

I like a small Debian installation best for this purpose.
The Debian base install is very small and you can easily remove unused
parts of it and add only the things you need (iptables, vlan, iproute,
you name it).
So you have full control over what is installed on your firewall and don't
have to worry about unused daemons and stuff.
(I had some slightly bad experiences with a RedHat EL3 server where I
 had trouble removing unused daemons...)

> What server hardening steps would you recommend? (/Bastille?)

Build your own kernel (currently you may want to wait until some file
system corruption problems are fixed before doing so :)) and activate
SE-Linux or patch your kernel with grsecurity[42].

Use iptables to restrict access to all needed services (ssh, e.g.) and
configure your services as strictly as possible, e.g. allowing only users
with ssh keys to access your box.

[42] http://www.grsecurity.net/

Ciao
Max
-- 
        Follow the white penguin.
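The two hardening steps Max suggests (restrict access to the needed services with iptables, then make sshd key-only) as an added example that is not part of the original message or of any netfilter project code. The script below generates a complete INPUT ruleset in iptables-restore(8) syntax and the matching sshd_config(5) lines. The management network 192.0.2.0/24 (an RFC 5737 documentation range), the group name fwadmin and the function names are assumptions chosen for illustration; the ruleset is written to stdout so it can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example, not from the original post.
# Generates a host-firewall ruleset for a dedicated iptables box and the
# sshd_config lines that allow only key-based logins.
#
# Assumptions (hypothetical): management network 192.0.2.0/24, sshd on
# TCP/22, admins in the Unix group "fwadmin". FORWARD is left at DROP;
# site-specific routing rules belong there and are out of scope here.

# Emit a complete *filter table in iptables-restore format.
# $1 = CIDR of the only network allowed to open ssh connections.
# Refuses to generate a ruleset that exposes sshd to the whole Internet.
gen_firewall_rules() {
    mgmt_net="$1"
    case "$mgmt_net" in
        ""|0.0.0.0/0|*/0)
            echo "gen_firewall_rules: refusing to open ssh to the world" >&2
            return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always needed
-A INPUT -i lo -j ACCEPT
# replies to connections the box itself opened (DNS, NTP, apt, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets that do not belong to any known connection
-A INPUT -m state --state INVALID -j DROP
# ICMP: keep ping (rate-limited) and path-MTU discovery working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# ssh only from the management network; more than 5 new connections
# per minute from one source is treated as a brute-force attempt
-A INPUT -s ${mgmt_net} -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -s ${mgmt_net} -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set -j ACCEPT
# log what is dropped, rate-limited so a flood cannot fill the disk
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-input-drop: "
COMMIT
EOF
}

# Emit sshd_config lines: key-only, no root, only the admin group.
gen_sshd_config() {
    cat <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowGroups fwadmin
X11Forwarding no
EOF
}

# Load the generated ruleset atomically (must run as root).
# iptables-restore -t parses and checks the file without applying it,
# so a typo cannot leave the box half-configured or locked out.
install_firewall_rules() {
    gen_firewall_rules "$1" > /tmp/fw.rules || return 1
    iptables-restore -t /tmp/fw.rules && iptables-restore /tmp/fw.rules
}

# Usage (as root, from the management network, with a console at hand):
#   . ./fw.sh && install_firewall_rules 192.0.2.0/24
#   gen_sshd_config >> /etc/ssh/sshd_config && /etc/init.d/ssh reload
```

Load the ruleset from a console session or a connection that is already established (the ESTABLISHED rule keeps it alive), and only switch sshd to key-only after the admin keys are confirmed to work from the management network, otherwise the first mistake locks you out.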

