* Re: Best distro for firewalls.
2002-11-11 17:44 Best distro for firewalls Rowan Reid
@ 2002-11-11 18:39 ` Antony Stone
2002-11-11 18:48 ` Rowan Reid
2002-11-11 19:00 ` Ben Russo
` (3 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-11-11 18:39 UTC (permalink / raw)
To: netfilter
On Monday 11 November 2002 5:44 pm, Rowan Reid wrote:
> I've been running on SuSE for a few years now. Currently I run 8.0. But
> I've been a little disappointed with their online updates, and a few
> other things overall. I'm looking for a good console-only base system
> install using an up-to-date, well-patched kernel. Also a very good update
> system for patches. With SuSE, since everything is controlled by YaST,
> updating manually really isn't a viable option. Can some of you give me
> some input on like Redhat, Debian and such. Just so you know I typically
> do an ftp install, with a custom configured Kernel and firewall scripts.
I'm puzzled about what you want from an update service?
If you custom configure your own kernel (good) and you create your own
firewall scripts (good), what else do you have running on your firewall which
you want to keep patched?
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they
can't lose.
- William H Gates III
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-11 17:44 Best distro for firewalls Rowan Reid
2002-11-11 18:39 ` Antony Stone
@ 2002-11-11 19:00 ` Ben Russo
2002-11-11 19:05 ` Marcelo Moreira
` (2 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Ben Russo @ 2002-11-11 19:00 UTC (permalink / raw)
To: Rowan Reid; +Cc: 'iptables-list'
On Mon, 2002-11-11 at 12:44, Rowan Reid wrote:
> I've been running on SuSE for a few years now. Currently I run 8.0. But
> I've been a little disappointed with their online updates, and a few
> other things overall. I'm looking for a good console-only base system
> install using an up-to-date, well-patched kernel. Also a very good update
> system for patches. With SuSE, since everything is controlled by YaST,
> updating manually really isn't a viable option. Can some of you give me
> some input on like Redhat, Debian and such. Just so you know I typically
> do an ftp install, with a custom configured Kernel and firewall scripts.
>
>
> Rowan Reid
> Job Captain,
> Systems Administrator
> STUDIO 3 ARCHITECTS
> 909 982 1717
>
Well, I don't know that much about any Linux Distributions other than
RedHat.
It is very easy to create a boot floppy for a machine to do installs via
NFS, FTP, or SAMBA, and with a simple kickstart script you can
completely automate the install and the configuration. There are
sections in the "kickstart" script where you can run pre and post
install scripts. So you could perform your setup just about any way you
want, such as installing default config files after installation, or
fetching and installing third party after-market RPMs via wget, or
building a kernel by throwing in a custom .config file and Makefile and
rerunning the compile. (You can even set up a PXEboot server and then you
don't even need the floppy disk.)
When you install the box and boot up for the first time you can run
"up2date-config --nox" to set up your automatic patch fetching and
install system with a GPG key from redhat and set the other options.
You can install packages (and automatically get all the dependencies)
by doing "up2date -i PKGNAME". So for example if you installed a base
system and then later decided that you wanted web mail you could do:
"up2date -i squirrel-mail" (I think that is the right pkg name).
It would fetch the most up-2-date version of squirrel mail available
from RedHat, plus it would also fetch php and apache and sendmail
etc....
By default RedHat 8 sets up the "rhnsd" daemon which will check in with
redhat through an https connection to the redhat network to check for
patches and such. You can configure it to work in various ways.
You get one free web rhn.redhat.com subscription for one machine.
(you can buy more if you want them).
If you set up the rhnsd daemon on the box when you install it you will be
e-mailed when new updates are available, and by going to the
rhn.redhat.com site and logging in you can review the errata and
schedule the updates to be pushed to your server and installed
automatically. The next time the server's rhnsd daemon checks in it will
be pushed the updates you scheduled through the web interface.
If you don't want to do it that way, and really want to do it from the
console you can use up2date-nox from the command line, but it isn't as
easy as using the gui. You would have to do "up2date-nox --list" to get
a list of available updates, and then do "up2date -i $EACH" for the
updates.
Tripwire, and iptables, arpwatch, logwatch, pppoe, cipe, vtund etc.. are
all available for install from the standard install medium, so for a
firewall that is nice... The default kernel has just about everything
available as a module by default. The install allows for LVM, Software
RAID, journalling file systems etc. from the install menus.
stunnel and VNCserver with fvwm makes a nice, secure and relatively
lightweight (compared to KDE or GNOME) remote GUI console.
To make it even more lightweight you can remove the xload and xclock and
xbiff from the fvwmrc in /etc/X11/fvwm2/system.fvwm2rc. I like to use
that on boxes because I can start up a few Xterms that monitor various
things and tail certain log files with filters and then I can check up
on the server at a glance with a simple command.
http://www.stunnel.org/examples/vnc.html
But I would think that the new versions of SUSE and Debian and Mandrake
and Gentoo all have similar capabilities, just different commands and
syntax and config files to get the same things done.
-Ben.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-11 17:44 Best distro for firewalls Rowan Reid
2002-11-11 18:39 ` Antony Stone
2002-11-11 19:00 ` Ben Russo
@ 2002-11-11 19:05 ` Marcelo Moreira
2002-11-11 19:25 ` Vladas Keparoutis
2002-11-12 4:15 ` Jet
4 siblings, 0 replies; 10+ messages in thread
From: Marcelo Moreira @ 2002-11-11 19:05 UTC (permalink / raw)
To: Rowan Reid, 'iptables-list'
> Can some of you give me
> some input on like Redhat, Debian and such. Just so you know I typically
> do an ftp install, with a custom configured Kernel and firewall scripts.
>
Forget Red Hat, Debian and Suse...
Go for Slackware. This is the real, fully customizable distro.
Then follow the scripts in http://www.sastk.org/
to harden it.
You should be fine with this. Also, check google and the archives.
I believe this topic was already discussed a while ago, and you
should get some more info there.
Have fun,
Marcelo Moreira.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-11 17:44 Best distro for firewalls Rowan Reid
` (2 preceding siblings ...)
2002-11-11 19:05 ` Marcelo Moreira
@ 2002-11-11 19:25 ` Vladas Keparoutis
2002-11-12 0:55 ` Martin Stricker
2002-11-12 4:15 ` Jet
4 siblings, 1 reply; 10+ messages in thread
From: Vladas Keparoutis @ 2002-11-11 19:25 UTC (permalink / raw)
To: Rowan Reid; +Cc: 'iptables-list'
Hi,
I'd recommend gentoo (gentoo.org)
It is very flexible and fast with updates.
-Vlad
On Mon, 11 Nov 2002, Rowan Reid wrote:
>
>
> I've been running on SuSE for a few years now. Currently I run 8.0. But
> I've been a little disappointed with their online updates, and a few
> other things overall. I'm looking for a good console-only base system
> install using an up-to-date, well-patched kernel. Also a very good update
> system for patches. With SuSE, since everything is controlled by YaST,
> updating manually really isn't a viable option. Can some of you give me
> some input on like Redhat, Debian and such. Just so you know I typically
> do an ftp install, with a custom configured Kernel and firewall scripts.
>
>
> Rowan Reid
> Job Captain,
> Systems Administrator
> STUDIO 3 ARCHITECTS
> 909 982 1717
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-11 19:25 ` Vladas Keparoutis
@ 2002-11-12 0:55 ` Martin Stricker
2002-11-12 4:11 ` Rob
2002-11-19 14:24 ` Alasdair Ramsay
0 siblings, 2 replies; 10+ messages in thread
From: Martin Stricker @ 2002-11-12 0:55 UTC (permalink / raw)
To: netfilter
Vladas Keparoutis wrote:
>
> Hi,
> I'd recommend gentoo (gentoo.org)
> It is very flexible and fast with updates.
Yeah, but you have to compile everything. On the 486 I use as a firewall
this is more than a pain...
Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 7.3 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: Best distro for firewalls.
2002-11-12 0:55 ` Martin Stricker
@ 2002-11-12 4:11 ` Rob
2002-11-19 14:24 ` Alasdair Ramsay
1 sibling, 0 replies; 10+ messages in thread
From: Rob @ 2002-11-12 4:11 UTC (permalink / raw)
To: Netfilter
HA, I hear ya on that one.
I have personally liked RH for server setups, MDK for workstation OR server
setups. MDK is based off of RH BUT it separates out the /etc to separate
config folders a little more so your base /etc isn't so dirty.
Robert Wideman
>>-----Original Message-----
>>From: netfilter-admin@lists.netfilter.org
>>[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Martin Stricker
>>Sent: Monday, November 11, 2002 6:56 PM
>>To: netfilter@lists.samba.org
>>Subject: Re: Best distro for firewalls.
>>
>>
>>Vladas Keparoutis wrote:
>>>
>>> Hi,
>>> I'd recommend gentoo (gentoo.org)
>>> It is very flexible and fast with updates.
>>
>>Yeah, but you have to compile everything. On the 486 I use as a firewall
>>this is more than a pain...
>>
>>Best regards,
>>Martin Stricker
>>--
>>Homepage: http://www.martin-stricker.de/
>>Linux Migration Project: http://www.linux-migration.org/
>>Red Hat Linux 7.3 for low memory: http://www.rule-project.org/
>>Registered Linux user #210635: http://counter.li.org/
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-12 0:55 ` Martin Stricker
2002-11-12 4:11 ` Rob
@ 2002-11-19 14:24 ` Alasdair Ramsay
1 sibling, 0 replies; 10+ messages in thread
From: Alasdair Ramsay @ 2002-11-19 14:24 UTC (permalink / raw)
To: Martin Stricker, netfilter
Martin Stricker wrote:
| Vladas Keparoutis wrote:
|
|>Hi,
|>I'd recommend gentoo (gentoo.org)
|>It is very flexible and fast with updates.
|
|
| Yeah, but you have to compile everything. On the 486 I use as a firewall
| this is more than a pain...
Have you tried distcc? It makes compiling quick and easy if you have
multiple Linux boxes on your LAN.
http://distcc.samba.org/
Regards
Alasdair
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Best distro for firewalls.
2002-11-11 17:44 Best distro for firewalls Rowan Reid
` (3 preceding siblings ...)
2002-11-11 19:25 ` Vladas Keparoutis
@ 2002-11-12 4:15 ` Jet
4 siblings, 0 replies; 10+ messages in thread
From: Jet @ 2002-11-12 4:15 UTC (permalink / raw)
To: Rowan Reid, 'iptables-list'
Why not www.devil-linux.org ?
It is a CD-based solution (configuration stored on diskette).
Req RAM of 64MB and above and 486.
.//Jet
----- Original Message -----
From: "Rowan Reid" <rreid@studio3arc.com>
To: "'iptables-list'" <netfilter@lists.samba.org>
Sent: Tuesday, November 12, 2002 1:44 AM
Subject: Best distro for firewalls.
>
>
> I've been running on SuSE for a few years now. Currently I run 8.0. But
> I've been a little disappointed with their online updates, and a few
> other things overall. I'm looking for a good console-only base system
> install using an up-to-date, well-patched kernel. Also a very good update
> system for patches. With SuSE, since everything is controlled by YaST,
> updating manually really isn't a viable option. Can some of you give me
> some input on like Redhat, Debian and such. Just so you know I typically
> do an ftp install, with a custom configured Kernel and firewall scripts.
>
>
> Rowan Reid
> Job Captain,
> Systems Administrator
> STUDIO 3 ARCHITECTS
> 909 982 1717
>
>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread