Re: ReiserFS on a Firewall [was: Building Debian firewall]
- To: Robert Davies <Rob_Davies@NTLWorld.Com>
- Cc: debian-firewall@lists.debian.org
- Subject: Re: ReiserFS on a Firewall [was: Building Debian firewall]
- From: matthew@sackman.co.uk (Matthew Sackman)
- Date: Fri, 1 Jun 2001 20:29:42 +0100
- Message-id: <20010601202942.A2415@sackman.co.uk>
- In-reply-to: <001e01c0e77c$d74bbd80$060569d5@oak>; from Rob_Davies@NTLWorld.Com on Mon, May 28, 2001 at 02:48:08PM +0100
- References: <20010527210133.D16446@wohnheim.fh-wedel.de> <GCEGLPFGDCACHENIJHDDGEDACDAA.blacknet@phenixcable.net> <20010528001410.E16446@wohnheim.fh-wedel.de> <15121.37153.701549.13451@gargle.gargle.HOWL> <20010528010628.A22899@erich.xmldesign.de> <005901c0e714$797ef720$897601d5@oak> <20010528124727.H16446@wohnheim.fh-wedel.de> <001e01c0e77c$d74bbd80$060569d5@oak>
The way I've done it on a debian firewall is to have a cron job run an
apt-get update and then an apt-get -d -y upgrade each morning (about 2am).
That way I just log in each day (ssh) and check what it's gonna do and then
let it get on with it.
I got pissed off after seeing 2 complete installations go down the tube with
reiserfs on the early 2.4 kernels (mine fell fould of dying when you create
a file with a very long file name (ripping CDs)). As a result I'll not touch
reiserfs for some months. However, in terms of firewall, the iptables and the
new IP/TCP stack is so much better in 2.4 kernels that iptables is a dream
to use and quite justifies using a 2.4 kernel in a production server (IMO).
Also, I find that you don't have to be too worried about what gets installed
on the gateway. I know that sounds daft, but if your firewall drops all new
incoming connections AND all invalid incoming packets then you're pretty much
safe. All I do is the following:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
and then just make sure that /etc/interfaces/options has the forwarding
option at 1 and you're sorted - I can't personally see how this can be easily
hacked on eth0. Nothing can get in apart from ssh and your clients are safely
protected and masqueraded.
HTH,
Matthew
On Mon, May 28, 2001 at 02:48:08PM +0100, Robert Davies wrote:
> > I think you should be careful about automatic apt-get anyway,
> > because someone might be able to alter the sources.list or the dns
> > reolve for your server, and inject manipulated files for this...
>
> This is a very good point, that I wanted to put to the minimalist who argued
> for using apt-get. debs have to be extended with signing, but your security
> is only as good as the ftp server you use at present, which is not ideal for
> a firewall.
>
> Using automatic apt-get update && apt-get upgrade, would not be wise for a
> critical machine. It's great for home use, but a corporate firewall...
> that's real balls to the wall stuff.
>
> Rob
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
>
--
Matthew Sackman
Nottingham,
ENGLAND
Using Debian/GNU Linux
Enjoying computing
Reply to: