[ale] best dist for firewall?

Jeff Hubbs hbbs at attbi.com
Fri May 3 21:09:57 EDT 2002


Guys -

Coyote Linux (the LRP-based NAT/firewall one-floppy distro) decompresses 
a tree to a ramdisk and the tree in the ramdisk has the /etc you see, 
and it does have an fstab in it.  You might want to utilize Coyote or at 
the very least generate a floppy for dissection purposes.

I haven't looked into this closely, but I suspect that what happens is 
that the ramdisk gets established and then it gets filled with the 
floppy-stored compressed tree, and then the ramdisk gets chrooted into. 
Once the Coyote floppy boots, it's never accessed again.  I think 
that if you use the login menu to change the configuration, it doesn't 
automatically get written back to the floppy - that's a separate step.

- Jeff

Tyler Kiley wrote:

> Ya, but I was thinking you need /etc/fstab to know what device to mount at 
> /etc..... 
> 
> Tyler
> 
> On Friday 03 May 2002 03:57 pm, jb at sourceillustrated.com wrote:
> 
>>Technically, you can mount *anything* from a floppy...
>>
>>
>>>I'm intrigued by the idea of using removable media to store a firewall
>>>configuration.... would it be possible to mount a machine's /etc
>>>directory  from a floppy, or is /etc required on the root filesystem?
>>>
>>>Tyler
>>>
>>>On Friday 03 May 2002 02:58 pm, cfowler wrote:
>>>
>>>>A firewall is a firewall.
>>>>
>>>>It is not:
>>>>
>>>>A Mail Server
>>>>A Web Server
>>>>A Shell Server
>>>>An Etc. Server
>>>>
>>>>It is a firewall
>>>>
>>>>Maybe a very tight shell to configure the rules.  But if you do
>>>>it right you can create a firewall on floppy that would
>>>>require mounting on a client machine to configure, then booting up on.
>>>>Now that is a firewall!
>>>>
>>>>On Fri, 2002-05-03 at 14:28, Glenn C. Lasher Jr. wrote:
>>>>
>>>>>I will second this.  Slackware 8.0 is exactly the right distro for a
>>>>>firewall.  Not only does it not suffer the operational and security
>>>>>issues of RH, but it also even lets you pick --at install time--
>>>>>what version of kernel you want to run, and, if you pick 2.4.x, will
>>>>>let you set up ReiserFS before installing.  We 'ave one.  Ees ver'
>>>>>nayze.
>>>>>
>>>>>On Thu, 2 May 2002, Transam wrote:
>>>>>
>>>>>>>I'm setting up a firewall on a 120mhz, 16meg machine.  I'd like
>>>>>>>to run iptables, snort/acid and a mysql db to store the snort
>>>>>>>info.
>>>>>>>
>>>>>>>Any recommended distros?  It'd be nice to get something minimal
>>>>>>>(possibly tightened) but with the 2.4 kernel (for the stateful
>>>>>>>firewalling capabilities).  I considered Slackware or Debian and
>>>>>>>then upgrading the kernel, but the thought of compiling on a
>>>>>>>120mhz machine is not a happy one.  Considering Peanut as well,
>>>>>>>but it seems to be heavily configured for the desktop.  I guess
>>>>>>>it's a last resort.
>>>>>>>
>>>>>>Slackware 8.0!  I've found Slackware FAR less buggy (both in
>>>>>>security bugs and in annoying operational bugs) than either Red
>>>>>>Hat or Mandrake and far easier to install.  It also requires FAR
>>>>>>fewer security patches and thus yields a lower-maintenance system.
>>>>>>Some of this is due, I think, to their interest in the best
>>>>>>distribution rather than the most money and easiest and most toys
>>>>>>(sound familiar).  Some of it is due to less "stuff" on it.
>>>>>>However, you certainly do NOT want a lot of extra junk on a
>>>>>>Firewall.
>>>>>>
>>>>>>Sheesh.  RH7.1 did not even ship with a working IP Tables.  I had
>>>>>>to download a working kernel and configure and compile it.
>>>>>>
>>>>>>I run Slackware on my Laptop and love it.  I use Red Hat on my
>>>>>>desktop only because it is the most popular distribution with my
>>>>>>clients and the friend who built my desktop put it on and I was
>>>>>>too lazy to install Slackware over it.  (Installing Red Hat over a
>>>>>>running Slackware system would have been just as much work and
>>>>>>certainly greater than zero.)
>>>>>>
>>>>>>Any Set-UID or Set-GID program is a security risk.  When I build a
>>>>>>Firewall I turn all of that stuff off.  X always is first on my
>>>>>>list and GPM is second!
>>>>>>
>>>>>>
>>>>>>>Thanks as always,
>>>>>>>
>>>>>>>John
>>>>>>>
>>>>>>Bob Toxen
>>>>>>transam at cavu.com                       [Bob's ALE Bulk email]
>>>>>>bob at verysecurelinux.com                [Please use for email to me]
>>>>>>http://www.verysecurelinux.com           [Network&Linux/Unix security consulting]
>>>>>>http://www.realworldlinuxsecurity.com/   [My 5* book: "Real World Linux Security"]
>>>>>>http://www.cavu.com/sunset.html          [Sunset Computer]
>>>>>>Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
>>>>>>Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
>>>>>>
>>>>>>---
>>>>>>This message has been sent through the ALE general discussion
>>>>>>list. See http://www.ale.org/mailing-lists.shtml for more info.
>>>>>>Problems should be sent to listmaster at ale dot org.
>>>>>>
>>>>>glasher at nycap.rr.com
>>>>>You've been programmed by the Illuminati not to see the word "".
>>>>>
>>>>>
>>>>>
>>>>
>>
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
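Bob Toxen's remark in the quoted thread about turning off every set-UID and set-GID program when building a firewall, as an added shell example; this is not code from the thread or from any distribution it mentions. It inventories the set-xid files under a tree, strips the bits from all of them except an allowlist, and exercises that against a constructed directory. The file names (bin/ping, bin/wall, bin/cat, sbin/su) and the allowlist entry su are assumptions made for the demo, not a recommendation about which binaries a given host needs.

```shell
#!/bin/sh
# Added example, not code from the thread: the set-UID/set-GID clean-up that
# Bob Toxen describes for a firewall build, written as two small functions
# plus a constructed demo tree. Paths, file names and the allowlist are
# hypothetical; review the listing before running it against a real root.

# List every regular file under $1 carrying the set-UID (4000) or set-GID
# (2000) bit. find's -perm -MODE matches when all bits in MODE are set.
list_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Number of such files, trimmed so it compares cleanly as an integer.
count_setxid() {
    list_setxid "$1" | wc -l | tr -d ' '
}

# Strip set-UID and set-GID from every file under $1 whose basename is not
# in the space-separated allowlist $2 (e.g. "su" if one must be kept).
# Prints the number of files changed.
strip_setxid() {
    dir=$1
    keep=${2:-}
    changed=0
    tmp=$(mktemp)
    list_setxid "$dir" > "$tmp"
    while IFS= read -r f; do
        base=$(basename "$f")
        skip=0
        for k in $keep; do
            if [ "$k" = "$base" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        if chmod u-s,g-s "$f"; then changed=$((changed + 1)); fi
    done < "$tmp"
    rm -f "$tmp"
    echo "$changed"
}

# Constructed demo tree (not a real system): three set-xid files and one
# ordinary one, laid out like /bin and /sbin. Prints the tree's path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/sbin"
    for p in bin/ping bin/wall bin/cat sbin/su; do
        : > "$d/$p"
        chmod 0755 "$d/$p"
    done
    chmod u+s "$d/bin/ping" "$d/sbin/su"
    chmod g+s "$d/bin/wall"
    printf '%s\n' "$d"
}

# Stand-alone run: audit, strip everything except su, audit again.
demo=$(make_demo_tree)
echo "set-xid files before: $(count_setxid "$demo")"
list_setxid "$demo"
echo "stripped: $(strip_setxid "$demo" su)"
echo "set-xid files after:  $(count_setxid "$demo")"
list_setxid "$demo"
rm -rf "$demo"
```

On a real host the audit step is `list_setxid /` (as root, so find can read every directory); the allowlist is there because clearing the bit on something like su or passwd changes what unprivileged users can do, and a firewall box with no interactive users needs very few of them. Re-running `count_setxid` after package updates is a cheap way to notice when a package has quietly reintroduced a set-UID binary.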