Install Security - Adduser su/chroot (making a firewall PC)


LiquidAcid
05-23-2007, 08:28 AM
I am after some ideas to make my firewall PC as tight as a full stop (don't think I can actually say how tight I want it without breaking the forum rules)
Anyhow, I am after ideas and maybe even some suggested reading material on the subject - preferably things with a sharp learning curve - cause I really don't have much time to diverge on this.

So far...
I have a 32 meg /boot
A 512 meg Swap
A 1024 meg /
a 1024 meg /home
a 1024 meg /tmp
a 1024 meg /opt
and a 1024 meg /usr/local

I have an additional few gig (on the 10gig HDD).

I am stuck on the making of an install user part - because if possible I want to do zero with the root account on the firewall to help protect my network.
I can make the user - but then the user doesn't have the privileges to alter the permissions in the tar -xjpf command to install the base system I am using (Gentoo in this case) - so some info/links on this would be appreciated. I am still searching btw for more info on this.

My approach was to adduser -e xx/xx/xxxx -g wheel installuser, chuck on a password, and proceed to install - which = the fail I mentioned.

I have been reading very little on the subject - since most of the info is fairly verbose - and I got enough on my plate right now migrating from Windows - although - honestly it is a subject which I am intrigued with.

I'd also like to hear some other recommendations on the process of setting up a tight-as-Fort-Knox system - any extra tid-bit would be great!

As a side note - I know the command chown might help in this situation - but in the case of the expiring user - what happens to this ownership? - I fail to understand why root should have as many privileges as it apparently does - is there any way to curtail root's rights, such as to completely render root useless after the system is set up - in such a fashion as to make it require a complete re-install to redeem those rights? (I'll even try using a hardened source if need be) - when the system is finished all this PC essentially will be doing is firewalling and bridging a connection to a switch - also it will be keeping a log of traffic (when I figure that out too) - the only thing I really want a user to do is to be able to access the log (in read-only) - I have considered (see my other post about making a LiveCD) making the whole OS on CD, and just using the HDD as log/swap/var space.
A few recommendations on this part would be nice also.
I won't be running any server stuff on this firewall - it is a Celeron Mendocino and clocks in at 334 MHz - totally unsuitable for anything I am trying to do... (except as a firewall/entrypointy log)

[Edit] I have, after talking to people, decided to remake the server with FreeBSD as my OS, and to incorporate a Jail system that would place any suspect person into lock down. I am still working on the ins and outs of FreeBSD (right now determining what packages need downloading); will update post as I continue to find out stuff. [/Edit]
Never mind they tell me I am just being silly now