Subject: Re: Hardening a Firewall Machine
To: Richard Ibbotson <richard@sheflug.co.uk>
From: Mipam <mipam@ibb.net>
List: tech-security
Date: 10/14/2001 16:11:56
On Tue, Oct 09, 2001 at 11:00:23PM +0000, Richard Ibbotson wrote:
> Hello
> 
> If this isn't the right place to ask this question then I apologise.
> 
> I've just installed a NetBSD 1.5.2 system on some i386 hardware. My
> intention is to use it as a firewall. I'm thinking that it might be a
> good idea to harden the installation with chroot, and the other thing I'd
> like to know about is .... is there such a thing as a hardening script
> for NetBSD?
>  
> I think what I'm saying is ... is it possible to do this, and if so, is
> there an FAQ or man page that I can have a look at?

Lots has been written on building firewalls and hardening them.
However, you don't want to run other services on a firewall,
so there is no need to chroot anything.
Instead, you'll want to remove all the programs you'll never need,
since you'll use the machine as a firewall. Lots more can be said,
but look in the archives on bsdtoday.com, in the security part,
and see if anything comes up there. Look into the archives of
daemonnews.org, same topics. Adjust some sysctl values,
like pumping up the number of nmbclusters, and disallow things like
source routing, directed broadcast, the forwarding of source-routed
packets and mask replies; there is lots more you can set.
Increase the kernel security level, etc. etc.
And of course compile a kernel which is dedicated to this kind of job,
so that no unnecessary things are supported in the kernel
you'll run. And for a very good general book concerning
firewalls and security you can read "Repelling the Wily Hacker" by
Bill Cheswick and Bellovin. Anyway, much, much more can be said,
for what I just named is FAR from complete.
But go ahead and read a lot of stuff,
for there is a lot to find concerning firewalls
in general, but also on ipf on Net/Open/FreeBSD.
Bye,

Mipam.
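The sysctl knobs named in the reply above (source routing, directed broadcast, mask replies, nmbclusters, securelevel), turned into a NetBSD-style /etc/sysctl.conf fragment plus a small audit that compares a captured `sysctl -a` dump against the wanted values. This is an added example and not code from the thread or from NetBSD; the MIB names follow NetBSD's sysctl(7), but that each of them exists under exactly that name on 1.5.2 is an assumption (kern.mbuf.nmbclusters in particular is a later sysctl; on 1.5 the cluster count is the NMBCLUSTERS kernel option), the numeric values are illustrative, and the sample dump is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original thread). The knobs Mipam names,
# as (a) a NetBSD /etc/sysctl.conf fragment and (b) an audit that checks a
# "sysctl -a" dump against it, so a firewall build can be verified after boot.
# MIB names follow NetBSD sysctl(7); that every name exists as-is on 1.5.2 is
# an assumption (kern.mbuf.nmbclusters is a later sysctl; on 1.5 the cluster
# count is the NMBCLUSTERS kernel option). Values are illustrative.

# Wanted settings in sysctl.conf syntax (one name=value per line). 0 = off.
# Source routing, directed broadcasts, ICMP redirects (sent or accepted) and
# address-mask replies are all things a packet filter has no use for.
hardened_sysctl_conf() {
    cat <<'EOF'
net.inet.ip.forwsrcrt=0
net.inet.ip.allowsrcrt=0
net.inet.ip.directed-broadcast=0
net.inet.ip.redirect=0
net.inet.icmp.maskrepl=0
net.inet.icmp.rediraccept=0
net.inet.ip.forwarding=1
kern.mbuf.nmbclusters=4096
EOF
}

# Lowest acceptable kern.securelevel. 1 is what init(8) raises it to when
# going multiuser on a kernel built without "options INSECURE"; it makes
# /dev/mem, /dev/kmem and the raw devices of mounted file systems read-only
# and pins the immutable/append-only file flags (assumed NetBSD behaviour).
MIN_SECURELEVEL=1

# lookup NAME DUMP: value recorded for NAME in a "sysctl -a" dump, whose
# lines look like "net.inet.ip.forwsrcrt = 1"; prints nothing if absent.
lookup() {
    awk -v n="$1" '$1 == n && $2 == "=" { print $3 }' "$2"
}

# audit_sysctl DUMP: one line per deviation from the wanted state.
audit_sysctl() {
    dump=$1
    for want in $(hardened_sysctl_conf); do
        name=${want%%=*}
        value=${want#*=}
        have=$(lookup "$name" "$dump")
        if [ -z "$have" ]; then
            echo "$name: not present (older kernel, or option not compiled in?)"
        elif [ "$have" != "$value" ]; then
            echo "$name: want $value, have $have"
        fi
    done
    level=$(lookup kern.securelevel "$dump")
    if [ -z "$level" ] || [ "$level" -lt "$MIN_SECURELEVEL" ]; then
        echo "kern.securelevel: want >= $MIN_SECURELEVEL, have ${level:-none}"
    fi
}

# count_problems DUMP: number of deviations, handy for a boot-time check.
count_problems() {
    audit_sysctl "$1" | wc -l | tr -d ' '
}

# Constructed sample of what "sysctl -a" might print on an untuned install
# (not captured from a real machine), written to the file named in $1.
write_sample_dump() {
    cat >"$1" <<'EOF'
kern.securelevel = 0
kern.mbuf.nmbclusters = 1024
net.inet.ip.forwarding = 1
net.inet.ip.redirect = 1
net.inet.ip.directed-broadcast = 0
net.inet.ip.allowsrcrt = 1
net.inet.ip.forwsrcrt = 0
net.inet.icmp.maskrepl = 1
net.inet.icmp.rediraccept = 1
EOF
}

# Stand-alone run: print the wanted conf, then audit the constructed dump.
tmp=$(mktemp)
write_sample_dump "$tmp"
echo "--- wanted /etc/sysctl.conf ---"
hardened_sysctl_conf
echo "--- deviations in sample dump ---"
audit_sysctl "$tmp"
rm -f "$tmp"
```

On a real box, `sysctl -a > dump.txt` after boot and `audit_sysctl dump.txt` shows what rc did not apply; a "not present" line means the name does not exist on that kernel, which is the case to expect for the nmbclusters sysctl on 1.5.x.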