Ok, obviously shorewall is a great tool for building firewall rules and good firewall rules are a key to a secure firewall environment.

But what other factors should I consider when installing RedHat for a dedicated firewall application?

What version should I use, 7.1 or 7.2 (out of curiosity, does 6.2 have a place still or is it too old now)?

What packages must I have and what can I do away with?

What hardening steps should I undertake?

Anyone have any suggestions or a cookbook they use?

Randy Millis
Calgary, Alberta
Canada
E-mail: randy.millis@shaw.ca
From the front page news on www.shorewall.net:

3/19/2002 - Step by Step Instructions available

Scott Merrill has written a set of step-by-step instructions for Installing a "Belt and Suspenders" Firewall Configuration under RedHat 7.2. Thanks Scott!

Those instructions are very complete.

Dan

----- Original Message -----
From: "Randy Millis" <randy.millis@shaw.ca>
To: "Shorewall Users (E-mail)" <shorewall-users@shorewall.net>
Sent: Saturday, March 23, 2002 10:18 AM
Subject: [Shorewall-users] Hardening RedHat for firewall use?

> Ok, obviously shorewall is a great tool for building firewall rules and good
> firewall rules are a key to a secure firewall environment.
>
> But what other factors should I consider when installing RedHat for a
> dedicated firewall application?
>
> What version should I use 7.1 or 7.2 (out of curiosity does 6.2 have a place
> still or is it too old now)?
>
> What packages must I have and what can I do away with?
>
> What hardening steps should I undertake?
>
> Anyone have any suggestions or a cookbook they use?
>
> Randy Millis
> Calgary, Alberta
> Canada
> E-mail: randy.millis@shaw.ca
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
See comments below.

--
Sincerely,
David Smead
http://www.amplepower.com

On Sat, 23 Mar 2002, Randy Millis wrote:

> Ok, obviously shorewall is a great tool for building firewall rules and good
> firewall rules are a key to a secure firewall environment.
>
> But what other factors should I consider when installing RedHat for a
> dedicated firewall application?

The best firewall will run no unnecessary programs, and files should all be checksummed with regular tests for changes.

> What version should I use 7.1 or 7.2 (out of curiosity does 6.2 have a place
> still or is it too old now)?

You need a kernel with netfilter, which is 2.4. However, you want 2.4.18 to get past a bug in netfilter that allowed an IRC exploit.

> What packages must I have and what can I do away with?

If all you want is a firewall, take a look at LEAF Bering, which provides what you need on a single floppy. If you really want to cut down a RH system you should read all the documentation from Linux From Scratch, which gives you the dependency information you'll need.

> What hardening steps should I undertake?

There are a couple of books about building firewalls which you should read. Here's a few rules: Don't let any user besides root have access. Administer locally from a terminal if possible. Use only ssh2 and scp to move data to and from the firewall. Don't run nfs. Don't run X. Use djbdns if you're going to run a nameserver. Build in audit trails and review the logs.

> Anyone have any suggestions or a cookbook they use?
>
> Randy Millis
> Calgary, Alberta
> Canada
> E-mail: randy.millis@shaw.ca
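As an added illustration of the "build in audit trails and review the logs" rule above (example code, not from this thread): a small sh/awk helper that tallies the netfilter LOG lines Shorewall writes for dropped packets per source address, protocol and destination port, so a port sweep or a persistent probe stands out of the syslog noise. The sample lines are constructed, and the "Shorewall:chain:DROP:" log prefix is an assumption about the logging rules in use.

```shell
# Added example, not code from the thread or from the Shorewall project.
# Summarise Shorewall DROP/REJECT log lines read on stdin as
# "<count> <src> <proto>/<dport>", most frequent first.
shorewall_log_summary() {
    awk '
    /Shorewall:/ {
        src = ""; proto = ""; dport = "-"
        # netfilter LOG output is a run of KEY=VALUE words; pick the ones we need.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dport = substr($i, 5)
        }
        if (src != "") count[src " " proto "/" dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample syslog lines using documentation address ranges
# (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24). The last line is an
# unrelated sshd entry that the summary must ignore.
SAMPLE_LOG='Mar 23 11:25:39 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=48 TTL=115 ID=1 DF PROTO=TCP SPT=3344 DPT=53 WINDOW=16384 SYN
Mar 23 11:25:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=48 TTL=115 ID=2 DF PROTO=TCP SPT=3345 DPT=53 WINDOW=16384 SYN
Mar 23 11:25:41 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=48 TTL=115 ID=3 DF PROTO=TCP SPT=3346 DPT=22 WINDOW=16384 SYN
Mar 23 11:25:42 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=28 TTL=50 ID=4 PROTO=ICMP TYPE=8 CODE=0
Mar 23 11:25:43 fw sshd[812]: Accepted publickey for root from 192.168.1.5'

# The single busiest (source, proto/port) pair in the sample log.
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | shorewall_log_summary | head -n 1
}

# Run against the sample; on a real firewall feed it /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | shorewall_log_summary
```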
On Sat, Mar 23, 2002 at 11:25:39AM -0800, David Smead wrote:

> On Sat, 23 Mar 2002, Randy Millis wrote:
>
> > What version should I use 7.1 or 7.2 (out of curiosity does 6.2 have a place
> > still or is it too old now)?
>
> You need a kernel with netfilter, which is 2.4. However, you want 2.4.18
> to get past a bug in netfilter that allowed an IRC exploit.

Red Hat 7.2 errata kernel 2.4.9-x has fixes for this. So does the 7.1 kernel. Don't use Red Hat 6.2 for the reasons stated. Also, Red Hat will drop support for 6.2 later this year (2 yr support cycle typically).

> Here's a few rules:
>
> Don't let any user besides root have access. Administer locally from a
> terminal if possible. Use only ssh2 and scp to move data to and from the
> firewall. Don't run nfs. Don't run X. Use djbdns if you're going to run
> a nameserver. Build in audit trails and review the logs.

djbdns looks like a nice little offbeat package but there's no reason to use it over bind, which Red Hat 7.2 provides, unless you're trying to seriously save space. Set up Bind to only answer queries on the local LAN interface and make sure that shorewall has the dns port firewalled off on the public LAN interface. The DNS HOWTO at linuxdoc.org will give you the basics on setting up bind.

--
Scott
David Smead wrote:

> ...
> > Ok, obviously shorewall is a great tool for building firewall rules and good
> > firewall rules are a key to a secure firewall environment.
> >
> > But what other factors should I consider when installing RedHat for a
> > dedicated firewall application?
>
> The best firewall will run no unnecessary programs, and files should all
> be checksummed with regular tests for changes.

...the tool for which is tripwire (available in the default RH install). It's a pain to administer for the first few days (... weeks ... months - depending on how much you change things), but it is worth the trouble.

> > What version should I use 7.1 or 7.2 (out of curiosity does 6.2 have a place
> > still or is it too old now)?
>
> You need a kernel with netfilter, which is 2.4. However, you want 2.4.18
> to get past a bug in netfilter that allowed an IRC exploit.

If you care about IRC. If not, just comment out "loadmodule ip_conntrack_irc" in /etc/shorewall/modules.

Tom Eastep wrote:

> ...
> > What version should I use 7.1 or 7.2 (out of curiosity does 6.2 have a
> > place still or is it too old now)?
>
> 6.2 requires a lot of work to install a 2.4 kernel (required for
> Shorewall). Don't know why anyone would go to the trouble. Either 7.1 or
> 7.2 is ok so long as you keep up with all of the errata.

If there was ever a reason to not recommend 7.1 (besides the obvious "it's older and won't be supported for as long"), it's that 7.2 has ext3 support by default, which makes for much shorter startup times in the event of a power failure (note: not "system crash", since Linux doesn't crash ;-). Also, 7.2 removes the concept of power tools, and puts the most popular power tools packages in the default distribution.

Paul
http://paulgear.webhop.net
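To make concrete what David's "files should all be checksummed with regular tests for changes" and Paul's tripwire remark amount to, here is an added example (not code from this thread, and no substitute for tripwire's signed database): a minimal baseline-and-compare in plain sh that catches altered, missing and newly added files under a directory tree. It assumes GNU md5sum, find, sed and comm; the directory and file names in the demo are constructed.

```shell
# Added example, not from the thread. Baseline integrity check in plain sh.

# Record the checksum of every regular file under the given directories.
# Usage: integrity_baseline BASELINE_FILE DIR...
integrity_baseline() {
    baseline="$1"; shift
    find "$@" -type f -exec md5sum {} + | sort -k 2 > "$baseline"
}

# Report files that changed, vanished or appeared since the baseline.
# Prints one line per finding; exit status 0 means the tree is unchanged.
# Usage: integrity_check BASELINE_FILE DIR...
integrity_check() {
    baseline="$1"; shift
    status=0
    # md5sum -c prints "path: FAILED" for altered or missing files.
    md5sum -c --quiet "$baseline" 2>/dev/null || status=1
    # md5sum -c cannot notice files that were added, so diff the path lists.
    find "$@" -type f | sort > "$baseline.now"
    sed 's/^[0-9a-f]*  *//' "$baseline" | sort > "$baseline.then"
    added=$(comm -13 "$baseline.then" "$baseline.now")
    rm -f "$baseline.now" "$baseline.then"
    if [ -n "$added" ]; then
        printf '%s: NEW FILE\n' $added
        status=1
    fi
    return $status
}

# Demonstration on a constructed tree: baseline it, then alter one file and
# drop in an extra one. Returns 0 when the check flags the tampering.
integrity_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin"
    printf 'original\n' > "$root/sbin/iptables"
    printf 'original\n' > "$root/sbin/ip"
    integrity_baseline "$root/baseline.md5" "$root/sbin"
    integrity_check "$root/baseline.md5" "$root/sbin" && echo "baseline: clean"
    printf 'altered\n' > "$root/sbin/iptables"
    printf 'extra\n' > "$root/sbin/unexpected"
    if integrity_check "$root/baseline.md5" "$root/sbin"; then rc=1; else rc=0; fi
    rm -rf "$root"
    return $rc
}

integrity_demo
```

On a real firewall the baseline must live on read-only or offline media, otherwise whoever alters a binary can rewrite the checksums too, which is exactly the problem tripwire's signed database solves.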