From owner-freebsd-questions Fri Jul 16 5:38:54 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1])
	by hub.freebsd.org (Postfix) with ESMTP id 5885B156D6
	for ; Fri, 16 Jul 1999 05:38:39 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from ospf-wat.sentex.net (ospf-wat.sentex.net [209.167.248.81])
	by granite.sentex.net (8.8.8/8.6.9) with SMTP id IAA22879;
	Fri, 16 Jul 1999 08:36:41 -0400 (EDT)
From: mike@sentex.net (Mike Tancsa)
To: gill@topsecret.net ("James Gill")
Cc: questions@freebsd.org
Subject: Re: is having the ports secure?
Date: Fri, 16 Jul 1999 12:49:02 GMT
Message-ID: <378f29a4.318030864@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 14 Jul 1999 23:46:57 -0400, in sentex.lists.freebsd.questions you wrote:

>
>Hi..
>
>If I'm trying to make a secure installation (for example a firewall box)
>that will run only a finite set of services (NAT, firewalling, DNS, and not
>very much else), wouldn't it be better (more secure) to not install the
>whole ports collection but only the specific ports for the services I want?
>Aside from the (forty?) megabytes I would save on the already pretty small
>disk.
>
>Am I on the right track here?

It should not make a difference, as installing the ports tree only gives
you the make files. There are no setuid apps in there. As for installing
only what you need, absolutely. You can probably not run any of inetd,
since all you want is probably sshd to remotely admin the box, and then
limit access to port 22 on the source IP you would be coming from.

	---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
"Who is this 'BSD', and why should we free him?"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
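The two claims in the reply above (no setuid programs in the ports tree, nothing needed from inetd) can be checked on a given box. The script below is an added example, not part of the original message; the function names are hypothetical, and `/usr/ports` and `/etc/inetd.conf` are assumed to be the locations in use.

```shell
#!/bin/sh
# Added example: audit a ports tree and an inetd.conf-style file.
# Function names are hypothetical; default paths are assumptions.

# Print every setuid or setgid regular file under the directory $1.
# Prints nothing when the tree holds only ordinary files (makefiles etc.).
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the service names still enabled in the inetd.conf-style file $1:
# every line that is neither blank nor a comment; field 1 is the service.
enabled_inetd_services() {
    [ -r "$1" ] || return 0
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1" | sort -u
}

# Report findings for a ports directory ($1) and an inetd.conf ($2).
# Returns 0 when no setuid/setgid file and no enabled service is found.
audit_host() {
    ports_dir=$1
    inetd_conf=$2
    rc=0
    setid=$(find_setid_files "$ports_dir") || true
    if [ -n "$setid" ]; then
        echo "setuid/setgid files under $ports_dir:"
        echo "$setid"
        rc=1
    fi
    svcs=$(enabled_inetd_services "$inetd_conf") || true
    if [ -n "$svcs" ]; then
        echo "services enabled in $inetd_conf:"
        echo "$svcs"
        rc=1
    fi
    return $rc
}

# Run against the assumed default paths only when asked to.
if [ "${1:-}" = "--run" ]; then
    audit_host /usr/ports /etc/inetd.conf && echo "nothing to report"
fi
```

Invoke it with `--run` to audit the default paths, or source it and call `audit_host` with other locations.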