From: "Craig M. Luchtefeld"
To: "'Darren'", "'fbsd-questions'"
Subject: RE: opinions on my plan
Date: Wed, 1 Jan 2003 15:16:42 -0600
Message-ID: <000301c2b1db$272eae00$0500a8c0@strife>
In-Reply-To: <029f01c2b1be$1965cdc0$6601a8c0@crotchett.com>

For mine I did the following:

- Minimal install
- kern_securelevel_enable="YES" in rc.conf
- recompiled kernel for ipf and took out extra crap
- disabled inetd
- disabled sendmail
- used ipf and ipmon for firewall/nat

My firewall is running on minimal hardware and it's a firewall.. I only want to mess with it once and be done with it.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Darren
Sent: Wednesday, January 01, 2003 11:49 AM
To: fbsd-questions
Subject: opinions on my plan

I am building a firewall/NAT box for my father. This is the first firewall that I've built. And, I'm trying to put only the minimum software on it that will help me remotely administer it (i.e. ssh) and keep it up to date (i.e. portupgrade). I figured I'd need a few programs installed for convenience. But, I didn't want to sacrifice security. I thought I might get the advice of those who have gone before me.

Here is what I was thinking about installing:

sshd
cvsup
portupgrade
squid (maybe ??)
portsentry (maybe ??)
ncftp (client only if I can find it)
links

I'm mostly concerned about cvsup and portupgrade because I see them as being next to mandatory. I think I could get along without them. But, I'm concerned about security risks associated with not being current. Do they pose more security risks than they might prevent by keeping me current?

Another thing about portupgrade that concerns me is what it does to my kernel sources. I tried recompiling after having run portupgrade and pretty much hosed everything. I started over from scratch and recompiled first. I haven't put portupgrade back on, yet. I wanted to get opinions about its risk:reward ratio first.

I'm open to all suggestions, links or any other comments. This is new territory for me.

Thanks,
Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
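Craig's checklist, turned into something a practitioner can run: the POSIX sh script below audits an rc.conf for the settings he listed (securelevel raised at boot, inetd and sendmail off, ipf/ipnat/ipmon on). This is an added example, not code posted by either Craig or Darren. The rc.conf it reads is a constructed sample embedded in the script (hostname and all values are made up), the function names are my own, and the one check that goes beyond Craig's list is the value of kern_securelevel itself: kern_securelevel_enable="YES" on its own does nothing useful if the level is left at the default of -1, so the audit insists on 1 or higher.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an rc.conf for the
# hardening items in Craig's list. Plain POSIX sh; the rc.conf below is a
# constructed sample, not a real host's file.

# Constructed sample rc.conf. It follows Craig's list except that inetd was
# left enabled, so the audit has something to flag.
SAMPLE_RC_CONF='hostname="fw.example.invalid"
kern_securelevel_enable="YES"
kern_securelevel="2"
inetd_enable="YES"
sendmail_enable="NO"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
sshd_enable="YES"'

# write_sample_rc_conf PATH: write the constructed sample to PATH.
write_sample_rc_conf() {
    printf '%s\n' "$SAMPLE_RC_CONF" > "$1"
}

# rc_get FILE VAR: print VAR's value the way rc.conf yields it: the file is
# sourced, so the last assignment wins; surrounding quotes are stripped and
# commented-out lines are ignored. Prints nothing when VAR is not set.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# rc_enabled FILE VAR: true when VAR holds a value checkyesno treats as yes.
rc_enabled() {
    case "$(rc_get "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_disabled FILE VAR: true only when VAR is explicitly set to a "no" value.
# An unset variable inherits /etc/defaults/rc.conf, which may be YES for some
# services, so the audit insists on an explicit NO rather than silence.
rc_disabled() {
    case "$(rc_get "$1" "$2")" in
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_at_least FILE VAR MIN: true when VAR is numeric and >= MIN.
rc_at_least() {
    v=$(rc_get "$1" "$2")
    [ -n "$v" ] && [ "$v" -ge "$3" ] 2>/dev/null
}

# check DESC CMD ARGS...: run CMD, print PASS/FAIL, count failures.
AUDIT_FAILS=0
check() {
    desc=$1; shift
    if "$@"; then
        printf 'PASS  %s\n' "$desc"
    else
        printf 'FAIL  %s\n' "$desc"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
}

# audit_rc_conf FILE: run every check; returns the number of failures (0 = clean).
audit_rc_conf() {
    f=$1
    AUDIT_FAILS=0
    check "securelevel raised at boot (kern_securelevel_enable)" rc_enabled "$f" kern_securelevel_enable
    check "kern_securelevel set to 1 or higher (-1, the default, never raises it)" rc_at_least "$f" kern_securelevel 1
    check "inetd explicitly disabled (inetd_enable)" rc_disabled "$f" inetd_enable
    check "sendmail explicitly disabled (sendmail_enable)" rc_disabled "$f" sendmail_enable
    check "ipf packet filter enabled (ipfilter_enable)" rc_enabled "$f" ipfilter_enable
    check "ipnat enabled for NAT (ipnat_enable)" rc_enabled "$f" ipnat_enable
    check "ipmon logging enabled (ipmon_enable)" rc_enabled "$f" ipmon_enable
    return "$AUDIT_FAILS"
}

# Demo run against the constructed sample; on a real box point it at /etc/rc.conf.
tmp=$(mktemp "${TMPDIR:-/tmp}/rc.conf.XXXXXX")
write_sample_rc_conf "$tmp"
audit_rc_conf "$tmp" || echo "$AUDIT_FAILS check(s) failed"
rm -f "$tmp"
```

Against the sample, every line passes except inetd, which reports FAIL because it is still set to YES. The script only reads rc.conf; it does not tell you whether the running kernel actually has the filter compiled in or what securelevel is in effect right now, so pair it with `sysctl kern.securelevel` on the live system.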