Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall

Robert Thorsby robert at thorsby.com.au
Mon Nov 25 18:24:06 EST 2002


On 2002.11.25 10:26 I wrote:
>> In fact, I would be reluctant to have such a distro as you propose 
>> [via your Installed Packages] as the OS on a firewall exposed to
>> the outside world. However, YMMV.

On 2002.11.25 17:50 Alex Satrapa responded:
> Any particular reasons - is it because it's Debian, the wrong version 
> of Debian, or there's stuff you just wouldn't install (eg: bash, 
> cron, logrotate, ipac-ng, pppoe, etc)?


I have nothing against _any_ of the major distros, nor any version of 
Debian, and for you even to suggest that in your question shows that 
you haven't understood what I was saying.

However, to put it plain beyond doubt, you have included stuff that:-
1. Is unnecessary;
2. Is a security risk;
3. Is not appropriate for a firewall; or
4. Two or more of the above.

The starting point for a firewall must be _zero_ and from there you 
must justify every package that goes in. I really suggest that you have 
a look at one of the floppy-based firewalls. Not from the point of view 
of using that particular distro but from the point of view of seeing 
what "absolutely mandatory, necessary and vital" packages _can_ be left 
out.

It may well be that you decide that a stripped down, or alternative, 
version of an applet will not do and the original must be included. OK, 
that's fine -- but you have just justified (to yourself) your decision.

As something to kick off the justification process: Why cron -- it's 
totally unnecessary, and easily replaceable.

Robert Thorsby
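The start-from-zero justification process described in the message above, as an added example that is not part of the original post: a shell function that checks a `dpkg --get-selections` dump against a list of packages with written reasons. The `justified.txt` file, its "name reason" format and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Usage: unjustified_packages SELECTIONS ALLOWLIST
# SELECTIONS: output of `dpkg --get-selections` ("name[:arch]  state").
# ALLOWLIST (hypothetical format): "name  reason...", '#' starts a comment.
# Prints each package marked install/hold that has no allowlist entry
# carrying a written reason. An empty allowlist reports everything.
unjustified_packages() {
    awk -v allow="$2" '
        FILENAME == allow {
            if ($0 ~ /^[ \t]*#/ || NF == 0) next   # skip comments and blanks
            if (NF >= 2) justified[$1] = 1         # a bare name is not a justification
            next
        }
        $2 == "install" || $2 == "hold" {
            name = $1
            sub(/:.*/, "", name)                   # drop architecture qualifier
            if (!(name in justified)) print name
        }
    ' "$2" "$1" | sort -u
}

# Constructed sample data, not taken from the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/packagesinstalled.txt" <<'EOF'
bash        install
cron        install
ipac-ng     install
iptables    install
logrotate   install
pppoe       install
telnetd     deinstall
EOF
    cat > "$dir/justified.txt" <<'EOF'
# package   reason
bash        console administration shell
iptables    packet filtering
pppoe       WAN uplink is PPPoE
logrotate
EOF
    unjustified_packages "$dir/packagesinstalled.txt" "$dir/justified.txt"
    rm -rf "$dir"
}

demo
```

On the sample data this reports cron and ipac-ng (no entry) and logrotate (entry without a reason); telnetd is ignored because it is not selected for install.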


