Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall

Alex Satrapa grail at goldweb.com.au
Tue Nov 26 00:05:37 EST 2002

Robert Thorsby wrote:
> However, to put it plain beyond doubt, you have included stuff that:-
> 2. Is a security risk;

Malicious attackers are going to have to find ways to exploit bidentd, 
SSH, OpenVPN, PPPoE, PPP or the Linux networking code.  There are no 
other chinks in the armour on the external interfaces (these are the 
only ports that accept packets - everything else is dropped).  I could 
choose to remove bidentd, but that would mean several services that I use 
would be denied (eg: it is common for IRC servers to check your ident 
before letting you connect).

> ...  from the point of view of seeing what
> "absolutely mandatory, necessary and vital" packages _can_ be left out.

With a Debian box, it's a case of how much you can strip away, not how 
little you can add. Since the original poster was asking about minimally 
configured Debian for a firewall, I figured I'd contribute my version of 
"minimally" configured as far as Debian is concerned.

It would be nice if I could cut down more than I have, but some things 
are a little too hard.  For example, substituting busybox for fileutils 
only saves space - it doesn't make the system more or less secure. It's 
also very hard to use busybox on a Debian system instead of fileutils - 
attempt to remove fileutils, and you'll also have to remove:
   adduser at bidentd bsdmainutils console-common console-data
   console-tools debconf ez-ipupdate fileutils ipac-ng iptables
   kernel-image-2.4.18 kernel-image-2.4.20-pre6 less logrotate
   mailx man-db minicom netbase ntp ntp-refclock ntpdate ppp
   pppoe ssh ssmtp

Of course, in this instance, it's a case of poor packaging - fileutils 
and busybox provide similar functionality so they should both "provide" 
similar abilities.
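
Added example, not part of the original post: a sketch of the removal cascade described above, computed over dpkg-status-style stanzas, showing how a "Provides" entry or an alternative ("a | b") keeps dependent packages installable. The stanzas and the function names are constructed for illustration and are not real Debian metadata; version constraints are ignored.

```python
import re

# Constructed dpkg-status-style stanzas for illustration, not real Debian metadata.
SAMPLE_STATUS = """\
Package: fileutils

Package: busybox

Package: debconf
Pre-Depends: fileutils

Package: adduser
Depends: debconf (>= 0.2)

Package: ssh
Depends: adduser, debconf

Package: less
Depends: fileutils | busybox
"""

def parse_status(text):
    """Return {package: fields} for each stanza, skipping continuation lines."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        pkgs[fields["Package"]] = fields
    return pkgs

def groups(field):
    """Split 'a (>= 1), b | c' into [['a'], ['b', 'c']], dropping versions."""
    return [[re.sub(r"\s*\(.*?\)", "", alt).strip() for alt in clause.split("|")]
            for clause in field.split(",") if clause.strip()]

def removal_cascade(pkgs, target):
    """Packages left with an unsatisfied dependency once `target` is removed."""
    removed = {target}
    while True:
        remaining = set(pkgs) - removed
        # A name is satisfiable if a remaining package has it or Provides it.
        available = remaining | {n for p in remaining
                                 for g in groups(pkgs[p].get("Provides", "")) for n in g}
        broken = {p for p in remaining
                  for g in groups(pkgs[p].get("Depends", "") + "," + pkgs[p].get("Pre-Depends", ""))
                  if not any(alt in available for alt in g)}
        if not broken:
            return sorted(removed - {target})
        removed |= broken
```

Calling removal_cascade(parse_status(SAMPLE_STATUS), "fileutils") lists the packages that would have to go with it; adding "Provides: fileutils" to the busybox stanza empties that list.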
