Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall
Alex Satrapa
grail at goldweb.com.au
Tue Nov 26 00:05:37 EST 2002
Robert Thorsby wrote:
> However, to put it plain beyond doubt, you have included stuff that:-
> 2. Is a security risk;
Malicious attackers are going to have to find ways to exploit bidentd,
SSH, OpenVPN, PPPoE, PPP or the Linux networking code. There are no
other chinks in the armour on the external interfaces (these are the
only ports that accept packets - everything else is dropped). I could
choose to remove bidentd, but that would mean several services that I use
would be denied (eg: it is common for IRC servers to check your ident
before letting you connect).
> ... from the point of view of seeing what
> "absolutely mandatory, necessary and vital" packages _can_ be left out.
With a Debian box, it's a case of how much you can strip away, not how
little you can add. Since the original poster was asking about minimally
configured Debian for a firewall, I figured I'd contribute my version of
"minimally" configured as far as Debian is concerned.
It would be nice if I could cut down more than I have, but some things
are a little too hard. For example, substituting busybox for fileutils
only saves space - it doesn't make the system more or less secure. It's
also very hard to use busybox on a Debian system instead of fileutils -
attempt to remove fileutils, and you'll also have to remove:

    adduser at bidentd bsdmainutils console-common console-data
    console-tools debconf ez-ipupdate fileutils ipac-ng iptables
    kernel-image-2.4.18 kernel-image-2.4.20-pre6 less logrotate
    mailx man-db minicom netbase ntp ntp-refclock ntpdate ppp
    pppoe ssh ssmtp

Of course, in this instance, it's a case of poor packaging - fileutils
and busybox provide similar functionality so they should both "provide"
similar abilities.
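
The removal cascade described in the message above, as an added example that is not part of the original post: it parses dpkg status-style stanzas and computes which packages are left with an unsatisfiable dependency when one package is removed, with and without a Provides declaration. The stanzas are constructed for illustration (not real Debian control data), the busybox "Provides: fileutils" line is hypothetical, and version constraints are ignored.

```python
import re

def parse_status(text):
    """Parse dpkg status-style stanzas into {name: {"deps": [[alt, ...]], "provides": set}}."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        deps = []
        for key in ("Pre-Depends", "Depends"):
            for group in filter(None, (g.strip() for g in fields.get(key, "").split(","))):
                # "a (>= 1.0) | b" -> ["a", "b"]; version constraints are ignored here.
                deps.append([re.sub(r"\s*\(.*?\)", "", a).strip() for a in group.split("|")])
        provides = {p.strip() for p in fields.get("Provides", "").split(",") if p.strip()}
        pkgs[fields["Package"]] = {"deps": deps, "provides": provides}
    return pkgs

def removal_cascade(pkgs, target):
    """Return the other packages left with an unsatisfiable dependency once target is gone."""
    installed = set(pkgs) - {target}
    while True:
        # Names that can satisfy a dependency: real packages plus whatever they Provide.
        available = installed.union(*(pkgs[n]["provides"] for n in installed))
        broken = {n for n in installed
                  if any(not any(a in available for a in grp) for grp in pkgs[n]["deps"])}
        if not broken:
            return set(pkgs) - installed - {target}
        installed -= broken  # their dependents may break on the next pass

# Constructed stanzas for illustration; not the real Debian control data.
HARD = """\
Package: fileutils

Package: busybox

Package: libc6

Package: debconf
Depends: fileutils, libc6

Package: adduser
Depends: debconf (>= 0.2)

Package: ssh
Pre-Depends: adduser
Depends: libc6
"""
# Same system, except busybox (hypothetically) declares that it provides fileutils.
PROVIDED = HARD.replace("Package: busybox", "Package: busybox\nProvides: fileutils")
```

Calling `removal_cascade(parse_status(HARD), "fileutils")` returns the packages dragged out transitively, while the same call on `PROVIDED` returns an empty set because busybox satisfies the dependency.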