Linux Source Distribution for Firewalls?
Peter Miller asks: "I want to build a new firewall. I want fine control over the exact contents of the disk. So I went looking at Linux source distributions. Every one I looked at (Gentoo, Lunar, etc.) put the development environment on the final disk image. I don't think this is good for a firewall. Even Linux From Scratch does this; it isn't automated, and the nALFS UI is incomprehensible. I'd rather not have the package database in the final image, either. Micro-distros like FloppyFW don't publish their root image build scripts, and that's the route I'd like to follow. What do you security zealots out there use to build your firewalls from scratch?"
Not linux
--
"we live in a post-ideological world..." - Billy Bragg.
Seriously.
It can build a TIGHT little install, on the base system. I can purge packages like Perl when it's done building - could even script dpkg/apt if I had to do this often.
You wanted a source distro? You can do this with apt-source. Seems more painful than need be, with signed binaries available. I have been using the Adamantix packages (used to be Trusted Debian) and Bastille by Jay Beale and crew. I am pulling binary packages from my own apt-repository, so the firewall itself doesn't pull from the Internet, but only from a dedicated admin segment.
"Flyin' in just a sweet place,
Never been known to fail..."
Three points:
they come with scripts and docs
they produce bare (no dev tools) images to use on compact flash cards
The dev machine is separate
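The workflow sketched in the two posts above (build on a separate machine, purge the build tooling and the package database from the finished tree, and let the firewall fetch only from an internal apt repository on the admin segment) as a script. This is an added example, not code from any poster, Adamantix, Bastille or any distribution named in the thread. It assumes a Debian-style root tree has already been staged (for instance with debootstrap); the mirror host apt.admin.internal, the suite name and the package names in the constructed sample listing are hypothetical, and the purge step only invokes apt-get when the staged tree actually contains dpkg, so the script can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from any poster): finish a staged firewall root tree on
# the build machine before it is written to a CF card or disk.
# Assumptions (hypothetical): the tree was populated beforehand, e.g. by
# debootstrap; the internal mirror is http://apt.admin.internal/debian;
# package names in the sample listing are illustrative only.
set -eu

# Read package names, one per line as printed inside the staged tree by
#   dpkg-query -W -f '${Package}\n'
# and print the ones a finished firewall should not carry: compilers, build
# tools, header packages and the full Perl. perl-base is Essential (dpkg
# itself needs it) and is deliberately not matched.
dev_purge_list() {
    grep -E '^(gcc|g\+\+|cpp|make|binutils|patch|perl|perl-modules|[^ ]*-dev)$' || true
}

# Purge the given packages from the staged tree. Runs apt-get in a chroot
# only when the tree really has dpkg; otherwise print what would run so the
# example works on a bare scratch directory.
purge_dev_tools() {
    tree=$1; shift
    [ $# -gt 0 ] || return 0
    if [ -x "$tree/usr/bin/dpkg" ]; then
        chroot "$tree" apt-get -y --purge remove "$@"
    else
        echo "would run: chroot $tree apt-get -y --purge remove $*"
    fi
}

# Replace the public mirrors with the internal repository so the firewall
# never fetches from the Internet, only from the dedicated admin segment.
write_internal_sources() {
    tree=$1; mirror=$2; suite=$3
    mkdir -p "$tree/etc/apt"
    printf 'deb %s %s main\n' "$mirror" "$suite" > "$tree/etc/apt/sources.list"
}

# Drop dpkg/apt state from the image. The build machine keeps its own copy
# of the tree, so upgrades are done there and a fresh image is written out.
strip_pkgdb() {
    tree=$1
    rm -rf "$tree/var/lib/dpkg" "$tree/var/lib/apt" "$tree/var/cache/apt"
    rm -f "$tree/var/log/dpkg.log"
}

# Demonstration on a scratch directory with a constructed package listing.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/dpkg" "$root/var/cache/apt"
    # Constructed sample of what dpkg-query might print in a small base tree.
    listing='base-files
dpkg
perl-base
perl
gcc
make
libc6-dev
iptables
openssh-server'
    purge=$(printf '%s\n' "$listing" | dev_purge_list | tr '\n' ' ')
    echo "purge list: $purge"
    purge_dev_tools "$root" $purge   # unquoted on purpose: word-split list
    write_internal_sources "$root" http://apt.admin.internal/debian stable
    strip_pkgdb "$root"
    if [ -d "$root/var/lib/dpkg" ]; then db=yes; else db=no; fi
    echo "package db present after strip: $db"
    cat "$root/etc/apt/sources.list"
    rm -rf "$root"
}

demo
```

On a real tree the output of dev_purge_list should be reviewed before it is fed to apt-get, since apt will also remove anything that depends on the listed packages; that is usually what you want on a firewall, but it is the step where a needed daemon can disappear. Once the package database is stripped the image cannot be upgraded in place, which is the point: changes are made on the build machine and a new image is flashed.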
I use a modified version of an OpenBSD on an old watchguard box.
See Soekris on OpenBSD and Soekris on FreeBSD
Oh really?
Maybe I'm missing something, but isn't coyote linux a somewhat obvious choice for this?
The scripts are open to modification as much or as little as you like. IIRC, the end of the script is building/compiling the packages you've requested.
There is very little future in being right when your boss is wrong.