Firewall - Very limited Access - suggestions

[Guy Fraser]

Kevin F. Berrien wrote:

> I know what you mean, also given the security requirements of this 
> installation.  I was thinking of using a GUI, and reviewing the 
> firewall script.  I've got that good Linux Firewalls text to read up on.

Hi

Hardening the bastion host is more than just firewall rules.

If I were building a bastion host on FC2 I would also read up on 
SElinux. I believe that the extensions are already built into the 
kernel and I have seen some configuration apps somewhere.

With the SElinux extensions it is possible to restrict access to 
commands so that root is no longer able to gain access to everything 
on the system. You can have another more obscure username/uid that has 
more access rights than root. If possible you may want to have another server outside the bastion host, that provides your DNS and other 
"public" services {mail,web}.

A few years ago I set up a bastion host. Although it is in convenient 
I configured it so that there was no remote access to the machine 
and root was not able to log in directly from any console. Further security included a locked case, no floppy, no CD, and USB disabled 
in BIOS.

I don't know if it is good or bad, but the administrator left on bad 
terms and nobody could get into the machine to change passwords. They 
found the key, and installed a CD drive then Win 2000. They decided 
that having a technically inclined person to maintain their systems 
was too expensive. I have already had to shut down their connection 
once due to open relay complaints, it cost them more to have an 
"expert" fix there machine than I would have charged to maintain 
their bastion host for a year.

Hope all goes well.