Networking Forums


best choice of kernel version for a new firewall

 
 
Brett
Guest
Posts: n/a

 
      11-29-2004, 11:15 PM
Hi,

I'm relatively new to Linux and about to set up a firewall for a small home
network. I use the Debian distribution (woody) and am about to compile a new
kernel (2.6.8) before I begin to set the thing up for its main function.

Reading the kernel documentation, I notice that the stable Debian
distribution doesn't include some of the minimum software requirements for
me to compile my kernel (things like, e2fsprogs, jfsutils etc.). I'm
wondering at this point whether I should be tracking down and installing
these newer software components and going for the latest (stable) kernel, or
just use an earlier kernel version to help ease the learning curve. I wanted
the newer kernel in the hope that it was more secure than the standard
Debian kernel.

What do people think?

Thanks in advance,
Brett.


 
 
 
 
 
KJ
Guest
Posts: n/a

 
      11-29-2004, 11:29 PM
On Tue, 30 Nov 2004 11:15:29 +1100, Brett wrote:

> Hi,
>
> I'm relatively new to Linux and about to set up a firewall for a small
> home network. I use the Debian distribution (woody) and am about to compile a
> new kernel (2.6.8) before I begin to set the thing up for its main
> function.
>
> Reading the kernel documentation, I notice that the stable Debian
> distribution doesn't include some of the minimum software requirements for
> me to compile my kernel (things like, e2fsprogs, jfsutils etc.). I'm
> wondering at this point whether I should be tracking down and installing
> these newer software components and going for the latest (stable) kernel,
> or just use an earlier kernel version to help ease the learning curve. I
> wanted the newer kernel in the hope that it was more secure than the
> standard Debian kernel.
>
> What do people think?
>
> Thanks in advance,
> Brett.


Though I mostly use Linux myself, I'd seriously consider using OpenBSD
when setting up a machine expressly to act as a firewall. However, if you
still want to use Linux, SELinux might be an appropriate kernel to look
into.

Good luck.

 
 
Simon Waters
Guest
Posts: n/a

 
      11-29-2004, 11:52 PM

Brett wrote:
|
| Reading the kernel documentation, I notice that the stable Debian
| distribution doesn't include some of the minimum software requirements for
| me to compile my kernel (things like, e2fsprogs, jfsutils etc.).

jfsutils is required for building a 2.6 kernel ?!?

| What do people think?

For a small home network, new to Linux - just use the latest
prebuilt stable kernel supplied, or even stick with the one you have.

Has anyone here experienced a remotely exploitable kernel bug in a
box not offering services ? I've never heard of one, except maybe an
odd DoS packet but that is lame. If your paranoia level is such that
you need more security than the default Linux kernel, then as a self
professed newbie you ought to ship in prebuilt firewall software by
people who do nothing else.

 
 
Brett
Guest
Posts: n/a

 
      11-30-2004, 12:36 AM
"Simon Waters" <(E-Mail Removed)> wrote in message
news:cogg8s$r2s$1$(E-Mail Removed)...
> Brett wrote:
> |
> | Reading the kernel documentation, I notice that the stable Debian
> | distribution doesn't include some of the minimum software requirements for
> | me to compile my kernel (things like, e2fsprogs, jfsutils etc.).
>
> jfsutils is required for building a 2.6 kernel ?!?


That's what the docs say.

> | What do people think?
>
> For a small home network, new to Linux - just use the latest
> prebuilt stable kernel supplied, or even stick with the one you have.
>
> Has anyone here experienced a remotely exploitable kernel bug in a
> box not offering services ? I've never heard of one, except maybe an
> odd DoS packet but that is lame. If your paranoia level is such that
> you need more security than the default Linux kernel, then as a self
> professed newbie you ought to ship in prebuilt firewall software by
> people who do nothing else.
>


Well, OK, re-building the kernel isn't just for the firewall. I also
thought it would be another step forward in being more proficient under
Linux. I guess I was just wondering if there was a smaller step I should
take, e.g. "compiling and installing 2.4 is MUCH easier, or something".

Brett.


 
 
Bill Marcum
Guest
Posts: n/a

 
      11-30-2004, 12:51 AM
On Tue, 30 Nov 2004 11:15:29 +1100, Brett
<(E-Mail Removed)> wrote:
> Hi,
>
> I'm relatively new to Linux and about to set up a firewall for a small home
> network. I use the Debian distribution (woody) and am about to compile a new
> kernel (2.6.8) before I begin to set the thing up for its main function.
>
> Reading the kernel documentation, I notice that the stable Debian
> distribution doesn't include some of the minimum software requirements for
> me to compile my kernel (things like, e2fsprogs, jfsutils etc.). I'm
> wondering at this point whether I should be tracking down and installing
> these newer software components and going for the latest (stable) kernel, or
> just use an earlier kernel version to help ease the learning curve. I wanted
> the newer kernel in the hope that it was more secure than the standard
> Debian kernel.
>
> What do people think?
>

Upgrade your system to sarge. It will soon be the new stable distro,
hopefully by the end of this year.

--
"At a scheduled time, the robot would pull the flush lever and scream as
it got sucked down the drain." --Kibo
 
 
Simon Waters
Guest
Posts: n/a

 
      11-30-2004, 01:00 AM

Brett wrote:
|
| Well, OK, re-building the kernel isn't just for the firewall. I also
| thought it would be another step forward in being more proficient under
| Linux.

Under Debian you install the kernel-package, and follow the steps,
and you get a kernel package, and you install it and swear at
yourself for having missed something stupidly obvious. But yes it is
fun to do once to convince yourself you understand it, or if you are
contributing new stuff, or debugging a driver....

Long ago decided people who get their hardware to work without
recompiling kernels are the competent Debian users - but it is a
minority opinion.

Simon

 