Some other things one might consider are:

- turning off IP forwarding entirely and running heavily logged proxies instead
- turning off access from TROTW (The Rest Of The World) to things you need through hosts.deny/hosts.access rules
- keeping up with bugtraq advisories and new security patches provided for your distro
- providing physical security and improving your boundaries against "social engineering" (otherwise known as learning how to keep a secret)
- coming up with more effective strategies for dealing with intruders (e.g. honeypots and off-site logging, doing the diffs automatically, setting alarm levels appropriately, etc.)

Perhaps the least effective security measure is
throwing your toys on-list. It's uh...*pretty* silly.

The closest thing I've seen to an out-of-the-box Linux
firewall would be the SuSE "minimal install" followed by
running the hardsuse script.

There is a description of what this does at:
http://portal.suse.de/en/content.php?SEARCH&content/security/secure_webserv.html

And even Marc Heuse recommends OpenBSD for those who aren't
100% satisfied with the measures taken in hardSuSE and, say,
Bastille.

And don't underestimate the power of unplugging your network
from the rest of the world if you have security concerns.

Cheryl