Setting up a firewall box. A couple of questions.

[ursidae]

I´m going to set up a firewall running slackware 8.0 on an old p75 with a 500mb hd and I have some questions.

1. How do you think I should partition the hd?

I assume it´s wise to have /var on its own. I like logs so I guess I should make it big.
How big is a minimal slackware installation? I can´t remember.

Any other suggestions?

2. How useful is the default kernel?

I don´t have another linux installation I can use to compile a new kernel on right now, and 500mb might be a bit tight with the kernel source and gcc installed so I would like to use the default kernel (2.4.5).

Is the default kernel useful for a firewall/gateway? It is not missing things like netfilter is it?

[tolstoy]

I would just begin the install, do an expert install (don't know if slack has that option) and choose all your packages by hand (choose just what you need). Once you start the install, you should be given an indication of how large your installation will be and so how to partition your drive. Then you can start the installation over and set up the partitions right. I would have 2 partitions: /var and / (besides swap of course). It is probably a good idea to give yourself enough room on the root partition so that 25% or so of it is left free. /var should take up all the rest of the dis space (or you could have the partition just for /var/log as long as everything is loggin there). Also you might want to think about giving yourself enough room to unpack and compile new kernel sources. As for the kernel, recompile it and go through all the netfilter options. You will probably be all right with the defualt kernel, but why not trim the fat and tweak it up a bit.

[ursidae]

I gave /var ~110Mb. I can always add another 500Mb hd and move /var there if I feel I want to save all logs. I have one around here somewhere. I think I have enough room left on / for a kernel compile.

Now I just have to learn iptables.

[tolstoy]

I liked this book when it covered ipchains. The newer version on iptables is evern better.

http://www.bookpool.com/.x/o4snnr6jgr/sm/0735710996

[Feztaa]

Now I just have to learn iptables.

You won't regret it. It's the most configurable firewalling tool I've ever seen. Much more robust than ipchains

You won't regret it. It's the most configurable firewalling tool I've ever seen. Much more robust than ipchains

/me whispers OpenBSD's pf. Much better than ANY other packet filter in existance! Ask Ashcrow or Kint.

[ursidae]

I liked this book when it covered ipchains. The newer version on iptables is evern better.

http://www.bookpool.com/.x/o4snnr6jgr/sm/0735710996

Thanks for the tip. Just looking at the table of contents tells me this is exactly what I have been looking for.

[xkill]

Default Kernel?? Don't think so. I think you should compile everything required for your firewall design into the kernel. Don't load them as modules. You have plenty of room, as long as it's only for a firewall and not for a "real" box. Yeah, do the expert install thing and pick every program by hand...I did a full install(because I'm a little lazy) and then wen't back and did a mass uninstall to trim down the system. You definitely need kernel source though. good luck

Oh yeah, on my slack 8.0 box I don't think the kernel had netfilter compiled in...or anything related to iptables for that matter.

[Ashcrow]

/me whispers OpenBSD's pf. Much better than ANY other packet filter in existance! Ask Ashcrow or Kint.

Very true! Iptables is a great tool but it doesn't beat pf.

[ursidae]

Default Kernel?? *Don't think so. *I think you should compile everything required for your firewall design into the kernel. *Don't load them as modules. *You have plenty of room, as long as it's only for a firewall and not for a "real" box. *Yeah, do the expert install thing and pick every program by hand...I did a full install(because I'm a little lazy) and then wen't back and did a mass uninstall to trim down the system. *You definitely need kernel source though. *good luck

Oh yeah, on my slack 8.0 box I don't think the kernel had netfilter compiled in...or anything related to iptables for that matter.

I always do the expert install. I´m a minimalist.

I have been thinking about the kernel compile. I will just install slack on my desktop and compile it there then transfer it. This way I don´t have to worry about space.