it might be a little too demanding, but this is what I had in mind. I'll
put time into getting it right, but I have no time to waste, so I am asking
you for advice regarding this.
I need a devil-linux configuration to do the following.
1._ All requests to privileged ports are escalated to unprivileged ones.
1.1_ 80 -> 8080
1.2_ 443 -> 8443
1.3_ 25 -> 2500
(no ftp server or VPN needed (at least for now))
1.4_ except for DNS client connection exclusively to my ISP
1.5_ I would like to let only my ISP ping my outside box
2._ On the CD-ROM I would like to have apache or
(preferably!!!) tux: http://www.redhat.com/docs/manuals/tux/
2.1_ exclusively serving static pages (images, stylesheets, html, css,
2.2_ fielding and processing the ssl-based/https requests
2.3_ directing requests to back-end servers based on the incoming port;
2.3.1_ everything email (port 25 -> 2500) should be directed to a NIC
which connects to the mail server on the back end
2.3.2_ requests for dynamic web pages are routed in a DNS Round-Robin
fashion (does not need to be a weighted one) to a number of back-end Web
2.3.2.1_ could be plugged in on demand
2.4_ back-end server should have its own firewall or
3._ They might just be the same machine with only firewall and a bunch a
4._ a small LAN needs connection to the net from behind the devil-linux
5._ log every thing knocking on to my external ethernet card on one of the
back-end machines using snort and broadcasting the logs as described in the
honeypot project; http://www.spitzner.net/
This is just an outline, but, what is wrong with my idea/approach?
I haven't pondered the pros and cons of this possible design,
including security risks which are the main reason I am trying to go this
Any links, "previous art", criteria, guidance, ... on this?
I know there are "many ways to skin a cat". I wrote what I had in mind in a
rather structured way (or perhaps a laundry list), but I might have to
settle/start with part of it.
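Items 1.1 to 1.5 above, sketched as iptables rules. This is an added example, not from the thread and not Devil-Linux's own firewall scripts; the interface name and the ISP addresses are placeholders, and IPT defaults to `echo iptables` so the rules are printed for review rather than applied (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Assumed values (placeholders, not from the original post):
WAN_IF="${WAN_IF:-eth0}"          # external ethernet card
ISP_DNS="${ISP_DNS:-192.0.2.53}"   # ISP resolver (TEST-NET address)
ISP_MON="${ISP_MON:-192.0.2.1}"    # ISP host allowed to ping us
IPT="${IPT:-echo iptables}"        # print rules by default; IPT=iptables applies them

# Assumes a default-DROP INPUT/OUTPUT policy with a stateful
# ESTABLISHED,RELATED accept rule already in place.
fw_rules() {
    # 1.1-1.3: escalate privileged ports to unprivileged ones, so the
    # daemons behind them never need root to bind.
    for pair in 80:8080 443:8443 25:2500; do
        dport=${pair%%:*}
        to=${pair##*:}
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$dport" \
            -j REDIRECT --to-ports "$to"
        # After REDIRECT the packet arrives in INPUT with the new port.
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$to" -j ACCEPT
    done

    # 1.4: DNS client traffic only to the ISP's resolver; everything else
    # on port 53 is dropped so a compromised box cannot resolve elsewhere.
    for proto in udp tcp; do
        $IPT -A OUTPUT -o "$WAN_IF" -p "$proto" --dport 53 -d "$ISP_DNS" -j ACCEPT
        $IPT -A OUTPUT -o "$WAN_IF" -p "$proto" --dport 53 -j DROP
    done

    # 1.5: only the ISP may ping the outside interface.
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -s "$ISP_MON" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

fw_rules
```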
should be all possible.
- you should not have the web-server on the firewall
- tux: I don't like the idea of having a kernel based http server
one exploit and you're so screwed.
- make sure the web-server is running in a chroot environment
DL 0.6 series supports grsecurity, which actually helps you secure
the chroot jail
- when you add apache to DL, do it via the build system
this makes future updates easier for you, and I can add it to the
We are Penguin, resistance is futile!
I just came across Devil-linux. It seems to be a very promising concept!
Just one question:
I read that DL is QoS capable. Does this mean that just the necessary
kernel modules are compiled, or is there a more or less comfortable tool
for setting up QoS? Could not find info in this list's archive.
Background: I need to limit my ADSL upstream, so that downstream won't
get all f**** up when sending data; ACK packets have to be priorized
(prioritized? ;-) ).
Have a nice day!