# Gentoo Firewall / Security Question

## Centinul

I'm using the firewall script that is provided on gentoo-wiki.com for my Gentoo Firewall box. I've been thinking about other security measures for my system.

The main questions are:

How important is it that I implement GRSecurity or SELinux on this firewall?

Also, would it be more or less beneficial to implement GRSecurity or SELinux on the boxes behind the firewall?

----------

## Centinul

Bump!

----------

## Xaid

I don't have a similar setup as you, but what I implemented for security are the following:

I'm using a hardened profile for my main system and have PaX enabled. This should be easy to do since it doesn't really require a lot of work; you might have to tweak a few things to get them working after enabling PaX (if you have an Nvidia card and want to use OpenGL applications with the proprietary Nvidia driver, Flash with Firefox, etc., but that's easy).

I run a daily rootkit scanner (rkhunter) via cron and the logs are sent to me on a daily basis, and I use logwatch, which gives you a summary of the logs and optionally emails it to you (called via cron as well here).

I installed Snort and snortsnarf, which produces an HTML breakdown of the Snort logs.

That's pretty much all I have. I use sudo if I need root privileges with some programs (such as shutdown, for example) and I don't run services which are not needed. It's pretty much a basic security setup which can be improved on.

I can't give you any advice on Grsecurity vs. SELinux since I haven't used any of them before, but I think you have to read a bit about both of them and decide for yourself. SELinux on the firewall box is not a bad idea, I think.

I think GRsecurity is easier to set up, but don't take my word on it; check the docs to be sure.

Good luck.

----------

## Centinul

On the topic of logs, I installed syslog-ng when I installed Gentoo. How do I use that to sort through my firewall logs for potential attempts, and then have it emailed to a user not on the firewall system?

----------

## Xaid

Centinul, I'm using syslog-ng as my system logger as well. If you check the documentation on their website, you should be able to do some filtering and send the output to a program (mail, for example). I haven't personally done this since I find using logwatch a lot easier :)

here's the link for the syslog-ng documentation: 

http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.html/book1.html

I recommend that you take a look at sys-apps/logwatch and then edit the config file for it (usually /etc/log.d/conf/logwatch.conf) and set the MailTo variable to something like root@somedomain.com. You can set which services to watch, the detail level and how many days you want the check to include (yesterday, a week's worth, etc.).

----------

## alaindu

He he, I don't even have iptables installed - I don't think I've got any sort of firewall at all... I'm just browsing the net and stuff, and it's a standalone Gentoo machine - do you think I should firewall it? :-S

----------

## Xaid

alaindu,

It's a good idea to have a firewall running. There is a basic firewall script on http://gentoo-wiki.com and there are some GUI frontends for iptables, such as "firestarter", "kmyfirewall" and lots more; you can search on http://packages.gentoo.org for "iptables" and see what you come up with.

----------

## DNAspark99

In terms of firewalls, I can't recommend 'fireHOL' enough; it's exactly what I was looking for - quick, simple, and highly effective.

There's some good info here on grsecurity and the various useful kernel options. I've got a hardened box with grsecurity + PaX; no major problems with my configs so far.

----------

## Centinul

How do I make logwatch work with iptables? I looked for the iptables service in the logwatch /services/ folder but it wasn't listed. Thanks!

----------

## Xaid

Hi Centinul,

I'm guessing that logwatch currently doesn't parse iptables logs. I found this link on logwatch's homepage that you might want to take a look at: http://www2.logwatch.org:81/tabs/docs/HOWTO-Make-Filter.html

I found another program that might be useful, net-analyzer/fwlogwatch. From taking a quick look at its homepage, it seems to be exactly what you need to parse iptables logs.
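As an added example (not code from this thread, nor from logwatch or fwlogwatch), here is a small Python script that does the kind of iptables log sorting Centinul asked about: it reads syslog-ng output, keeps only the kernel lines carrying the firewall's --log-prefix (assumed here to be "FW DROP:"; match it to whatever prefix your firewall script uses), counts drops per source/protocol/port and flags sources that hit several different ports. The sample log lines are constructed, and the report text is what you would pipe to mail from a cron job.

```python
import re
from collections import defaultdict

# Constructed sample syslog-ng output. The "FW DROP:" prefix is an assumption;
# it must match the --log-prefix your own iptables LOG rules use.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 SYN URGP=0
Jan 12 10:00:02 fw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Jan 12 10:00:03 fw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44323 DPT=80 SYN URGP=0
Jan 12 10:00:04 fw kernel: FW DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan 12 10:00:05 fw sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
Jan 12 10:00:06 fw kernel: FW DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

LINE_RE = re.compile(r"kernel: .*?FW DROP: (?P<fields>.*)$")  # only our firewall's kernel lines
KV_RE = re.compile(r"(\w+)=(\S*)")                             # KEY=value tokens; flags like SYN/DF are ignored

def parse_drops(text):
    """Yield one dict of KEY=value fields per FW DROP line; every other syslog line is skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("fields")))
        if "SRC" in fields and "DPT" in fields:
            yield fields

def summarize(text, scan_threshold=3):
    """Count drops per (SRC, PROTO, DPT); flag sources that hit >= scan_threshold distinct ports."""
    counts = defaultdict(int)
    ports_by_src = defaultdict(set)
    for f in parse_drops(text):
        counts[(f["SRC"], f.get("PROTO", "?"), f["DPT"])] += 1
        ports_by_src[f["SRC"]].add(f["DPT"])
    suspects = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return dict(counts), suspects

def report(text):
    """Build the plain-text summary to be mailed (e.g. piped to mail from cron)."""
    counts, suspects = summarize(text)
    lines = ["Dropped packets by source/proto/port:"]
    for (src, proto, dpt), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src:15} {proto:4} dpt={dpt:5} x{n}")
    if suspects:
        lines.append("Sources that probed several ports (possible scan): " + ", ".join(suspects))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```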

----------

