Neil Bothwick <neil@××××××××××.uk> writes:

> On Tue, 25 Dec 2007 22:53:10 -0600, reader@×××××××.com wrote:
>
>> This machine has been prepped to be a sort of DMZ machine, but not
>> more wannabe than really since it will not route stuff to my home lan
>> at all... just be the recipient of all blocked stuff at an upstream
>> NETGEAR firewall/router.
>>
>> I would like an opinion about the USE flags I keep in /etc/make.conf
>>
>> USE="mysql emacs mbox hal acpi logrotate vga nptl nptlonly \
>> -ipv6 -imap -maildir -gnome -X -kde"
>

[...]

----- Notes ----- Notes -----

First let me reiterate what this OS is supposed to do. My original
post was so riddled with typos and bad grammar, I'm amazed you
understood enough of it to make a sensible reply.

Briefly: This machine's purpose is to receive the output of a DMZ
switch at a NETGEAR router upstream. It will not be routing anything
to the local lan and has only 1 nic. I just want a pipeline of all the
baloney my firewall is dropping for my own investigation.

The netgear router/firewall's own logging capabilities produce a big,
awkward, poorly formatted log. Getting it mailed and processed is a
pain, and having it log directly to a lan machine's syslog seems to
truncate the data to the point it's nearly useless. The configuration
procedure is also way awkward compared to hand editing an iptables
script.

I plan to install an iptables firewall that drops incoming portscans,
sweeps, untoward connection attempts, etc. etc., logs the info, and study
the logs with tcpdump etc.

---- End Notes ----- End Notes -----

Neil wrote:
> It depends on the profile you use, since that affects the defaults
> for flags not set/unset in /etc. Which profile are you using, hopefully a
> server one, and what does "emerge --info show". The output from emerge

Gack.... I've never given a moment's thought to which profile I used.
It appears to be pointing at the default one.

/etc/make.profile -> ../usr/portage/profiles/default-linux/x86/2006.1

emerge --info shows a hefty list of USE flags. Good lord. I had
no idea all those were being used during emerges.

I think I'd better do some reading before proceeding with this.

I'm thinking, switching to the `hardened' profile is probably what I
should be doing.

How does one go about changing the profile? Is it as simple as just
changing the symlink?

googling on `site:gentoo.org profile'

I find a little guide showing how to change from 2004.0 to 2006.X. It
talks about a different setup being deployed post 2004.0. So I'm wondering
if there are more or different steps involved now?

The full output of that search even when adding `-forums' is too much
to swim thru without a little more paring down.

-- 
gentoo-user@g.o mailing list
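The kind of logging firewall the post above describes, written out as an added example that is not code from the original thread or from anyone in it: an iptables policy for a single-NIC host that accepts nothing unsolicited, logs what it drops under a fixed prefix with rate limiting so a port sweep cannot flood syslog, and a helper that summarises the resulting kernel log lines by source and destination port. The interface name eth0, the admin subnet 192.168.1.0/24 allowed to reach SSH, the "DMZ-DROP: " prefix and the sample log lines are all assumptions or constructed data; setting IPT="echo iptables" prints the rules instead of applying them, which is also how the script can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the sink host has a
# single interface eth0, is administered over SSH from 192.168.1.0/24, and
# never forwards traffic. IPT="echo iptables" turns the script into a dry run.

IFACE="${IFACE:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP                       # single NIC: never route
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    # Everything else is unsolicited: log it (rate limited) and drop it.
    $IPT -A INPUT -i "$IFACE" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "DMZ-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

# Summarise LOG-rule lines read from stdin: prints "count SRC DPT",
# most frequent first. Non-firewall syslog lines are ignored.
summarize_drops() {
    grep 'DMZ-DROP:' | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") c[src " " dpt]++
    } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of what the LOG rule writes to the kernel log (plus one
# unrelated sshd line that the summary must ignore).
SAMPLE_LOG='Dec 26 01:02:03 dmz kernel: DMZ-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=50 PROTO=TCP SPT=4444 DPT=22 SYN
Dec 26 01:02:04 dmz kernel: DMZ-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=50 PROTO=TCP SPT=4445 DPT=23 SYN
Dec 26 01:02:05 dmz kernel: DMZ-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TTL=48 PROTO=TCP SPT=5555 DPT=22 SYN
Dec 26 01:02:06 dmz kernel: DMZ-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=50 PROTO=TCP SPT=4446 DPT=22 SYN
Dec 26 01:02:07 dmz sshd[123]: Accepted publickey for admin from 192.168.1.5'

case "${1:-}" in
    apply)  apply_rules ;;                     # sh dmz-fw.sh apply   (as root)
    report) summarize_drops ;;                 # sh dmz-fw.sh report < /var/log/messages
    demo)   printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

Run `IPT="echo iptables" sh dmz-fw.sh apply` to review the rule set before applying it, and `sh dmz-fw.sh demo` to see the summary for the constructed lines (the top entry is the source that hit port 22 twice). The rate limit only caps how many dropped packets are logged, not how many are dropped, so a loud scan still shows up in the summary without filling the disk.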