Building the Gateway

Once the gateway hardware has been assembled, it is time to install the operating system and configure it to provide the necessary services. The installation should be as minimal as possible: every unnecessary service or program that is installed increases the risk that one of the programs on the gateway is vulnerable. Do not install the X Window System or any of the optional applications.

It is important to install the development tools and the system source code. After installation, the kernel will be recompiled and the new versions of several services might need to be downloaded and compiled, so the development tools will be necessary.

Make the /var partition a decent size during drive setup. A couple hundred megabytes should be more than sufficient. A gateway can generate many logs, and this is where they will be stored.

If the installer for the distribution you are using has a firewall-configuration section (like the current Red Hat installers), leave it unchanged for now. The firewall rules will be changed once the system is running and will be more complex than the basic configuration tool in the installer can generate.

Linux Kernel Configuration

The kernel configuration should be reviewed to remove unneeded support. Take out support for anything that won’t be needed for the hardware configuration of the gateway. The general process for doing this is described in Chapter 5 (see Section 5.2 and especially Section 5.2.2). Enable the optional modules for Netfilter; the firewall on the gateway will use several of these modules. The gateway will also need support for SYN cookies and IP forwarding.

If the gateway is going to connect to the wireless network using HostAP or a wireless network card instead of an Ethernet connection to the AP, make sure the kernel has support for the wireless drivers selected.

Disabling Unneeded Services

Just as with the clients, the unneeded services on the gateway should be disabled. The basic approach to doing this for Linux is described in Chapter 5.

Check to see what services are running and disable all of the unneeded remotely accessible services. Don’t forget to check the inetd or xinetd services as well as the rc-based services.

The services that will be used, and should be enabled, are arpwatch, syslog, dhcpd, and sshd. arpwatch and syslog will be used for monitoring and logging. dhcpd will provide DHCP addresses to clients. To allow remote administration of the gateway, sshd must be running; it provides encrypted shell sessions for the ssh client program.

Disable the iptables and ipchains services in rc; a replacement script will be developed later in this chapter to configure the iptables service.
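The following script is an added example, not code from the book, that turns the checks described above (unneeded listeners versus the four allowed services, the SYN cookie and IP forwarding kernel options, and xinetd stanzas left enabled) into repeatable audit functions. It assumes the syslog daemon shows up as "syslogd" in process listings, that listener records are supplied as "proto:port:program" (the constructed sample below stands in for real output), and that a root prefix argument may point the file-based checks at a staged directory tree.

```shell
#!/bin/sh
# Added audit helpers (not from the book): check listeners against the
# allowlist the text names, the two kernel settings it requires, and xinetd
# stanzas left enabled. A root prefix ("" = live system) allows staged trees.
ALLOWED_PROGRAMS="sshd dhcpd syslogd arpwatch"

# Reads "proto:port:program" records on stdin (the fields you would pull from
# `netstat -lnp` or `ss -lntup`), prints each listener whose program is not
# allowed and returns 1 if any was found.
flag_unexpected_listeners() {
    found=0
    while IFS=: read -r proto port prog; do
        [ -n "$proto" ] || continue
        allowed=0
        for a in $ALLOWED_PROGRAMS; do
            if [ "$prog" = "$a" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNEXPECTED %s/%s %s\n' "$proto" "$port" "$prog"
            found=1
        fi
    done
    return $found
}

# Verifies tcp_syncookies=1 and ip_forward=1 under $1/proc/sys; returns 1 if
# either is missing (kernel built without it) or off.
check_gateway_sysctls() {
    root=$1 rc=0
    for entry in net/ipv4/tcp_syncookies:1 net/ipv4/ip_forward:1; do
        path="$root/proc/sys/${entry%%:*}" want=${entry##*:}
        have=$(cat "$path" 2>/dev/null || echo missing)
        if [ "$have" != "$want" ]; then
            printf 'WARN %s is %s, expected %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Prints the service names under $1/etc/xinetd.d whose stanza says "disable = no".
enabled_xinetd_services() {
    grep -lis '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$1"/etc/xinetd.d/* 2>/dev/null |
        while read -r f; do basename "$f"; done
}

# Constructed sample listeners so this runs offline (telnet/portmap are leftovers).
printf 'tcp:22:sshd\nudp:67:dhcpd\ntcp:111:portmap\ntcp:23:in.telnetd\n' |
    flag_unexpected_listeners || echo "disable the listeners above in rc or (x)inetd"
check_gateway_sysctls "" || echo "enable the missing kernel options and rebuild"
```

Run `enabled_xinetd_services ""` on the live system to list xinetd services still switched on; anything it prints that is not one of the four allowed services should be disabled.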
