Which Red Hat?

Chuck Yerkes chuck+baylisa at snew.com
Mon Feb 17 17:12:45 PST 2003


Quoting David Alban (extasia at extasia.org):
> Greetings!
> 
> I want to do a clean install of Red Hat on a P133 box w/scsi.  I want
> to put two network cards in the box, with one for dsl and one for my
> internal network.  The box will be a firewall.
> 
> I've heard folks say various things about the different Red Hat
> versions.  Can anyone recommend a particular version (or set of
> versions)?  Or, can anyone recommend against a particular version, or
> set thereof?

Red Hat Advanced Server is supposed to be the "enterprise
edition" of Red Hat.  It's supposed to be long and well
supported and slower changing than Linuxes usually are.

I like BSDs by personal choice. OpenBSD goes on about being security
focussed, but much of the changes they've made have found their
way into Free and Net.  I waffle between Net and OpenBSD builds
on a Soekris box (www.soekris.com - about the size of a hub, boots
from a compact flash).


The biggest problem I find on any Unix is the large amount
of crap that's installed by default.  I just remove inetd.conf
on Solaris as a first step.  Then it's a matter of stripping out
startup scripts.  Same for all other Unixes.


I've pushed several OS vendors (free and non) to START OUT with a
minimal config.  Many of us dealt with Sun putting out an
/etc/hosts.equiv with "+ +" in it for YEARS in SunOS 4.x.  Let me
run a script to turn things on.  SGI and Red Hat have chkconfig; Sun
foisted System V on us, but never gave us real management tools.
(should nfsserver even try to run if rpcbind/portmap is not on?
Why does inetd get started with no inetd.conf file?  (that one took
OpenBSD 20 minutes to fix when I reported it)  Does anyone NEED
echo?).


OpenBSD comes with ssh turned on and that's about it (and portmap
for reasons I don't get).  This is nice.  It's also repeatable
with some work on other OSs.

-OpenBSD is implementing readonly segments of ELF - something no one
 else is doing.  OpenBSD-current is painful right now.
-NetBSD is in the middle of adding decent threading at the moment.
-FreeBSD is going through a big change with 5.0.  4.7 is stable,
 but 5.0 has some nice things.
-Solaris doesn't really want to run on one or two CPU machines.
 They finally have newer user-land tools (tcsh, zsh, ssh, apache!
 and "perl"!  About freaking time).
-Red Hat and SuSE both have good enterprise releases after demands
 from IBM and the like.  No corp wants to have to upgrade OSs every
 4 months with major changes every year.

Support may be an issue.  Playing "juggle the RPMs" when you need
a new kernel sucks.  Getting the Enterprise versions may be helpful
here.


Then you get to choose proxies (you wouldn't let your users
connect with random programs to strangers, would you?).  And we're
back to "firewall classic".  See the firewalls at greatcircle archives
back to 1993 for more on those topics.


Usually, the best choice for a bastion's OS is one you are very
familiar with.  More to the point, one you are NOT very familiar
with, will not serve you well.

And of course, you do the full gamut of setting up strong filtering
on your router after the Firewall and have another router inside
the firewall that ideally is from another company/different OS.
(Belts and suspenders).


But it sounds like a home gateway type thing.  So why not just
use a little NAT box for $80 with no fan, no disk, no worries.
Sure, it won't do IPSec or run IPv6 tunnels, but it will basically
keep new connections from being opened to your inside machines.
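The "strip what's on by default" pass the post describes (look at what inetd would start, kill the echo/chargen class of services, and check hosts.equiv for the SunOS-era "+ +" wildcard) is easy to script. The following is an added example, not code from the post or from any of the OS vendors mentioned; the inetd.conf and hosts.equiv files it reads are constructed samples written to a temp directory so the script runs offline, and on a real bastion you would point the functions at /etc/inetd.conf and /etc/hosts.equiv instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two things the
# post complains about on a freshly installed Unix - everything inetd
# would start, and a wildcard hosts.equiv.
# SAMPLE_DIR and the files under it are constructed here so the script
# runs stand-alone; on a real host use /etc/inetd.conf and
# /etc/hosts.equiv.

# Print the service name (first field) of every active inetd.conf line,
# skipping comments and blank lines: this is exactly what inetd will
# listen for after boot.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Print the subset of active services that are the "internal" test
# services (echo, discard, chargen, daytime, time).  Nobody needs them
# on a bastion, and echo/chargen are classic traffic-amplification fodder.
trivial_inetd_services() {
    enabled_inetd_services "$1" |
        grep -Ex 'echo|discard|chargen|daytime|time' || true
}

# Exit 0 if hosts.equiv holds a bare "+" or "+ +" wildcard entry
# (trust every host; with "+ +" every user on every host), else 1.
hosts_equiv_is_wildcard() {
    grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$1"
}

# --- constructed sample files ---------------------------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/inetd_audit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed sample inetd.conf, in the style of a stock 2003 BSD/Linux
ftp      stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet   stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
#shell   stream  tcp  nowait  root  /usr/libexec/rshd     rshd
echo     stream  tcp  nowait  root  internal
chargen  stream  tcp  nowait  root  internal
EOF
printf '+ +\n' > "$SAMPLE_DIR/hosts.equiv.bad"
printf 'trusted.example.internal\n' > "$SAMPLE_DIR/hosts.equiv.ok"

# Report, the way a first-boot hardening pass would.
echo "inetd would start:"
enabled_inetd_services "$SAMPLE_DIR/inetd.conf" | sed 's/^/  /'
echo "of which pointless on a bastion:"
trivial_inetd_services "$SAMPLE_DIR/inetd.conf" | sed 's/^/  /'
if hosts_equiv_is_wildcard "$SAMPLE_DIR/hosts.equiv.bad"; then
    echo "hosts.equiv.bad: wildcard trust entry found, remove it"
fi
```

On the sample above the report lists ftp, telnet, echo and chargen as active (the commented-out rshd line is correctly ignored), flags echo and chargen as pointless, and reports the "+ +" file; the functions are plain POSIX sh plus awk and grep so they run on the BSDs, Solaris and Linux alike. The post's bigger point still stands: once you know what is on, the fix is to comment out or delete the lines (or the whole inetd.conf) rather than to keep auditing it.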


