Chapter 11. Unix and Linux Bastion Hosts

This chapter discusses the details of configuring Unix for use in a firewall environment, building on the principles discussed in Chapter 10. You should be sure to read both chapters before attempting to build a bastion host. As usual, we use the word “Unix” for both Unix and Linux, except when we explicitly say otherwise.

It’s impossible to give complete instructions on how to configure any given machine; the details vary greatly depending on what version of Unix you’re running and exactly what you intend to do with the machine. This chapter is intended to give you an outline of what needs to be done, and how to figure out how to do it. For more complete configuration details, you will need to look at resources that are specific to your platform.

Useful Unix Capabilities

Every operating system has certain special capabilities or features that can be useful in building a bastion host. We can’t describe all these capabilities for all systems, but we’ll tell you about a few special features of Unix because it’s a common bastion host platform:

setuid/setgid

Every Unix user has a numeric user identification (uid ) in addition to his or her login name and belongs to one or more groups of users, also identified by numbers (gids). The Unix kernel uses the uid and the various gids of a particular user to determine what files that user has access to. Normally, Unix programs run with the file access permissions of the user who executes the program. The ...

Get Building Internet Firewalls, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial