Linux Know-How provides a collection of introductory texts on often needed Linux skills.

Compiling the Kernel

Install as little of the Linux system as you can. My installation started with a server configuration and then I turn off ever un-needed service in /etc/inetd.conf. For more security you should uninstall the unneeded service.

Because most distributions don't dome with a kernel useful to your purpose. You will need to compile your own kernel. It is best if you do this on a computer other then the firewall. If you do install a C compiler and utilities on your firewall, remove them after you have completed configuring your kernel.

Start with a clean minimal installation of your Linux distribution. The less software you have loaded the less holes, backdoors and/or bugs there will be to introduce security problems in your server.

Pick a stable kernel. I am using kernel 2.2.13 kernel for my system. So this documentation is based on it's settings.

You well need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO.

Here are the network related setting I know work. I have marked some with a ?. If you will be using this feature, turn it on as well.

I use "make menuconfig" to edit my kernel settings.

    <*> Packet socket
    [ ] Kernel/User netlink socket
    [*] Network firewalls
    [ ] Socket Filtering
    <*> Unix domain sockets
    [*] TCP/IP networking
    [ ] IP: multicasting
    [*] IP: advanced router
    [ ] IP: kernel level autoconfiguration
    [*] IP: firewalling
    [?] IP: always defragment (required for masquerading)
    [?] IP: transparent proxy support
    [?] IP: masquerading
    --- Protocol-specific masquerading support will be built as modules.
    [?] IP: ICMP masquerading
    --- Protocol-specific masquerading support will be built as modules.
    [ ] IP: masquerading special modules support
    [*] IP: optimize as router not host
    < > IP: tunneling
    < > IP: GRE tunnels over IP
    [?] IP: aliasing support
    [*] IP: TCP syncookie support (not enabled per default)
    --- (it is safe to leave these untouched)
    < > IP: Reverse ARP
    [*] IP: Allow large windows (not recommended if <16Mb of memory)
    < > The IPv6 protocol (EXPERIMENTAL)
    < > The IPX protocol
    < > Appletalk DDP
    < > CCITT X.25 Packet Layer (EXPERIMENTAL)
    < > LAPB Data Link Driver (EXPERIMENTAL)
    [ ] Bridging (EXPERIMENTAL)
    [ ] 802.2 LLC (EXPERIMENTAL)
    < > Acorn Econet/AUN protocols (EXPERIMENTAL)
    < > WAN router
    [ ] Fast switching (read help!)
    [ ] Forwarding between high speed interfaces
    [ ] PU is too slow to handle full bandwidth
    QoS and/or fair queueing  --->

After making all the setting you need you should recompile, reinstall the kernel and reboot.

I use the command:

make dep;make clean;make bzlilo;make modules;make modules_install;init 6 to accomplish all of this in one step.

Last Update: 2010-12-16