mdlbear
...is a bit of a push. In this case, it was the recently-reported vulnerability in ssh, that got me to finally start upgrading my firewall from the no-longer-supported and ancient RedHat 6.2 to the fabulously well-supported and stable Debian 3.0 (Woody). I've had the new hardware sitting around ever since I upgraded Emmy's computer; it's a bit old (K6-2/266) but it's about twice as fast, with twice as much memory, as what I'm using now. I've had Debian installed on it for about two weeks.

So, last night I tackled the problem of getting routing and firewalling up. Since I installed the newer 2.4 kernel and iptables, I couldn't use my well-tested ipchains firewall. After playing around with alternatives that were either too simpleminded (gnome-lokkit) or too complex/confusing (fwbuilder), I settled on Shorewall, and installed the new box in parallel to my old firewall.

Next step was to turn off ssh on the old firewall.

It's taken several hours to figure out Debian's peculiar way of multi-homing ethernet cards and, this morning, figure out what Shorewall needed in order for DNS to work properly. (You have to allow UDP DNS packets in both directions.) But it's now at the point where I'll be able to dump the old one sometime tomorrow, after I get the web servers configured on the new one. This will have the additional advantage of making the server pile a bit quieter.
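For the DNS point above, an added example of the Shorewall configuration fragments involved (these are not the author's files; they assume a Shorewall 1.x-era two-zone layout with the Internet on eth0 as zone `net`, the LAN on eth1 as zone `loc`, the firewall itself as the built-in `fw` zone, and a deliberately restrictive policy so that DNS has to be opened by explicit rules):

```text
# /etc/shorewall/zones        (assumed layout, not the author's file)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local LAN

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect

# /etc/shorewall/policy       (default deny; log anything the net zone sends)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    REJECT   info
fw        net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules        (exceptions to the policy, DNS included)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# Lookups originated by the firewall box itself
ACCEPT    fw       net    udp     53
ACCEPT    fw       net    tcp     53
# Lookups originated by LAN hosts that resolve directly
ACCEPT    loc      net    udp     53
ACCEPT    loc      net    tcp     53
```

Shorewall generates stateful iptables rules, so the UDP replies to these queries are admitted by connection tracking and each zone that originates lookups needs its own ACCEPT line; the stateless ipchains firewall it replaces had to carry an explicit input rule for packets with source port 53 instead. TCP 53 is included because responses too large for a UDP datagram fall back to TCP.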

Powered by Dreamwidth Studios