From: nero one (nero_oner_at_yahoo.com)
Date: Fri Feb 07 2003 - 10:42:08 CST

    i dunno .. maybe i'm waaay off .. but .. why not just use the canary patch? :)

    apply, recompile, voila.

    I've noticed that I can do mostly anything with immunix that I can using distros such as redhat.
    Immunix is great because you get that added level of security due to the compiler security
    optimizations (shameless plug). The immunix staff seems like they have tons of work to do and
    sometimes can't support some of the freakier things you might want to do with your box, so you
    might find yourself having to compile stuff yourself, etc.

    i'm using immunix, freeswan, netdev entropy and a few other custom kernel mods with 2.4 and
    compile everything on many servers i've built from source.

    Immunix staff (or anyone), please correct me if i'm misleading William here ..

    anyhow, here's what i'd do:

    # Let's start off with a few variables to begin with.
    # this is where all the directories will sit.

    BASE=/root/install
    TARS=$BASE/tars
    MAKE=$BASE/Makefiles
    CONFS=$BASE/confs
    CRON=$BASE/cron
    PATCH=$BASE/patches
    RPMS=$BASE/rpms
    SCRPT=$BASE/scripts
    SRC=$BASE/source
    SYS=$BASE/sysconfig
    INITD=$BASE/init.d
    XINET=$BASE/xinetd.d
    LOG=$BASE/logrotate.d
    PAM=$BASE/pam.d
    PREFIX=/usr

    # this is the version information for whatever we need to install.

    KERNEL_VER="2.4.18"

    # kernel config
    # are you -sure- you want to do this?

    if [ "$KERNEL" == "Y" ]; then

            # copy over the kernel and untar.

            cp -f $TARS/linux-$KERNEL_VER.tar.gz /usr/src;
            cd /usr/src;
            tar zxvf /usr/src/linux-$KERNEL_VER.tar.gz;
            mv -f /usr/src/linux /usr/src/linux-$KERNEL_VER;
            rm -r /usr/src/linux-$KERNEL_VER.tar.gz;
            cd /usr/src/linux-$KERNEL_VER;

            # Mr. Proper, anyone?

            make mrproper;

            # copy over the canary patch (ESSENTIAL to get immunix working with 2.4)

            cp -f $PATCH/canary-2.4.1.patch /usr/src/linux-$KERNEL_VER;

            # got Firewall?(tm)

            if [ "$IPTABLES" == "Y" ]; then

                    cd $TARS/;
                    tar zxvf $TARS/iptables-1.2.7.tar.gz;
                    cd $TARS/iptables-1.2.7;
                    cp -f $MAKE/Makefile-iptables $TARS/iptables-1.2.7/Makefile;
                    make KERNEL_DIR=/usr/src/linux-$KERNEL_VER;
                    make install KERNEL_DIR=/usr/src/linux-$KERNEL_VER;
                    cp -f $INITD/iptables /etc/init.d
                    chkconfig --add iptables;
                    chkconfig --level 35 iptables on;
                    cp -f $SYS/iptables /etc/sysconfig;
                    rm -rf $TARS/iptables-1.2.7;

                    # copy over a firewall script to wherever. make sure to run this
                    # once you're all done compiling and so on.

                    cp -f $SCRPT/rc.firewall.sh /etc/sysconfig/iptables;

            fi

            # ok, here's the canary patch that immunix needs so that you can get 2.4 going.
            # it'll probably complain about one diff not being able to be applied in Makefile
            # so just do it manually if this is the case.

            cd /usr/src/linux-$KERNEL_VER;
            patch -p1 < canary-2.4.1.patch;

            # install GRSecurity.

            if [ "$GRSEC" == "Y" ]; then

                    cp -f $PATCH/grsecurity-1.9.4-$KERNEL_VER.patch /usr/src/linux-$KERNEL_VER;
                    patch -p1 < grsecurity-1.9.4-$KERNEL_VER.patch;

            fi

            if [ "$WHATEVER" == "Y" ]; then

                    echo "you get the idea ....";

            fi

            # only make oldconfig if you've copied over an existing .config file.

            make oldconfig && make dep && make bzImage;

            cp -f /usr/src/linux-$KERNEL_VER/arch/i386/boot/bzImage /boot/vmlinux-2.4.18-1_imnx;
            cp -f /usr/src/linux-$KERNEL_VER/System.map /boot/System.map-2.4.18-1_imnx;
            rm -f /boot/vmlinuz && rm -f /boot/System.map;
            ln -s /boot/vmlinux-$KERNEL_VER-1_imnx /boot/vmlinuz;
            ln -s /boot/System.map-$KERNEL_VER-1_imnx /boot/System.map;

            # copy over your desired lilo.conf file

            cp -f $CONFS/lilo.conf /etc/lilo.conf;
            /sbin/lilo;
    fi

     --- williamelan.net wrote:
    > I'm wondering how support for 2.4 kernel is coming and if there is a
    > "beta" patch available.
    > This is really becoming an issue for me as my primary use for immunix is
    > in firewall server through which passes over 100Mb of traffic and where
    > security is of most importance. Now I'm starting to redesign firewall
    > system with setup of vlans (instead of using individual ports and subnets
    > and separation of traffic at L2 switch which as some know is no longer
    > super safe considering some tools hackers have used). The problem is that
    > latest vlan support is only available with 2.4 kernels (especially ISL)
    > and while I found earlier patch for 2.18 kernel with 802.1Q VLANs that
    > would mean changing vlan config on cisco from ISL to 802.1Q and ISL
    > works better with all cisco network. Besides that 2.4 offers support for
    > iptables and more secure approach to user-level monitoring programs and
    > better support QoS, so I'd really really like to upgrade to 2.4 and would
    > prefer not to do it with immunix rather than going with another distribution.
    >
    > ----
    > William Leibzon
    > Elan Communications
    > williamelan.net
    >
    > _______________________________________________
    > Immunix-users mailing list
    > Immunix-usersmail.wirex.com
    > http://mail.wirex.com/mailman/listinfo/immunix-users

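The script's comment warns that one hunk of the canary patch may not apply to the Makefile. As an added example that is not part of the original post, the following dry-runs a patch and names the files that would need a manual merge before anything in the tree changes. The sample tree and patch are constructed, and `rejected_files` and `build_sample` are hypothetical helper names; GNU `patch` and `diff` are assumed.

```bash
#!/bin/bash
# Added example, not from the original post: dry-run a patch against a source
# tree and name the files whose hunks would be rejected, leaving the tree untouched.

# usage: rejected_files <tree> <absolute path to patch>
# prints one file per line; returns patch's status (0 clean, 1 rejects, 2 error)
rejected_files() {
    local out rc
    out=$(cd "$1" && patch -p1 --dry-run --forward < "$2" 2>&1)
    rc=$?
    printf '%s\n' "$out" | awk '
        /^checking file /   { f = $0; sub(/^checking file /, "", f) }
        /FAILED/ && f != "" { if (!seen[f]++) print f }'
    return "$rc"
}

# Constructed sample: a two-file patch (old -> new) and a target tree whose
# Makefile has drifted from "old", so that one hunk no longer matches.
build_sample() {
    local d
    d=$(mktemp -d) || return 2
    mkdir "$d/old" "$d/new" "$d/tree"
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 1\nCFLAGS = -O2\n' > "$d/old/Makefile"
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 1\nCFLAGS = -O2 -DCANARY_DEMO\n' > "$d/new/Makefile"
    printf 'int fork_count;\n' > "$d/old/fork.c"
    printf 'int fork_count;\nint canary_demo;\n' > "$d/new/fork.c"
    # diff exits 1 when the trees differ, which is the expected case here
    (cd "$d" && diff -urN old new > sample.patch) || true
    printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 18\nCFLAGS = -O2 -fomit-frame-pointer\n' > "$d/tree/Makefile"
    cp "$d/old/fork.c" "$d/tree/fork.c"
    echo "$d"
}

sample=$(build_sample)
rejects=$(rejected_files "$sample/tree" "$sample/sample.patch")
status=$?
echo "patch exit status: $status"
echo "files needing a manual merge: ${rejects:-none}"
```

A non-zero status here is the point at which to stop and merge the listed files by hand, rather than building and installing a kernel from a half-patched tree.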