OpenBSD is touted as "secure" out of the box. But I believe that when it's installed, it may very well become "unsecure", depending on the installer. However, OpenBSD says they haven't had a remote r00t exploit from the default installation in 3 years and running. They also say they are the only OS that can claim this.

I considered doing an OpenBSD firewall and/or web server. However, I chose to stick with Debian Linux. This was (as I said before) because of the package management. Let's say there was this REALLY BAD vulnerability in BIND, and your server was terribly open because of it. Security advisories you receive say the latest version is out and you should upgrade to it. Or, how about a worse scenario? Let's say there's a really bad vulnerability in a program that you have installed, but don't know there is a security problem with it.

With Debian, there is a Debian auto-upgrade server: security.debian.org. When one runs:

    apt-get update
    apt-get upgrade

the security upgrade server is polled and all packages one has installed are checked against what's available on the server. They are downloaded, upgraded, reconfigured (if need be) and restarted (if daemons), all automagically. This also occurs for programs with new versions (i.e., not security problems, just the next version, such as the next release of Debian as a whole. One command will upgrade the whole operating system!)

That is slick! That means I don't need to be up on all Linux advisories. I can trust the Debian security team, and the many Debian users, to find vulnerabilities as they come across them, report them, and provide fixes for them.

Linux aside, Debian has some smart guys and gals there. If they made a Debian/FreeBSD as Pat says, that will be worth checking out!

Cory

-----Original Message-----
From: Dennis Eberl [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 14, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: [EUG-LUG:424] Re: FreeBSD at Staples

Jacob Meuser wrote:
>
> On Mon, Mar 12, 2001 at 09:08:19AM -0800, Franklin Hays wrote:
> >
> > I would be interested in hearing opinions on this as well. Playing with
> > the idea of using OpenBSD for my firewall and slackware linux for my
> > servers.
> >
> OpenBSD is a great choice for a firewall. You can choose to install a really
> small system (you can leave out the manpages, which an attacker could use to
> learn your system), and a normal install won't activate any user space daemons,
> so hardening an OpenBSD system is pretty much a non-issue. I also find packet
> filter rules in OpenBSD much easier to understand than ipchains, or whatever
> the new way is. Networking in OpenBSD is more advanced than Linux. (bridging
> and IPv6 are standard, not "experimental")

<----- snip ----->

Yes, that (i.e., security) seems to be Van Rhadt's (if I have his name correct) main technical gripe with the FreeBSD and NetBSD releases. OpenBSD is "secure" out of the box. I'm hoping to find the BSDs a little easier to configure as well.

Thanks for pointing out OpenBSD's salability. I hadn't thought of that. Don't laugh, but can you get it (qua firewall) down to a diskette (or two) in size a la the Linux Router Project (LRP) and its permutations?

Dennis Eberl
