At 10:15 29/11/00 +1030, Ben Nagy wrote:
>[snip]
>
>Are you JOKING?

I understand your feeling, but I can't let it pass when someone says
"Do not ever think of using FreeBSD". whatever is the level of Open, Free
is still better than many other systems. I don't wanna cite any particular
OS to avoid bringing the debate to a no end.

If the guy stopped at "audited code", I wouldn't have said anything but his
"manpages, ftp proxy and the like" just got me out of my quiet partition...

I admit that the guys at Open do a nice job about reviewing the code. But
that's not all...

>There have been about two dozen FreeBSD advisories in the
>last month! I can't even remember the last OpenBSD advisory I saw.

so here is a confidence: a look at securityfocus lists:
OpenBSD:
  2000-11-10: adduser vulnerability (shared with RedHat)
  2000-10-05: talkd vuln.
  2000-10-05: arp related DoS
  2000-10-04: fstat vuln
....

yes FreeBSD has more reports, but most concern ports, which are
third party software that no one is forced to install, nor are they
installed by default.

Also those reports concern the whole system, and I'll never install a whole
system as a firewall!
ppp? xfce port? vulnerable or not, I'm not gonna let'em in. If I want Doom,
I'll install it on my workstation.

>I agree
>that FreeBSD is not bad in a general sense, but unless/until it has the
>level of active security review that OpenBSD gets I'm not interested in
>using it for a security host. Just as I'm not interested in using OpenBSD as
>a workstation.

The fact that the guys don't say "we are first after security, then we'll
make an OS" does not mean they neglect security. There are simply too many
things to do in a volunteer world.

> >
> > >Built in ftp proxy.
>
>This was an error - OpenBSD does not have a built in FTP proxy. IPFilter
>kind of has one but it's not a real proxy. Which is a shame.

would that be really good? Apart from being able to filter commands, what
would be the pros compared to just ipfiltering it?


> >
> > ipfilter is enough for most of us.
> > the few who need a proxy can consider the FWTK one.
>
>Or the SuSE one, which I found easier to get working and better for granular
>control. *shrug*

last time I tried to compile it, it failed because it required a library
(I don't remember, but I think it's some regex thing). checking the code
showed that it was unfinished in some sense (ifdefs somewhere but not
everywhere), so I simply abandoned, given that I'm not desperately after an
ftp proxy. also, I've seen a comment about whatta do in case one has both
PASV and PORT and the guys seem lost here, which gave me another reason
to forget about it.

cheers,
mouss
