mouss wrote:
> At 10:15 29/11/00 +1030, Ben Nagy wrote:
>
>> There have been about two dozen FreeBSD advisories in the
>> last month! I can't even remember the last OpenBSD advisory I saw.
>
>
> so here is a confidence: a look at securityfocus lists:
> OpenBSD:
> 2000-11-10: adduser vulnerability (shared with RedHat)
> 2000-10-05: talkd vuln.
> 2000-10-05: arp related DoS
> 2000-10-04: fstat vuln
The adduser vulnerability seems applicable. I can't actually get to my
OpenBSD 2.6 box right now or I'd test it. Of course, since normal users
aren't generally allowed to run such things, it seems fishy. I wonder
what the perms are on add* on obsd.
The talkd vulnerability isn't in the current release. Regardless I
disable such useless services as talk on my systems, so it's not an
issue - And please, show me an exploit. But I digress...
The ARP DoS attack doesn't work on the LAST version of obsd (2.7) let
alone the latest.
The fstat vulnerability is listed as affecting 2.7 and below. It does
however seem like a nasty potential exploit. I'm sure it will be fixed
quite rapidly.
>
> .....
>
> yes FreeBSD has more reports, but most concern ports, which are
> third party software that none is forced to install, nor are they
> installed by default.
2000-11-14: FreeBSD ppp deny_incoming Vulnerability
2000-11-01: FreeBSD getnameinfo() Denial of Service Vulnerability
2000-10-13: FreeBSD fingerd File Disclosure Vulnerability
2000-09-13: FreeBSD eject Buffer Overflow Vulnerability
This one's a potential local root exploit.
But I guess all I've really served to demonstrate is that we're all
capable of being petty :)
> Also those reports concern the whole system, and I'll never install a
> whole system as a firewall!
I'm personally not fond of installing a PC as a firewall regardless :)
>> I agree that FreeBSD is not bad in a general sense, but unless/until it
>> has the level of active security review that OpenBSD gets I'm not
>> interested in using it for a security host. Just as I'm not interested
>> in using OpenBSD as a workstation.
>
> The fact that the guys don't say "we are first after security, then
> we'll make an OS" does not mean they neglect security. There are simply
> too many things to do in a volunteer world.
It's not that they neglect security at all, just that they aren't as
security-anal as the OpenBSD team. Mind you, I've heard that FreeBSD
will be undertaking the same kind of code review as OpenBSD, so who can
say where this will all lead.
>> >
>> > >Built in ftp proxy.
>>
>> This was an error - OpenBSD does not have a built in FTP proxy. IPFilter
>> kind of has one but it's not a real proxy. Which is a shame.
>
> would that be really good? Apart from being able to filter commands, what
> would be the pros compared to just ipfiltering it?
Unless it was a caching proxy, none at all.
>> > ipfilter is enough for most of us.
>> > the few who need a proxy can consider the FWTK one.
>>
>> Or the SuSE one, which I found easier to get working and better for
>> granular control. *shrug*
>
> last time I tried to compile it, it failed because it required a
> library (I don't remember, but I think it's some regex thing). checking
> the code showed that it was unfinished in some sense (ifdefs somewhere
> but not everywhere), so I simply abandoned, given that I'm not
> desperately after an ftp proxy. also, I've seen a comment about whatta
> do in case one has both PASV and PORT and the guys seem lost here, which
> gave me another reason to forget about it.
What else is there as far as proxies on unix? A quick search on
freshmeat (http://freshmeat.net/search/?q=proxy) turned up a handful of
stuff, but it doesn't seem like much of it is security-related. (There's
some anti-ad proxies...)
http://edge.fireplug.net/
"It's a packet filtering firewall with Network Address Translation or
what some refer to as transparent proxy. It's much nicer to use than a
regular proxy server because there is no special configuration needed
for any of the clients running on the LAN. It is also considerably
faster than a regular proxy server."
Or so the forum archive indicates.
This is interesting though:
http://freshmeat.net/projects/etherdivert/?highlight=proxy
("Ethernet Frames Diverter for Transparent WWW proxying bridge")
Anyway, there's pages and pages of stuff to flip through, and I'm not
gonna. :)