At 11:06 29/11/00 -0800, Martin wrote:

>The adduser vulnerability seems applicable. I can't actually get to my 
>OpenBSD 2.6 box right now or I'd test it. Of course, since normal users 
>aren't generally allowed to run such things, it seems fishy. I wonder what 
>the perms are on add* on obsd.
>
>The talkd vulnerability isn't in the current release. Regardless I disable 
>such useless services as talk on my systems, so it's not an issue - And 
>please, show me an exploit. But I digress...
>
>The ARP DoS attack doesn't work on the LAST version of obsd (2.7) let 
>alone the latest.
>
>The fstat vulnerability is listed as affecting 2.7 and below. It does 
>however seem like a nasty potential exploit. I'm sure it will be fixed 
>quite rapidly.

It was never my intent to evaluate OpenBSD. I do think it is one of the most
secure OSes.
However, I don't like to bear people who don't know what security means coming
and pissing in my ears by saying that other OSes are bad and should not be used
(I'm talking about the "don't" that generated this thread).


>>.....
>>yes FreeBSD has more reports, but most concern ports, which are
>>third party software that no one is forced to install, nor are they 
>>installed by default.
>
>2000-11-14: FreeBSD ppp deny_incoming Vulnerability
>2000-11-01: FreeBSD getnameinfo() Denial of Service Vulnerability
>2000-10-13: FreeBSD fingerd File Disclosure Vulnerability
>2000-09-13: FreeBSD eject Buffer Overflow Vulnerability
>This one's a potential local root exploit.
>
>But I guess all I've really served to demonstrate is that we're all 
>capable of being petty :)

let me be petty too:
- ppp: I've never had to consider this on a FW
- getnameinfo: this is an IPv6 function and I don't see many IPv6 
connections out there.
- fingerd: you'd be a fool to enable this anyway
- eject: I just rm this!

anyway, my purpose was to show that there were incidents with OpenBSD, and you
seem to agree...


>>Also those reports concern the whole system, and I'll never install a whole
>>system as a firewall!
>
>I'm personally not fond of installing a PC as a firewall regardless :)

???
are you among those who sold their soul to Sun or some similar company?
I really prefer Intel!
I really have nothing to do with their last-designed box that only runs 
slowaris.



>It's not that they neglect security at all, just that they aren't as 
>security-anal as the OpenBSD team. Mind you, I've heard that FreeBSD will 
>be undertaking the same kind of code review as OpenBSD, so who can say 
>where this will all lead.

dunno. anyway, I'm certainly not gonna spend my time auditing any code. The
best approach is to _rewrite_ the code. there's no point in analysing it.
I simply can't understand that there are guys who audit code instead of
redesigning the whole stuff. NetBSD seems to have a better thinking process...


>Unless it was a caching proxy, none at all.

caching ftp? I'm simply against this... that would be a violation of the 
protocol.


>What else is there as far as proxies on unix? A quick search on freshmeat 
>(http://freshmeat.net/search/?q=proxy) turned up a handful of stuff, but 
>it doesn't seem like much of it is security-related. (There's some anti-ad 
>proxies...)

there are too many insecure proxies that are better off in the trash can than 
anywhere else. if you're really interested, then "freefire" is a good start
(http://sites.inka.de/lina/freefire-l/index.en.html). but ...

if it's really of any interest, I can write a proxy in 2 hours. the problem
is not coding a proxy, transparent or not, but coding a "specific" proxy.
FTP isn't a protocol a generic proxy would handle!


>http://edge.fireplug.net/
>"It's a packet filtering firewall with Network Address Translation or what 
>some refer to as transparent proxy. It's much nicer to use than a regular 
>proxy server because there is no special configuration needed for any of 
>the clients running on the LAN. It is also considerably faster than a 
>regular proxy server."

this is simply too stupid! if it's a filtering fw, then it may not be 
referred to as a proxy, transparent or not. also, it might not be nicer,
because "nicer" is a relative concept... but
let me just forget about such stupid talk...

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
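The remark above that FTP "isn't a protocol a generic proxy would handle" comes down to one thing: the endpoint of the data connection is negotiated inside the control channel (the client's PORT command, or the server's 227 reply to PASV), so a proxy or filter that does not read those lines cannot know which second connection to allow or relay. The following is an added example, not code from the original post nor from the freefire or fireplug projects, showing the parsing an FTP-aware proxy has to do. The control-channel lines are constructed for the example; the bounce check (the announced address must be the control connection's own peer, on an unprivileged port) is a well-known defence against the FTP bounce attack and is included here as the check such a proxy is assumed to enforce.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample control-channel lines (not from the original post).
SAMPLE_LINES = [
    "PORT 192,168,1,10,4,1",                          # client: connect to 192.168.1.10:1025
    "227 Entering Passive Mode (10,0,0,5,195,80).",   # server: data port is 10.0.0.5:50000
    "PORT 10,0,0,99,0,25",                            # client names a third host: bounce attempt
    "RETR secret.txt",                                # carries no endpoint
]

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(m: "re.Match") -> Optional[Tuple[str, int]]:
    """Turn the six comma-separated numbers into (ip, port); reject octets > 255."""
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # p1 is the high byte, p2 the low byte
    return ip, port


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' from the client; None if not a valid PORT."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        return None
    m = _SIX.fullmatch(parts[1].strip())
    return _decode_hostport(m) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Parse the server's '227 ... (h1,h2,h3,h4,p1,p2)' reply; None otherwise."""
    if not line.startswith("227"):
        return None
    m = _SIX.search(line)
    return _decode_hostport(m) if m else None


def extract_data_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Endpoint announced by either side on this control line, if any."""
    return parse_port_command(line) or parse_pasv_reply(line)


def data_endpoints(lines: List[str]) -> List[Tuple[str, int]]:
    """All data-connection endpoints a proxy would have to open or permit."""
    return [ep for ep in (extract_data_endpoint(l) for l in lines) if ep is not None]


def is_safe_port_command(line: str, control_peer_ip: str, min_port: int = 1024) -> bool:
    """Bounce check: a PORT must point back at the control peer, on an unprivileged port.

    Anything else would have the server (or the proxy) open a connection to a
    third host on the client's behalf, which a generic relay would do blindly.
    """
    ep = parse_port_command(line)
    if ep is None:
        return False
    ip, port = ep
    return ip == control_peer_ip and port >= min_port


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of the parser, used when a proxy rewrites PORT/227 to its own address."""
    octets = ip.split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:50} -> {extract_data_endpoint(line)}"
              f"  safe_port={is_safe_port_command(line, '192.168.1.10')}")
```

Running the block over the constructed lines shows the point of the thread: the first PORT and the 227 reply each name a fresh TCP endpoint that nothing outside the control channel knows about, the third line is a PORT that a blind relay would obediently pass on to a third host, and the RETR carries nothing a proxy needs. A real FTP proxy does this parsing on every control line, rewrites the endpoint to its own address with `encode_hostport`, and only then opens or permits the data connection.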
