On 2022-03-22 16:13:47+0100, ??ukasz Moska??a <l...@lukaszmoskala.pl> wrote: > Dnia Mon, Mar 21, 2022 at 08:22:36PM -0700, Eric Thomas napisa??(a): > > Hello, > > > > I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.) > > and generally > > harden my home network using OpenBSD. Can I use OpenBSD services AND have > > it act as a desktop workstation on the same machine? > > Ref: > > https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine > > You CAN do that, but you shouldn't. > You should run as little services on firewall as possible. Let's say that > there's bug in browser, that causes machine to hang up. Now, because your > browser had bug, your whole network is down, untill you do hard reboot.
OpenBSD's reliability seems to make this very unlikely. Still a valid point, but to be balanced for your needs. I guess there could be hardware issues triggered by a browser? > If someone could exploit bug in browser to gain root access (not very likely, > but still), attacker could see traffic from your entire network, not just > your workstation. > Less services running on firewall means smaller attack surface. Best practice > would be to run only network-related services, like DNS, DHCP, VPNs, IDS/IPS > on firewall, and keep everything else away from it. True there is a smaller attack surface on separate machines, but more other costs (machines to deal with, at least). OpenBSD's mitigations (code auditing, pledge/unveil, and the best track record I have ever heard of in a general-purpose posix OS, etc), plus some other things you can do (which I am learning more about now) to limit what browsers can do to other apps in X, & maybe putting a umask of 0077 in the /etc/profile (but with an exception when running pkg_add), make this less likely enough that using a single machine might be worthwhile for you overall. Especially if learning is the goal, and you are not supporting a huge expensive enterprise or some such. Having an extra machine to test upgrades on before doing it in production can be useful. The other points made (which I didn't quote) could be valid for you. Just $.02.
