On Sat, 2004-10-09 at 19:24, Siju George wrote:
> I've read some articles on hardening OpenBSD and also received
> suggestions. They tell me it is not a good idea to install a GUI or
> compiler on an OpenBSD machine that acts as a firewall.

GUI applications (particularly web-based ones, which are the easiest to write) tend to be complex and insecure; this is a good reason to keep them off the firewall itself.

We have a home-grown web-based network management system which includes the ability to do most of the configuration necessary for pf in our environment. This app runs on another system and we use ssh to download pf.conf to the firewalls. This is a reasonable compromise.

--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
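
The arrangement described in the reply above, sketched as an added example; it is not part of the original post and not the University's system. It assumes a hypothetical unprivileged account `pfpush` on the firewall with key-based ssh login and `doas` rules permitting only the commands shown, and it parse-checks the ruleset with `pfctl -n` before loading it.

```shell
#!/bin/sh
# Added example: push a pf.conf generated on a management host to a firewall.
# Assumptions (not from the original post): the "pfpush" account, doas rules
# for pfctl/cp/install, and the staging file name are all hypothetical.

REMOTE_USER="${REMOTE_USER:-pfpush}"
STAGED="pf.conf.staged"   # relative path: lands in the push account's home

push_pf_conf() {
    host="$1"
    conf="$2"

    # Never ship an empty or missing ruleset to a firewall.
    if [ ! -s "$conf" ]; then
        echo "refusing to push empty or missing file: $conf" >&2
        return 2
    fi

    # 1. Copy the candidate ruleset to a staging file, not over /etc/pf.conf.
    scp -q "$conf" "$REMOTE_USER@$host:$STAGED" || return 3

    # 2. Parse-check on the firewall itself: -n parses without loading,
    #    so a syntax error leaves the running ruleset untouched.
    if ! ssh "$REMOTE_USER@$host" "doas pfctl -nf $STAGED"; then
        echo "ruleset rejected by pfctl on $host; nothing loaded" >&2
        ssh "$REMOTE_USER@$host" "rm -f $STAGED"
        return 4
    fi

    # 3. Keep the previous file for rollback, install the new one, load it.
    ssh "$REMOTE_USER@$host" \
        "doas cp -p /etc/pf.conf /etc/pf.conf.prev && \
         doas install -o root -g wheel -m 600 $STAGED /etc/pf.conf && \
         doas pfctl -f /etc/pf.conf && rm -f $STAGED" || return 5
}

# Example invocation (host name is a placeholder):
#   push_pf_conf fw1.example.org ./generated/pf.conf
```

The firewall needs only sshd and pf; the web application, its interpreter and its credentials stay on the management host.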
