Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-16 Thread Switch 1024
> > -- Forwarded message -- > From: Kevin Chadwick > To: misc@openbsd.org > Cc: > Bcc: > Date: Sun, 14 Jun 2020 13:58:39 + > Subject: Thoughts or links on optimally secure defaults for pf.conf and > fstab, whilst aiming to minimise support issues. > We are basing the server

Re: Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-15 Thread Stuart Henderson
On 2020-06-14, Kevin Chadwick wrote: > We are basing the server part of our products on OpenBSD. > > We care more about reducing support issues than say performance. > > We will have batteries but I hope to deploy some kind of root partition > redundancy, for upgrades. You'll need to cope with

Re: Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-14 Thread Kevin Chadwick
On 2020-06-14 13:58, Kevin Chadwick wrote: > set reassemble yes no-df > match scrub (random-id max-mss 1389) > > Should I drop the no-df from set reassemble? Any other recommendations > welcome? To be clear. Previously, with scrub (no-df... the set reassemble line was missing/default.

Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-14 Thread Kevin Chadwick
We are basing the server part of our products on OpenBSD. We care more about reducing support issues than say performance. We will have batteries but I hope to deploy some kind of root partition redundancy, for upgrades. However, Is sync or softdep a better default for the best chance of