On Tue, 2003-01-07 at 15:26, Daniel R. Miessler wrote:

> > Why would you tell someone to run BlackIce, which has bugs in it.
> > If you're going to have a firewall, just grab a box that is not being used
> > and put OpenBSD on there and make your firewall that way.
>
> Because when you pass ports through a packet filter into a machine offering
> services, OpenBSD isn't going to help you. There is little difference
> between doing this and just turning off all services other than the public
> ones and putting it right on the Internet with no protection at all.
I hope you're simply trolling, because that has to be one of the most asinine, ignorant responses I've seen on this list to date. You obviously have little experience with firewalls. Do you understand the concepts of stateful inspection? TCP flags? An open server without firewall protection has no ability to protect itself from spoofed or mangled connections. OpenBSD has a fully functional, state-of-the-art packet inspection and state engine in PF. It not only has the ability to track full state in TCP (full sequence tracking), UDP and ICMP (connection tracking), but it also has the ability to defragment incoming packets for reassembly and proper analysis. Not to mention the current QoS code that's been released for some time now, and the upcoming (6 months or so) stateful syncing abilities between disparate systems. OpenBSD/PF compete aggressively with all of the major commercial offerings out there... FW-1, Netscreen, etc. To claim that OpenBSD is inferior to BlackIce by any stretch of the imagination... is laughable. I'm not here to criticize BlackIce or compare it to OpenBSD. Rather, I just wanted to point out that you have no idea what the hell you're talking about when it comes to OpenBSD firewalls.

-J.
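The reply above names three PF capabilities that a bare server on the Internet does not get: packet normalization/defragmentation (scrub), TCP flag checking on new connections, and stateful tracking of TCP, UDP and ICMP. The pf.conf fragment below is an added illustration of how those are expressed, not a ruleset from anyone in this thread. It uses the modern OpenBSD PF syntax (match/scrub, state kept by default) rather than the 2003-era syntax, and the interface names em0/em1 and the service port list are assumed placeholders.

```pf
# Assumed interface names and published services (placeholders)
ext_if = "em0"
int_if = "em1"
tcp_services = "{ 22, 80, 443 }"

# Do not filter loopback traffic
set skip on lo

# Normalization: reassemble fragments before any rule is evaluated and
# normalize TCP (sequence/window sanity) so the filter and the server see
# the same, whole packet rather than overlapping or tiny fragments.
match in all scrub (no-df reassemble tcp)

# Default deny, logged, so anything not explicitly passed is dropped
block drop log all

# Drop packets whose source address does not route back out the interface
# they arrived on (one class of spoofed source addresses)
block in quick from urpf-failed

# Only a SYN (with ACK clear) may create state for a published service;
# every later packet of that connection is matched against the state
# table, including sequence-number tracking. "modulate state" additionally
# rewrites initial sequence numbers for the server behind the filter.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services \
    flags S/SA modulate state

# Stateful tracking also applies to UDP and ICMP: replies are allowed only
# while a matching state entry created by outbound traffic exists.
pass out on $ext_if inet proto { tcp udp icmp } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table the reply refers to, and `pfctl -si` shows counters for packets dropped as fragments or bad state.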