On Sun, 2004-05-02 at 21:02, Aaron Joyner wrote:
> I realize this is, after all, a Linux User's Group, but when it comes
> right down to it, I must readily admit that OpenBSD has better
> firewalling capabilities with the pf firewall, than either Linux or
> FreeBSD.
>
> The amount of things that are possible with pf, including but not
> limited to:
> - scrubbing packets (changing the packet's random identifiers to be
> _more_ random to help protect hosts behind the firewall with bad random
> number generators)
> - complete on-the-fly reassembly of tcp connections (so no fragments
> pass through the filter that could bypass the rules)
> - simple and *incredibly* powerful class-based queueing
> - the ability to stack class based queues within priority based
> queues, as deep as your requirements require
> - rulesets that allow you to actually filter on interface by name, as
> opposed to changing that interface to an IP when the rule is imported
> (as iptables does with simple rules)
> - the list goes on and on
>
> The ability to boot entirely to a serial console as well as push the
> BIOS out is just icing on the cake (Linux is capable of doing this as
> well, it's only not as well documented because it's a less common
> setup). I have to say, the box that Jason and I set up for transparent
> firewalling is very much an "ideal" firewall in my mind. It's next to
> impossible that it would be the first machine on your network to be
> compromised, and it's the gatekeeper to protecting the rest of the
> machines.
>
> About the only thing we could have added that we didn't have, would be
> some form of Intrusion Detection or Prevention software.
Another nice feature of OpenBSD is that it is incredibly hard to break
into - or to exploit if it is broken into. Most services run in a chroot
with only user privileges.

Still, you can easily add intrusion detection. Snort works fine (you can
install it via ports). My favorite is simply to add a hidden partition
to your setup and back up your configs, binaries, and libraries to this
partition - then run an hourly comparison (from the binaries on the
hidden partition).

> I'm not sure
> how we would handle convenient alerting of intrusions, as it can't
> readily send mail. I wonder how difficult it would be to originate a
> spoofed smtp connection from that machine sourced from a machine inside
> the network destined for a machine outside the network. Another option
> would of course be a simple dial-up modem and only page under extreme
> circumstances. Perhaps another serial connection to a machine running
> a daemon on that port, that would allow you to connect and send mail.
> Okay, that's about the extent of my ideas and ramblings. Just a few
> thoughts. :)

How about a third network card in the box, and if you need to send a
warning, have the system bring that NIC on-line and send out a warning,
then take the NIC off-line again?

Jon Carnes
-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
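An added example, not from the thread or from either poster, showing the two ideas above as one cron-driven script: Jon's hourly comparison of the live firewall against a reference kept on a hidden partition, and his "third NIC" alert path that only exists on the network for as long as it takes to send the warning. Instead of copying whole binaries to the partition it stores a SHA-256 digest list there (a simplification; a full copy additionally lets you restore). The mount point /hidden, the baseline file name, the interface em2, the pager address and the list of watched files are all assumptions for illustration. The digest command is chosen at run time (sha256sum on Linux, sha256 -q on OpenBSD) so the same script runs on both.

```shell
#!/bin/sh
# Added example (not the thread's own code). Paths, interface and address are
# hypothetical. Run from root's crontab, e.g.:  0 * * * * /hidden/check.sh
#
# Threat model: an intruder who gains root on the firewall can replace
# /sbin/pfctl, /etc/pf.conf, libc, etc. The reference digests live on a
# partition that is not mounted (or mounted read-only) except during the
# check, so altering a binary without also finding and rewriting the
# reference produces a mismatch on the next hourly run.

# Portable SHA-256 of one file: sha256sum (Linux), sha256 -q (OpenBSD),
# or openssl as a last resort. Prints the hex digest only.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# build_baseline OUTFILE FILE... : record "digest path" for each trusted
# file. Run once from known-good media, with the hidden partition writable.
build_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# check_baseline BASELINE : print "CHANGED path" / "MISSING path" for every
# file that no longer matches; exit status 1 if anything differed.
check_baseline() {
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# alert_via_spare_nic IFACE ADDR SUBJECT : bring the otherwise-down third
# NIC up, mail the report read from stdin, take the NIC down again.
# (OpenBSD ifconfig/mail syntax; never called by the test below.)
alert_via_spare_nic() {
    iface=$1; addr=$2; subject=$3
    ifconfig "$iface" up || return 1
    mail -s "$subject" "$addr"
    ifconfig "$iface" down
}

# Hourly driver: mount the hidden partition read-only, compare, unmount,
# and only raise the alert interface when something changed.
run_hourly_check() {
    base=${1:-/hidden/baseline.sha256}
    mount -o ro /hidden 2>/dev/null
    report=$(check_baseline "$base"); rc=$?
    umount /hidden 2>/dev/null
    [ "$rc" -eq 0 ] && return 0
    printf '%s\n' "$report" |
        alert_via_spare_nic em2 pager@example.net "firewall: integrity mismatch"
    return 1
}
```

Build the baseline once with something like `build_baseline /hidden/baseline.sha256 /etc/pf.conf /sbin/pfctl /bsd /usr/lib/libc.so.*` before the box goes on the wire. The check only catches changes to files it was told about, and a root-level intruder could in principle patch the checker or the kernel itself, which is why the script and its digests belong on the hidden partition rather than on the live root filesystem.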
