
OpenBSD (was Re: Help: Netgear or Linksys NIC's? Please?)



On Sun, May 21, 2000 at 11:18:53PM -0600, montefin wrote:
> Ethan,
> 
> You bring up an interesting point. One alternative to my Plan is a.)
> yes, upgrade from Red Hat 6.1 to Debian Potato on the Pentium II box,
> but b.) install OpenBSD in place of Debian on the 486DX firewall box.
> 
> Any opinions on that from anyone?

OpenBSD is a very nice, clean system, it's indeed very secure out of
the box, it's also somewhat spartan out of the box...  (that is what
/usr/ports is for) 

so far i have not gotten around to finishing up my NAT setup on my
OpenBSD box (just been doing other things/laziness etc) but here are
some impressions/notes on OpenBSD:

when a bug (security or otherwise) is found in OpenBSD only a source
code patch is released on openbsd.org; you must install the source code
in /usr/src, patch it and rebuild the affected program yourself.  this
is really not that hard, the first line of the .patch tells you what
it applies to.  when i first installed OpenBSD 2.6 i had to rebuild
the kernel, libc, syslogd, and one or two other things, it was all
just a matter of patch -p1 < some.patch && make && make install, quite
painless really.

the kernel is built somewhat differently than linux kernels are:

on linux we configure it with either make config, make menuconfig or
make xconfig.  with OpenBSD we configure our kernel like this:

cd /usr/src/sys/arch/i386/conf/
cp GENERIC HOSTNAME
vi HOSTNAME
cd /usr/src/sys/conf/
cp GENERIC HOSTNAME
vi HOSTNAME
config HOSTNAME
cd /usr/src/sys/arch/i386/compile/HOSTNAME/
make depend
make
mv /bsd /bsd.old
cp bsd /bsd
shutdown -r now

different but again not that painful.

also note that in OpenBSD (and presumably NetBSD) there is no such
thing as an IDE/ATAPI driver, instead there is a scsi driver for IDE
stuff, a bit strange but it does ensure that /dev/cd0a is always your
first CDROM regardless of whether it's IDE or scsi.  (see, you don't
need silly devfs to get device file consistency)

i found that the documentation on getting PPP working was OK but with
just enough mistakes to make a newbie jump off a bridge; if you know
what you're doing and know how to read debug output from the ppp.log you
can see the problem.  

OpenBSD's PPP includes ipnat, making a NAT setup a bit simpler to set up
presumably; the ruleset seems to go into ppp.conf (i have not finished
working this out yet).  documentation on setting up NAT with dynamic
IP's is quite absent (i may just get a static IP rather than fsck with
it, i want one anyway) 

if you look at the docs on ipfilter you will instantly start liking it
over ipchains, the rules are actually readable.  setting up rules
looks quite simple (unless you have a stupid dynamic IP which obfuscates
everything it seems) 

here are a few things i really like about OpenBSD:

1) Blowfish encrypted passwords with configurable number of rounds.
try running one of these babies through john the ripper: even the most
crappy passwords (like `password') take over 30 seconds to be
discovered by john instead of a split second like linux's md5 or old
crypt.

2) STRONG crypto everywhere, in the libc, in the kernel, in the base
system. everywhere, ssh, kerberos, IPSEC, etc all in the default
install mmmmmm. ;-)

3) /usr/ports ;-)  this is just plain cool, it's also usually very
simple to update a port yourself to the current version if it's
outdated.  when you install a port it's listed in the package list and
can be removed with pkg_delete. 

4) simple clean and unbloated default install.  

5) sendmail is easily replaceable with postfix or whatever MTA you
prefer, /usr/sbin/sendmail is a wrapper, you configure what the real
one is in /etc/mailer.conf.  a sort of alternatives system for the
MTA.  

6) don't have to update the boot loader every time you touch your
kernel. 

7) shutting down services is very easy to do (there are not many to
shut down either), the initscripts are BSD style of course but are
really quite elegant and easy to customize.  though if you are
attached to the sysv style /etc/init.d/foo stop you may be annoyed by
the bsd style kill `cat /var/run/foo.pid`.  there is no killall
command (and if there were i think the bsd style killall does just
that, it kills ALL)

a few things i dislike about OpenBSD:

1) the passwd program lacks a built in cluestick, it will happily let
your users set their password to any lame thing they want, including
`password' `abcdef' `123456' and so on.  there seems to be no way to
fix this other than replacing the passwd program altogether, which
is not trivial given OpenBSD's Blowfish passwords and built in
kerberos support. 

2) no /etc/limits support, it seems the only way to set resource
limits is by sprinkling ulimit commands in /etc/profile /etc/csh.cshrc
and so on, not very convenient.

3) typical unix semi broken keyboard/termcap setup, delete key does
not work etc.  (Debian is the FIRST and ONLY *nix i have encountered
that lacks this annoying problem) 

4) the filesystem is SLOW compared to ext2, soft updates help but
there is still absolutely no comparison. 

5) no PAM support, really this only annoys me insofar as i cannot
trivially add things like a cluestick for passwd or selectively deny
password authentication to certain (instead of all) ssh users (making
them use RSA only).  

6) no NAT aware identd, yes lying ident works well for dealing with
lame irc servers but that is not very useful for multiuser networks,
or where ident can be useful to the LOCAL admin in finding a
troublemaker. (oidentd works very nicely under linux but its NAT
support is linux only)

7) the boot loader has no security whatsoever, with LILO we can add
restricted and password= to lilo.conf and prevent someone from doing
evil without tampering with the box (cutting locks, etc).  OpenBSD's
has no means to do this other than configuring it to be totally
non-interactive, thus screwing you if something breaks and you need to
boot single user.  (you can configure init to require the root
password on entry to single user mode but the boot loader will also
allow you to boot any other device (floppy, cd) right from the boot:
prompt regardless of BIOS settings)

anyway this has gotten way too long but gives you an idea of what BSD
is like.  I like OpenBSD; despite some of the annoying limitations i
have run into it's a very nice system, it's secure by default and its strongly
audited code base is great for firewalls where you don't want to worry
about things.  (you still should monitor for advisories and such but
you rarely find security bugs affecting OpenBSD)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
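The BSD-style kill `cat /var/run/foo.pid` mentioned in item 7 above, as an added shell example that is not from the post or from OpenBSD's own rc scripts: it validates the pid file before signalling so a stale or garbage file cannot make you kill the wrong process. The function name, return codes and timeout are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: the BSD-style "kill `cat /var/run/foo.pid`" idiom
# with the checks a careful admin adds before trusting a pid file.
# Constructed example, not from OpenBSD's rc scripts.
#
# Return codes: 0 stopped, 1 no pid file, 2 malformed pid,
#               3 stale pid file (process gone; file removed), 4 kill failed.
stop_by_pidfile() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }

    # A pid file must hold exactly one number; anything else (empty,
    # "12a", a path) is refused rather than handed to kill(1).
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "malformed pid in $pidfile" >&2; return 2 ;;
    esac

    # kill -0 only tests whether the pid exists and we may signal it.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "stale pid file for $pid, removing" >&2
        rm -f "$pidfile"
        return 3
    fi

    kill -TERM "$pid" || return 4

    # Give the daemon a few seconds to exit cleanly, then force it.
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge 3 ]; then
            kill -KILL "$pid" 2>/dev/null
            break
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# Usage: stop_by_pidfile /var/run/foo.pid
```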
