Best firewall gateway version of Linux ?

Damien Elmes resolve at repose.cx
Tue Jan 15 16:09:26 EST 2002


Alex Satrapa <grail at goldweb.com.au> writes:

> On Tuesday, January 15, 2002, at 01:27 , Nathan Le Nevez wrote:
> 
> >> OpenBSD.
> >
> > Since when has OpenBSD been considered a 'linux'? It's a completely
> > different operating system, much like FreeBSD, NetBSD.
> 
> Forgive me for daring to suggest that there was another OS out there which
> could possibly be more secure than Linux. It's just curious to me that lots of
> people seem to have this idea that the only choice is "Windows or Linux?"
> 
> OpenBSD was designed to be as secure as possible.  People who say "which
> version of Linux should I use for my firewall" may as well be saying "which
> version of Windows should I use for my firewall?"
> 
> There are other options.
> 
> Then there's the second mistake the original poster made, about *how* to set
> up a mail server on the firewall box - not *should he* set up a mail server
> on the firewall box. He may as well have been saying, "Which version of IIS
> should I use for my mission-critical web site?"

i think you're being a bit zealous here. security is important, but it's also
important to be pragmatic.

first of all, most home users don't have the ability to run a separate firewall
and mail server. if you have unlimited funds then that's a theoretically more
secure setup, but it's no holy grail and certainly no substitute for a competent
admin.

i do agree with you that running telnet and sendmail on a box that's protecting
a network is silly. but then there are many wildly publicised secure
alternatives to sendmail, and you'd be hard pressed to find any reason not to
use ssh over telnet.

on openbsd:

it's a pretty good operating system. but again, it's no panacea, and i take an
objection to people who think that dropping it into any particular situation
will raise the security bar more than a smidgen. personally i have a qualm
with the code auditing thing; it's not a sane way to sustain secure software. a
better solution (which doesn't exist in a widely available form) is better
limits within the operating system and more fine grained access controls. that
way even if a part of the code is missed that is broken, it probably can't be
made to do what an intruder wants.

or people could just start writing software which isn't vulnerable to buffer
overflows, which account for by far the most common exploit. 'cyclone' is an
experimental C compiler which comes a good length of the way to fixing this.

and while you may take objection to the BSDs not often being mentioned, you
have to realise that

a) this is a linux list. i'm all for alternative-OS discussion here, but you
can't really expect it

b) the BSDs do not have the install base and ease of use that some linux
distros these days do. this can be a considerable advantage to someone new
entering the field.

> To answer your original question - yes, I'm aware that OpenBSD is not a
> Linux, but the original poster was asking a question which indicated he was
> dangerously under-informed. The purpose of a firewall is to enhance the
> security of your home network - with a very distant second place going to
> doing so in a convenient/expedient manner.

and thus openbsd is often touted as 'security by default'. but i know of few
boxes that are installed and then left alone, and by suggesting obsd is more
secure, you're really only lulling them into a false sense of security.

-- 
Damien Elmes
resolve at repose.cx
