Not worth reading - newbies avoid like the plague.
by sedawkgrep · Score: 4, Informative
There are a *LOT* of redundancies and unoptimized rules in his firewall ruleset. For example, you only need to keep state once for a connection, either in or out. Both is pointless. Firewall ruleset design (via ipf or pf) is better documented in the FAQ, although the documentation for pf is terse and generally assumes a working knowledge of ipf. The rulesets could have been collapsed down into less than half of what is listed.
Also he should have either used OpenBSD 2.9, or moved to 3.0 and done this based on pf, which has a more elegant syntax. Although the IPF syntax doesn't change between 2.8 and 2.9, 2.9 represents a newer version of IPF, and why on earth would you not just use it instead?
It's too bad there isn't more BSD news - this really isn't something worth being posted to slashdot. :-(
sedawkgrep
-- Is that a salami in my pants or am I just happy to be me?
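As an added illustration of the "keep state once per connection" point made in the comment above (this is example configuration written for this page, not the reviewed article's ruleset or the commenter's own), here is a minimal pf.conf in the OpenBSD 3.0-era syntax the comment recommends. The interface names and the exposed service are assumptions; the ruleset is a default-deny policy with exactly one stateful rule per direction of traffic, so no second rule is needed to admit reply packets.

```pf
# Added example pf.conf (not from the original post or the article).
# Interface names are assumptions.
ext_if = "fxp0"
int_if = "fxp1"

# Default deny: anything not explicitly passed is dropped and logged.
block in  log all
block out log all

# Outbound traffic from the firewall: one "keep state" rule per protocol.
# The state entry created here also admits the reply packets, so a matching
# "pass in" rule for the replies would be redundant.
pass out on $ext_if proto tcp  from any to any flags S/SA keep state
pass out on $ext_if proto udp  from any to any keep state
pass out on $ext_if proto icmp from any to any keep state

# Inbound exposure of a single service (ssh assumed): state is created on
# the initial SYN only, and the rest of the connection rides that state.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
```

Load and check with `pfctl -nf /etc/pf.conf` (syntax check only) before `pfctl -f /etc/pf.conf`; `pfctl -s state` then shows one entry per connection rather than the duplicate entries a ruleset that keeps state on both the in and out rules would produce.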
Better for securing....
by jsimon12 · Score: 4, Informative
EmBSD, have to say I am a pretty big advocate of "less is more", basically it is the bare minimum of OpenBSD for securing a network (kernel, packet filter, ssh, syslogd and ipsec/named/dhcpd if you need em) and it all fits on under 32 meg and it's all under the BSD license, so it's free. It all comes preconfigured for firewalling (ipf and ipnat turned on and everything else just gone or turned off), so there is less to make mistakes with, less means less vulnerabilities and less to manage. So I would say look at EmBSD after reading this article and compare for yourself.