Slashdot Mirror
Securing Small Networks with OpenBSD
Some random person wrote: "O'Reilly's OnLamp.com has a long article about using OpenBSD to secure small networks connected to the Internet."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
openbsd 2.8 and ipf - HOT and NEW!
idiots...openbsd team are excellent coders, they know nothing about security though...look at this, if a hole is found the whole system is vulnerable....not secure at all....
If you ignore ACs because they are anonymous - you're an idiot.
*BSD is dying
Yet another crippling bombshell hit the beleaguered *BSD community when recently High Times confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest High Times survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent High Times comprehensive networking test.
You don't need to be Wavy Gravy to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Recently, Slashdot [goatse.cx] confirmed that WindRiver bucked FreeBSD out on its ass for a carton of Winstons and a six-pack of Pabst Blue Ribbon. This only serves to confirm the fact that FreeBSD is unwanted, doomed to be passed around like an old copy of redhat 5.2.
Fact:
Slashdot is for sickos.
LInux is for gay homosexuals.
All in the subject.
There are a *LOT* of redundancies and unoptimized rules in his firewall ruleset. For example, you only need to keep state once for a connection, either in or out. Both is pointless. Firewall ruleset design (via ipf or pf) is better documented in the FAQ, although the documentation for pf is terse generally assumes a working knowledge of ipf. The rulesets could have been collapsed down into less than half of what is listed.
:-(
Also he should have either used OpenBSD 2.9, or moved to 3.0 and done this based on pf, which has a more elegant syntax. Although the IPF syntax doesn't change between 2.8 and 2.9, 2.9 represents a newer versin of IPF, and why on earth would you not just use it instead?
It's too bad there isn't more BSD news - this really isn't something worth being posted to slashdot.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
Actually the subject is a bit harsh. It *is* worth reading - just keep in mind that this shouldn't be a reference on good rule construction or design.
Is that a salami in my pants or am I just happy to be me?
EmBSD, have to say I am a pretty big advocate of "less is more", basically it is the bare minimum of OpenBSD for securing a network (kernel, packet filter, ssh, syslogd and ipsec/named/dhcpd if you need em) and it all fits on under 32 meg and its all under the BSD license, so its free. It all comes preconfiged for firewalling (ipf and ipnat turned on and everything else just gone or turned off), so there is less to make mistakes with, less means less vulrablities and less to manage. So I would say look at EmBSD after reading this article and compare for yourself.
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
Recently, Slashdot confirmed that WindRiver bucked FreeBSD out on its ass for a carton of Winstons and a six-pack of Pabst Blue Ribbon. This only serves to confirm the fact that FreeBSD is unwanted, doomed to be passed around like a cross-eyed harelip orphan from one foster parent to another.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survval prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *SD is dead.
Fact: *BSD is dead
News value: zero.
BTW why do some folks seem to think that FreeBSD is any less worthy in this respect? Image?
So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shround over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
It may be that BSD's future is on the desktop while Linux takes the server space. Or alternatively, that the BSD's remain small but important platforms for special purposes and developing new ideas.
So what's dying?
Is "some random person" actually Lisa? If we subscribe to /. do we get to see the actual name of the article submitter?