Slashdot Mirror


User: hearingaid

hearingaid's activity in the archive.

Stories: 0
Comments: 852

Comments · 852

  1. Re:haven't i seen this before? on MacWorld Expo Report, Part II · Score: 2

    Looks like you've caught a troll. Looks like the piecewise account acquired a +1 karma bonus, so now he's switched to a new account: watch that one.

    Sigh. It wouldn't be so easy for /. to get trolled if the moderators weren't so dopey.

  2. Re:Trying to stop a sex news "newsletter" on When Spammers Try To Sue You · Score: 2

    If you're 12 years old and receiving explicit emails, you don't need to file suit. Contact your local police. Complain about the nasty email you've been getting.

    They'll bust the spammers. In this case, criminal is better than civil, I think.

  3. Re:If that's the only differnce, you are very luck on Microsoft Caught Rigging ZD Net Poll · Score: 2

    Many people are paid to read /. - it's just that their PHBs haven't realized this fact yet :)

  4. Re:ZDnet is MS's bitch on Microsoft Caught Rigging ZD Net Poll · Score: 2

    Perhaps the iMac article is their way of apologizing to M$. "Look, we're sorry, we didn't really mean it: of course you can do whatever you want with your holy VBScripts." :)

  5. Re:sharethenet on SmoothWall Firewall Review · Score: 2

    Theoretically, the read-only mounted harddrive could be remounted as read/write. I admit that this would be hard.

    But it's theoretically impossible with a CDROM, as the media just won't cooperate. ;)

    Boot times should not be a great concern with a firewall; you should only be booting it once a year or so anyway.

  6. Re:Excuses on SmoothWall Firewall Review · Score: 5, Insightful
    I also have a strange feeling about other "security" options that they choose. For example: Not using shadowed password files. They say it wouldn't be necessary since the only user available is root anyway.

    Let's go even farther on this theme of bad choices.

    You can logon directly to the root account remotely? You don't have to su first?

    Ouch, but that's a major hole. That's like waving a Big Flag. Kiddies, look at this "firewall." Guess what account you should try?

    Never allow remote logons to uid 0. Always at least force wheels to su.

    There are CGIs available to manage the firewall? Oh, and they use port 81 to access it. How... creative. And it gets better. SSH is on port 222. Have you guys ever heard of port scanners? Custom ports are a way of flagging to intruders which firewall software is being used, except when the custom port pattern is unique.

    I can go on. It has a built-in DHCP server. DHCP servers should never be mounted on external firewalls as their logfiles contain too much valuable information when the firewall's security is compromised.

    Hmm, at least it has an HTTP proxy. Probably Squid. No SOCKS support though. And yes, it uses NAT. Gack.

    Well anyway, maybe this c't review will convince a few people to give up a NAT-based solution. Sadly, they'll probably just go to another one.

  7. Re:sharethenet on SmoothWall Firewall Review · Score: 2, Interesting

    It's also why setting up a bootable CDROM is in many cases the way to go.

    Keep your logfiles on the HD. Nothing else really needs to be there.

    Of course, I don't do this. But I'm only protecting a few home computers. If I had an organization... I'd burn a CDR and boot firewalls from it. Just leave it in the drive. Good luck hacking that.

  8. Re:-CURRENT versus 4.5 on First Official CD Release of FreeBSD · Score: 2

    Check the release notes. They should be on the FreeBSD Foundation main site.

    Releases are snapshots of -STABLE I believe made at the time of the release. If you want to find out whether a particular change made it into a release, you need to know whether the code change migrated from -CURRENT to -STABLE before the release was done. A lot of stuff in -CURRENT is pretty experimental though and takes a while to get over to -STABLE. Your best bet is probably to check the release notes, or of course the hairy method which is to download the sucker, install it, and read /usr/src/ to find out what code is there if you think you'll recognize the changes. :)

  9. Re:Time to desert Linux ? on First Official CD Release of FreeBSD · Score: 2

    You only mention having one firewall. It sounds to me like you've moved past the time where one firewall is sufficient.

    Normally, big organizations use two firewalls. One firewall sits at the main connection to the 'net. Behind this firewall are the organization's public servers; web servers and so on.

    Another machine which sits behind this firewall is also a firewall. This second firewall is much more paranoid; ideally it's just running a SOCKS5 proxy and maybe a few other proxies, no NAT. Anyway, it blocks all incoming server accesses: you can't run a server on any machine behind it that will talk to the public 'net. You put every machine that doesn't need to be a public server behind the second firewall.

    This makes it much easier to relax. Intruders have to compromise two firewalls in order to reach your organization's private documents and databases.

    Normally, the area between the two firewalls where the servers live is called the DMZ. You can find out much more about this method of firewalling in an excellent book with a rather dull title: Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, and Deborah Russell.

    Anyway, back to your original question. Generally if you want to run a pure firewall, with no non-standard services, and don't mind a certain degree of hair, OpenBSD is recommended. It's got a stellar security record, and will dramatically reduce the number of updates you have to make. FreeBSD's advantages usually lie in performance: but with a firewall, performance issues matter a lot less than they do with, say, a database server. FreeBSD is far from insecure though, but OpenBSD is definitely up there in the sky as the God of Freenix Security.

    But lastly, I will tell you something that you'll find out anyway if you read Zwicky: Masquerading provides inferior security to application-based proxies. Get NEC SOCKS5, or at least Dante SOCKS4 running (if you don't use any UDP services, SOCKS4 is fine). Turn off the NAT (or masq or whatever you linuxies call it :)... Your firewall will thank you.

  10. Re:No proprietary unices left on x86 on No Solaris 9 for x86 · Score: 2

    It's under the BSD license. They do charge for it, yes, but it's not a closed license.

    However, I also believe development on it has ceased and its code has been folded into FreeBSD, like many other x86 BSD projects.

  11. Re:Did Microsoft bother... on Microsoft Caught Rigging ZD Net Poll · Score: 2

    Not all Slashdotters work for computer companies. The original poster said "product."

  12. Re:Screw pkg_add on First Official CD Release of FreeBSD · Score: 2
    Real Men download tarballs using FTP and figure out their own damn config options and find needed patches by scouring old Usenet postings, mailing list archives, and Magic 8 Balls.

    Okay, well, I guess I'm half of a Real Man then. :)

    I do download tarballs and figure out my own config options; but the only time I ever use the patch command is when I've been sent a FreeBSD Security Update that tells me to; I think the last time was when I patched telnetd a year or so ago. :)

    However, the only Standard Tools that I have compiled from tarballs on my FreeBSD box are Apache, sendmail, openssl, openssh, and socks5. These are all programs that I know I will never remove from the box (unfortunately I can't run qmail; I do actually need sendmail, sigh). The only ones with very wacky config directives are Apache and sendmail. (The gateway box runs Apache with CGI turned off, along with a lot of other things disabled; mostly it's a front-end for the web servers that sit behind it on my LAN.)

    However, ports are really really good for one major thing: experimenting with new software. I played with about a dozen or so text editors before settling on jed (which I'm still running from the port). Also, they're handy for installing tools that you need to compile certain tarballs. (For example, automake tends to get deleted off my system once I've got Stuff Installed. Another one is GCC-2.95. I don't have nearly enough drive space on the gateway box to compile it but I can bring it in as a port without too much pain when I really need it.)

  13. Re:What Timothy SHOULD have used as title .... on First Official CD Release of FreeBSD · Score: 2

    Groovy. Keep it. I believe it's now illegal as it violates some of the AT&T copyrights. :)

  14. Re:Nope, just use this hosts file on Doubleclick Exits The Ad-Tracking Business · Score: 2

    That problem only happens with tables. NS 1-4 (and Mosaic before it too, at least versions of Mosaic with table support) wants all tabled content to be a known size before any of the table is rendered (which means that if only the HTML designers would consistently put in HEIGHT and WIDTH values for their IMG tags, NS4 people would not be bothered). NS6 and Mozilla do not suffer from this defect. They are capable of moving the images around, like IE5 does. (And possibly IE4. I know IE3 suffers from the old Mosaic defect just the same way though.)

    Incidentally, I'm typing this in NS6.2 on a Mac. You're wrong about NS4.77 on the Mac; it has exactly the same old problem.

  15. Re:Times are a-changin' on New iMac Announced · Score: 2

    It can be done with eBay though. There are plenty of earlier iMacs that turn up on there: you'd want to get relatively recent Macs to play with, for the AirPort support.

    Used computers. That's the way to go for your situation.

    In fact, it's generally the way to go, period. Unless you want a true badass machine; new computers have passed Ludicrous Speed and are heading for Too Fast To Use Sensibly.

  16. Re:14' display!!! on New iMac Announced · Score: 2

    Actually, I really wanna get a projector just so I can play Quake on the wall. It would be so cool. :)

  17. Re:it's a breast implant dammit!@!@#! on New iMac Announced · Score: 2

    Er, gay?

    Well, I suppose some people have extended the term to cover lesbians, so maybe, okay, for them it's gay. :)

  18. Re:Wow. on Time Canada Shows New iMac · Score: 2

    Hmm. And you couldn't somehow authorize the scheduler with the root password? I.e., make it so that the scheduler (a) requires the admin/root password and (b) when it runs, runs as root?

    If not, then this sounds like a feature request, because OS 9's blind updates are actually rather handy.

  19. Re:Wow. on Time Canada Shows New iMac · Score: 2

    I don't use OS X, but Software Update on OS 9 is capable of updating automagically: just tick Update software automatically and untick Ask me before installing new software, set a schedule, and it'll auto-download, install, and reboot if necessary.

    Not really a cool thing for a fileserver, but if you're just running webservers, where a second or two of non-availability doesn't hurt anything really, then it's fine.

  20. Re:Um...it looks like....the cube. on Time Canada Shows New iMac · Score: 2

    Like most /. posters, you're partly true but mostly wrong. Apple doesn't usually buy product placements: AFAIK the only two exceptions were Star Trek IV (remember Scotty trying to talk to the Mac?) and Mission: Impossible.

    However, they don't have to these days, now that Amiga is dead and Macs are ubiquitous throughout the film industry.

  21. Re:Three whole awards on LotR Cleans Up at AFI · Score: 2

    But didn't Cameron at least get a nomination?

    Also, that's the Oscars. The AFI should know better. :)

  22. Re:Three whole awards on LotR Cleans Up at AFI · Score: 3, Informative

    It's three out of twelve possible. The three awards won (which can be found here for those so inclined) were:

    • AFI Movie of the Year
    • AFI Production Designer of the Year
    • AFI Digital Effects Artist of the Year

    Winning a quarter of the available awards has to be considered "cleaning up" by any standard.

    I'm a little miffed that neither Ian McKellen nor Viggo Mortensen got nominated, though; apparently the Best Movie owes nothing to its actors or its director, but rather its production design and digital f/x (which were admittedly both very good).

  23. Re:The future looks iffy on LotR Cleans Up at AFI · Score: 2

    Oh please. The budget's a little over $100 mil for the first movie. All three movies are coming in with less of a budget - total - than Titanic.

    It's expensive, but it's not that expensive.

  24. Re:Piracy and software popularity on Educating Youngsters About Piracy · Score: 2
    If people weren't too cheap to buy a $50 copy of DOS, they would have gone out and legally purchased a $300 copy of OS/2? I think not. It's not like there was a 'free' Linux distribution as an alternative in those days.

    DR DOS, PC DOS, CP/M-86, Desqview. There used to be plenty of alternatives.

    I actually have one machine that runs on PC DOS 7.

  25. 3D accelerator cards in the office on IBM To Leave The Desktop? · Score: 2
    Half of them, for some reason unknown, were also ordered with 32 Meg GeForces added on (despite the built-in video cards).

    A former (thankfully) boss of mine believed that all her web designers needed the latest in video card technology in order to do, um, web design.

    I have seen $500+ video cards used to do nothing but 800x600 and 24-bit colour. It's very wacky.