I didn't mean to get anyone so worked up. I really like Linux and use it on several machines. Different OSes are designed for different things by default. OpenBSD is designed for security. Linux tries to be designed for everything else and does a pretty amazing job. Sure, someone with enough knowledge can completely reconfigure everything about Linux and remove all of the insecure services and tighten up the security, but I know I can't audit the code for improperly written things that will allow an exploit, and there aren't too many of those people around. This is not done (of course it gets done over time) with Linux. That is the primary job of the OpenBSD team. There are other differences in the OSes; BSD is better at this and Linux is better at that.

With the next release of OpenBSD they will start using new firewalling code that has been written to use the exact syntax as IPF. This is because the developer of IPF has started playing with the wording of his license and saying that no one else can modify his code. The OpenBSD team has been modifying his code for years. I won't recommend upgrading to OpenBSD 3 (the next release) or OpenBSD without IPF for a while. You will still be able to manually add IPF to OpenBSD 3 instead of using PF (the new OpenBSD firewall).

Has anyone on the list actually written out their own Netfilter rule set? I have, and I have to say that it made me hate Netfilter, especially after working with IPfilter, which is almost trivial to get working correctly. So I am a little biased in that area. But yes, Netfilter does offer some advanced features and more finely tuned control than IPfilter, but it is that control that makes the config a nightmare.

Can a Linux system be used to do a very good router+firewall+NIDS? Of course; it will just take a lot more knowledge and work to get working correctly and securely than OpenBSD. If someone has the knowledge to properly secure Linux and configure it to do all this, they are probably not going to ask the list for advice on how. Linux is great, but it is not the answer for everything.

Dusty

>
> The default security settings of OpenBSD are much better for security, and the audited code is tighter, but I must respectfully disagree that Linux security is bad. If you know what you are doing, disable all services and properly configure iptables, Linux can be just as secure as OpenBSD in doing that job.
>
> But yes, Linux distributions, particularly Red Hat, have made extremely bonehead decisions in the past in leaving certain services active in the default install. Fortunately they have learned their lesson, and the latest distributions of Linux are more secure by default, but things could still be improved. I don't know why they insist on keeping portmap and sendmail installed and active in the default install.
>
> Netfilter has much greater flexibility and power in firewalling rules than IPFilter, but that power of flexibility is not usable by many people because the configuration syntax is so damn hard. In order to use the more advanced features of Netfilter, most people use scripts made by other people, and they do not understand much of what the syntax in the script actually means. ipf syntax is much more intuitive in nature and as a result it is much easier for users to understand the implications of rules that they customize. Netfilter script users are often limited to the options given in the script, with additional advanced features needing a much deeper level of understanding.
>
> It is also true that OpenBSD requires fewer system resources than Linux, but I think that's only true mainly because most Linux distros include EVERYTHING that a server can possibly do. If you were to strip down Red Hat to the bare essentials, custom minimalist kernel and libraries, I'm sure that it can be comparatively as lean as the BSDs in doing specific jobs like this. There has to be a reason that embedded developers are now choosing Linux rather than BSD as an embedded operating system, even though BSD licenses would give them more benefit in intellectual property and market competitive edge because they do not have to contribute their changes back to the community (example: Microsoft's TCP/IP stack from BSD).
>
> That being said, there are strong arguments to use either Linux or OpenBSD. It will be much harder to create the rules necessary for multiple network interfaces with Netfilter than ipf. Ready-made scripts for your desired configuration would not be readily available, so you would probably have to make it yourself. Perhaps if you were making an enterprise grade firewall Linux may better suit the job with the extra features and flexibility (QoS, flexible rate limiting, custom classes, more advanced NAT, custom conntrack modules, etc.), but this is your home firewall and you don't need these advanced features. ipf is simply quicker and easier to secure properly. Of course, if you want to go through this process to learn, this is a great learning opportunity.
>
> On the downside, OpenBSD is currently in an awkward situation with ipf. The community didn't realize it until recently, but IPFilter is _not_ free & open source software. It is completely controlled by the author, and it is not permitted to distribute modified binaries of ipf. As a result, the makers of OpenBSD have dropped IPFilter and begun to write a replacement. This may or may not be a problem in the future, depending on how quickly OpenBSD can code a mature replacement. I believe they are attempting to make it as compatible as possible with the existing IPF configuration syntax, but it will be over a year or two before it becomes as mature and proven as IPF. This may make an upgrade path for OpenBSD uncertain.
>
> Fortunately the OpenBSD folks have done an awesome job in quickly implementing OpenSSH, and many folks feel that they will do a great job with their new firewalling code. It is just a question of how long it will take to reimplement and make it mature. I think within a few years FreeBSD and NetBSD may also drop IPF in favor of OpenBSD's implementation so that they will not be hindered by the non-free nature of IPF.
>
> Basically...
> Linux is harder to secure, but more flexible. OpenBSD is much easier to secure, but less flexible. The question here is if you actually need the more advanced and flexible options (you don't), and how much time you want to spend configuring this (your choice).
>
> Best tool for the job.
>
> ----- Original Message -----
> From: "Dusty"
> To: "Linux & Unix Advocates & Users"
> Sent: Saturday, August 25, 2001 11:07 PM
> Subject: [luau] Re: Router + firewall + NIDS questions
>
>
> > For this system I can only recommend OpenBSD. Linux is great, but security is NOT the first consideration with Linux. With OpenBSD it is. IPfilter, which currently comes with OpenBSD (ver 2.9) is awesome (one of the best firewalls around, free or commercial) and much easier to configure than IPtables/Netfilter in Linux. Snort is a great choice for IDS. A 486 or (preferably) old Pentium running OpenBSD with 32mb ram and a 500MB hard drive is all you would need. I use an 85mhz Sun Sparc5 with 32mb ram to do this same thing, plus mail, web, and dns. It sits 98% idle!
> >
> > Having multiple NICs would be fine, a little more difficult on the config, but nothing too much. Basically your system will just have to route traffic to each interface and you will need to use bigger netmasks (i.e. 255.255.255.248 instead of 255.255.255.0). But your firewall can control the traffic much tighter. If you don't already have the extra NICs, I would spend the money on a cheap HUB or switch.
> >
> > For more info on OpenBSD go to http://www.openbsd.org and for info on configuring http://www.nomoa.com/bsd. The network install for OpenBSD is pretty easy and I recommend it.
>
>
>
> ---
> You are currently subscribed to luau as: dusty@sandust.com
> To unsubscribe send a blank email to $subst('Email.Unsub')
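The multi-NIC, default-deny, stateful home router the thread argues about, written out side by side in IPFilter and Netfilter syntax so the syntax difference the posters describe is visible. This is an added example, not code from any poster or project; the interface names (fxp0/eth0 and so on), the two /29 segments out of 192.168.1.0/24, and port 22 as the only inbound service are constructed assumptions.

```python
import ipaddress
# Constructed sample: a WAN NIC plus two internal segments, each a /29
# (255.255.255.248) out of 192.168.1.0/24; names and port 22 are assumed.
IFACES = {  # name: (OpenBSD ifname, Linux ifname, subnet or None for WAN)
    "wan": ("fxp0", "eth0", None),
    "lan": ("fxp1", "eth1", "192.168.1.0/29"),
    "dmz": ("fxp2", "eth2", "192.168.1.8/29"),
}
INBOUND_TCP = [22]

def check_subnets(ifaces):
    """Return the internal subnets, raising if any two overlap."""
    nets = [ipaddress.ip_network(n) for _, _, n in ifaces.values() if n]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return nets

def ipf_rules(ifaces, ports):
    """Default-deny stateful policy in IPFilter syntax. ipf does not separate
    traffic to the router from routed traffic: one rule per segment does both."""
    wan = ifaces["wan"][0]
    rules = ["block in log all", "block out log all"]
    for bsd, _, net in ifaces.values():
        if net:
            rules.append(f"pass in quick on {bsd} from {net} to any keep state")
    for p in ports:
        rules.append(f"pass in quick on {wan} proto tcp from any to any "
                     f"port = {p} flags S keep state")
    rules.append(f"pass out quick on {wan} from any to any keep state")
    return rules

def iptables_rules(ifaces, ports):
    """Same policy for Netfilter: INPUT, FORWARD and OUTPUT are separate
    chains, so the segment and state rules each have to be repeated."""
    wan = ifaces["wan"][1]
    chains = ("INPUT", "FORWARD", "OUTPUT")
    rules = [f"iptables -P {c} DROP" for c in chains]
    rules += [f"iptables -A {c} -m state --state ESTABLISHED,RELATED -j ACCEPT"
              for c in chains]
    for _, lnx, net in ifaces.values():
        if net:
            rules.append(f"iptables -A INPUT -i {lnx} -s {net} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -i {lnx} -s {net} -j ACCEPT")
    for p in ports:
        rules.append(f"iptables -A INPUT -i {wan} -p tcp --dport {p} "
                     f"-m state --state NEW -j ACCEPT")
    rules.append(f"iptables -A OUTPUT -o {wan} -j ACCEPT")
    return rules
```

Printing the two lists for the same three-interface box gives six ipf lines against twelve iptables lines, and the iptables set still has to be wrapped in a script that flushes chains and enables forwarding.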