Date:      Tue, 11 Dec 2001 18:15:26 -0800 (PST)
From:      "f.johan.beisser" <jan@caustic.org>
To:        Mike Meyer <mwm-dated-1008472485.f63e8b@mired.org>
Cc:        <questions@freebsd.org>
Subject:   RE: openbsd
Message-ID:  <20011211175559.K16958-100000@localhost>
In-Reply-To: <15381.31268.834854.418233@guru.mired.org>

On Mon, 10 Dec 2001, Mike Meyer wrote:

> f.johan.beisser <jan@caustic.org> types:
> > On Mon, 10 Dec 2001, Bill Schoolcraft wrote:
> > > Now, correct me here when needed.  Back when I started using (not
> > > hacking) FreeBSD the version was 3.4 and it was a "slam_dunk" that
> > > OpenBSD was the secure way to go.
> > i still regard that as being true, even in our FreeBSD 4.4 times.
>
> Even if you use the Extreme Security settings in sysinstall?

i've found the Extreme Security to be more annoying than helpful. while i
do like the idea, it's also good for rendering the machine useless to a
beginner user, since it shuts out kernel modules, renders the root
filesystem read only on mounting (not a bad idea, really, just
inconvenient on the initial install.. and really nasty when it comes to
/tmp and X).. on the other hand, it does still allow ssh, while disabling
the inetd.

i have just found that it's generally in my best interests to just do
these things myself, since the various security settings (that i've seen,
i can be wrong.. i don't use them at all) don't seem to strike a decent
balance. i don't want services running, except for sshd. i don't generally
use the kernel security settings on my workstation.. no need for them,
usually.

> > well, the idea is that openbsd is secured out of the box. you don't have
> > to do these adjustments to it, since they should already be done.
>
> Most of the adjustments can now be done via the install process.

yes, but again, the idea is that you don't have to do them. they're
already done.

while i can argue the relative merits of both OSs (i use both, for
different things, some things are just easier to do in openbsd than in
freebsd), i don't think this is the forum for that.

> > when i'm locking down my FreeBSD machine, the first thing i do is shut off
> > inetd. since i don't use it, there's no reason i need it. the next 3
> > things are only somewhat necessary, but i do them anyway: recompile the
> > kernel to use firewalling, up the maxusers and then, finally, install
> > extra packages.
>
> inetd can be disabled via the install process, and you don't have to
> recompile the kernel to use firewalling anymore.

i prefer to have the firewall in the kernel. it's a goofy preference, that
i know isn't necessary to run it, but i do this anyway. i don't always
allow kernel modules on every machine, in some cases, it's preferable to
not have those modules available, even if the machine is set up to prevent
the use of them.

> > i still think freebsd has a little ways to go to be "up to par" with
> > openbsd's default "secure" install.
>
> I haven't looked at OpenBSD in a long while, but it wouldn't surprise
> me if the FreeBSD sysinstall Extreme Security setting was more secure
> than OpenBSD's default install.

this could be. again, i don't use the security settings because they're
not quite "fine grained" enough for my purposes. yes, i don't bother with
portmapper. i merely don't need any of the inetd services (i do just about
everything through ssh, myself), nor do i use distributed filesystems in
an unprotected environment. i don't think that any other service should be
run if it can be avoided.

on the same note, OpenBSD's default install (0 customisation) has just
about the right balance. minor hacks to the rc.conf, and the machine is
ready to go.

from initial install, to rolling out a finished machine: 30/40 minutes.
FreeBSD is my choice for most things, it's what i recommend to people who
want to try out UNIX. it's what i use for my workstation and most servers
at my job. effectively, what doesn't have FreeBSD on it, has BSD/OS (aka
BSDi), and only recently did we introduce OpenBSD.


-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche
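An added example, not part of the original message and not FreeBSD's own scripts: a POSIX shell script that applies the rc.conf side of the lockdown described above (inetd and the portmapper off, sshd left on, kernel securelevel raised so that kernel modules cannot be loaded) to an rc.conf file, idempotently. The variable names are FreeBSD 4.x rc.conf knobs; the sample rc.conf content, the file-path argument and the helper names are assumptions for illustration. The read-only root mount the thread also mentions lives in fstab, not rc.conf, so it is not touched here.

```shell
#!/bin/sh
# Added example, not from the original message: apply the rc.conf side of the
# lockdown described in the thread (inetd and portmapper off, sshd on, kernel
# securelevel raised so kernel modules cannot be loaded) to a given rc.conf.
# Assumptions: the variable names are FreeBSD 4.x rc.conf knobs; the file path
# is passed as $1 so the script can be exercised on a scratch copy first.

# set_rc_var FILE NAME VALUE: rewrite an existing NAME=... line or append one,
# so running the script twice leaves exactly one assignment per variable.
set_rc_var() {
    file=$1
    name=$2
    value=$3
    if grep -q "^${name}=" "$file"; then
        # portable in-place edit: write to a temp file, then move it over
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "${file}.tmp" \
            && mv "${file}.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_rc_var FILE NAME: print the (last) value assigned to NAME, unquoted.
get_rc_var() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# harden_rc_conf FILE: the settings the author says he applies by hand.
harden_rc_conf() {
    set_rc_var "$1" inetd_enable NO      # no inetd-spawned services
    set_rc_var "$1" portmap_enable NO    # no RPC portmapper (no NFS/NIS here)
    set_rc_var "$1" sshd_enable YES      # ssh is the only way in
    # securelevel >= 1 also refuses kldload, which is what the author wants on
    # machines where modules should not be available at all; raise it only
    # after the box is built, since it gets in the way of X and similar.
    set_rc_var "$1" kern_securelevel_enable YES
    set_rc_var "$1" kern_securelevel 2
}

# make_sample_rc_conf FILE: a constructed rc.conf, not from any real machine,
# standing in for a fresh install's file.
make_sample_rc_conf() {
    cat > "$1" <<'EOF'
# constructed sample rc.conf
hostname="box.example.org"
inetd_enable="YES"
sshd_enable="NO"
portmap_enable="YES"
EOF
}

# Usage: sh harden_rc.sh /etc/rc.conf
# With no argument, show the effect on a scratch copy instead of a real file.
if [ $# -eq 1 ]; then
    harden_rc_conf "$1"
else
    scratch=$(mktemp)
    make_sample_rc_conf "$scratch"
    harden_rc_conf "$scratch"
    echo "--- hardened scratch copy ---"
    cat "$scratch"
    rm -f "$scratch"
fi
```

Run it against a scratch copy first (no argument) and diff the result against your real /etc/rc.conf before pointing it at the live file; because `set_rc_var` rewrites an existing assignment instead of appending a second one, a later manual edit of any of these knobs is not silently overridden by a duplicate line further down.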

