From owner-freebsd-advocacy@FreeBSD.ORG Wed Dec 3 16:24:23 2003
Message-ID: <3FCE7EB5.8060409@adept.org>
Date: Wed, 03 Dec 2003 16:24:21 -0800
From: Mike Hoskins
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031110
References: <002b01c3b99e$a1dc3340$6c01a8c0@MITERDOMAIN> <3FCDE98B.8020701@401.cx> <3FCDED20.8050508@centtech.com>
In-Reply-To: <3FCDED20.8050508@centtech.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
cc: advocacy@freebsd.org
Subject: Re: uptime 4.0
List-Id: FreeBSD Evangelism

Eric Anderson wrote:
> Just curious, but, has anyone ever heard of a firewall?

I typically defense in depth. security is multi-layered like an onion, or so people have been touting for the last decade, so you keep systems up to date and pay attention to host security as part of defense in depth... even when you have a firewall.

bridges pass packets. if you assume a device passing packets (even when the device is "inaccessible" as defined in this thread) never needs patching... you are probably relatively safe, but you are not really "correct". bugs may occur and patches may be necessary that affect the bridging code itself, no? of course. again, the best way to make this issue moot is to get a working patch mechanism that doesn't require a reboot. talk about a HA pipe dream!

> I just think that "large uptime = bad admin" is a pretty shallow and
> close-minded way to stereotype people based on how long a machine has
> been powered on without a reboot. Nobody said "1200 days without a
> security patch! woohoo!"..

stereotypes never work. if you have good technical reasoning for what you're doing, great. i think some people are just a little more "anal" about security -- probably the same people getting paid to do security stuff where they work. ;)

peace.