From: "Mike Meyer"
Date: Mon, 10 Dec 2001 21:14:44 -0600
To: "f.johan.beisser"
Cc: questions@freebsd.org
Subject: RE: openbsd

f.johan.beisser types:
> On Mon, 10 Dec 2001, Bill Schoolcraft wrote:
> > Now, correct me here when needed. Back when I started using (not
> > hacking) FreeBSD the version was 3.4 and it was a "slam_dunk" that
> > OpenBSD was the secure way to go.
>
> i still regard that as being true, even in our FreeBSD 4.4 times.

Even if you use the Extreme Security settings in sysinstall?

> > I bring this question up at the *BSD meetings I go to here in the
> > San Francisco Bay Area and seeing we are up to 4.4 (I've stayed at
> > 4.2) the consensus I've been listening to is that some minor
> > adjustments would secure your FreeBSD box as well as your OpenBSD
> > box. Could you comment on this ?
>
> well, the idea is that openbsd is secured out of the box. you don't have
> to do these adjustments to it, since they should already be done.

Most of the adjustments can now be done via the install process.

> when i'm locking down my FreeBSD machine, the first thing i do is shut off
> inetd. since i don't use it, there's no reason i need it. the next 3
> things are only somewhat necessary, but i do them anyway: recompile the
> kernel to use firewalling, up the maxusers and then, finally, install
> extra packages.

inetd can be disabled via the install process, and you don't have to
recompile the kernel to use firewalling anymore.

> i still think freebsd has a little ways to go to be "up to par" with
> openbsd's default "secure" install.

I haven't looked at OpenBSD in a long while, but it wouldn't surprise
me if the FreeBSD sysinstall Extreme Security setting was more secure
than OpenBSD's default install.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.