
Re: Security: FreeBSD vs OpenBSD



On Mon, Feb 04, 2002 at 02:59:05PM -0330, Martin Marconcini wrote:
> You are suggesting that we should create Mini-Firewalls on every box?
> (that is, by configuring pf/ipf or whatever?)

  This is not a bad thing. The traditional "one-local-network/one
firewall/internet" scheme has limits:

- You have a single point of failure. If the firewall crashes or gets rooted,
your network is dead.
- Your firewall must support all traffic. It doesn't scale. Keeping a lot of
states for a lot of machines in a single machine simply doesn't work.
- You can't protect machines from internal attacks.
- You can't do per system user accounting.
- You add a hop.

  Things like filtering reserved classes and internal addresses on the ext
interface to limit spoofing can be done on the router. Once the rules are
set on the router, you usually never change them again. No need for an
additional firewall to do that.

  Having PF rules on every box is far more flexible. You can explicitly
allow traffic only between two machines of the internal network. It of
course scales infinitely well. Per-user accounting is possible. If a
firewall crashes, only one server crashes. You never run out of states. You
don't need to modulate states or scrub the traffic. You can easily restrict
outgoing traffic to only match what local services are supposed to ever
connect to (backdoors can't be accessed except from 127.0.0.1), etc.
  
-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/         http://www.PureFTPd.Org/  Secure FTP Server             \' /
  \/          http://www.Jedi.Claranet.Fr/  Misc. free software         \/
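The per-host ruleset the post argues for, as an added example that is not part of the original message and not the poster's own configuration. It is written in current OpenBSD pf.conf syntax (the `set skip`, `user` and `label` keywords are newer than this 2002 post); the interface name, addresses, ports and user names are assumptions chosen for illustration of an internal web server that talks to one database host.

```pf
# Added example (not from the original post): a per-host pf.conf for an
# internal web server.  Interface, addresses, ports and uids are assumed.
ext_if = "em0"
lan    = "10.0.0.0/24"
admin  = "10.0.0.5"       # the only host allowed to ssh in
db     = "10.0.0.10"      # the database this server is supposed to talk to
dns    = "10.0.0.53"

# Loopback is never filtered: a daemon bound to 127.0.0.1 stays reachable
# locally, but no rule below ever passes wire traffic to it.
set skip on lo0

# Default deny in both directions, logged so surprises show up in pflog.
# pf is last-match, so every pass rule below is an explicit exception.
block drop log all

# Inbound: only the LAN may reach the web service, and only the admin
# host may ssh in.  Replies ride on the state these rules create.
pass in on $ext_if proto tcp from $lan   to ($ext_if) port 80
pass in on $ext_if proto tcp from $admin to ($ext_if) port 22

# Outbound: limited to what local services are supposed to connect to.
# 'user' matches the uid owning the local socket, so a compromised www
# process cannot open connections the web server never makes; 'label'
# gives per-rule (here per-user) byte/packet counters in 'pfctl -sl'.
pass out on $ext_if proto { tcp udp } from ($ext_if) to $dns port 53 \
    label "dns"
pass out on $ext_if proto tcp from ($ext_if) to $db port 3306 \
    user www label "www-to-db"
pass out on $ext_if proto tcp from ($ext_if) to $lan port 22 \
    user root label "root-ssh"

# A backdoor listening on some other port matches no pass rule: it is
# unreachable from the network and only answers on 127.0.0.1.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sl` then shows the per-label counters, and `pfctl -ss` the state table, which on this design holds only this one host's connections rather than the whole network's.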