[Gllug] My firewall is rooted

Stephen Harker steve at pauken.co.uk
Mon Jul 15 16:49:00 UTC 2002


On Monday 15 July 2002 15:52, tet at accucard.com wrote:
> >Is OpenBSD any better/worse than Linux/Smoothwall etc? I guess
> >if you've switched off all the services, it's just down to your
> >filtering rules and the kernel.
>
> In my opinion, yes, it's still better. One remote hole in 6 years is
> still an enviable record. Filtering rules didn't help in this case
> because virtually everyone allows ssh through anyway. sshd is one of
> the most critical parts of the system in that it has to run as root[1],
> and it's commonly open to the world. The only thing that could protect
> against it was a more thorough audit of the code in advance.

It's just that to patch and update an OpenBSD machine means patching the 
system source and recompiling the whole shebang with 'make build' or whatever, 
which on an old Pentium P75 firewall with 16MB RAM can take DAYS! Or is there 
another quicker way of patching the appropriate binary? I must have another 
read of the FAQ.

Whereas a nice 'apt-get update && apt-get dist-upgrade' can do the trick in 
minutes.

I must say however, that I much prefer the ipf/pf style of filtering rules and 
a separate nat.conf file to ipchains/iptables, which does seem unnecessarily 
obtuse. Or else I just had a headache that day.

> Note that most Linux distributions were vulnerable to this as well,
> although interestingly, many weren't susceptible in the default install.

An older firewall (OpenBSD 2.8) at another branch is running such an old 
version of SSH that it appears to still be safe ... Which doesn't mean I'm 
not going to update it very soon!!!

> [1] One of the improvements in the bug-fixed ssh is privilege separation,
>     which runs the majority of sshd as a normal user, and only the critical
>     parts of the code as root. The advantage, obviously, is that it's
>     easier to verify that the small part running as root is correct and
>     bug free than it is to verify the entire application...

I have that enabled now on the other boxen :-)

Steve


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
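The privilege-separation design described in footnote [1] of the quoted reply, as an added example that is not code from the thread or from OpenSSH: a privileged parent forks a child, the child drops to an unprivileged uid before touching untrusted input, and only a small result crosses a pipe back. It assumes uid 65534 ("nobody") for the unprivileged user; when not run as root the drop is skipped so the flow can still be exercised.

```c
/* Added example, not code from the thread: the privilege-separation pattern
 * the footnote describes, in miniature. The privileged parent forks; the child
 * drops to an unprivileged uid and does the risky work (parsing an untrusted
 * message); only a small result crosses a pipe back to the parent. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define UNPRIV_UID 65534   /* assumption: "nobody" on most systems */

/* Untrusted-input parser: the part we would rather not run as root.
 * Accepts "USER <name>", returns strlen(name), or -1 if malformed. */
int parse_request(const char *msg) {
    if (strncmp(msg, "USER ", 5) != 0) return -1;
    size_t len = strlen(msg + 5);
    if (len == 0 || len > 32) return -1;
    return (int)len;
}

/* Drop privileges irreversibly; 0 on success. Not root (e.g. a test): nothing to drop. */
int drop_privs(uid_t uid) {
    if (geteuid() != 0) return 0;
    if (setgid((gid_t)uid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* regaining root must fail */
    return 0;
}

/* Privileged side: fork, let the unprivileged child parse, collect the verdict.
 * Returns the child's parse result, or -2 if separation itself failed. */
int privsep_parse(const char *msg) {
    int fd[2];
    if (pipe(fd) != 0) return -2;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {                  /* child: unprivileged worker */
        close(fd[0]);
        int r = (drop_privs(UNPRIV_UID) == 0) ? parse_request(msg) : -2;
        if (write(fd[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
        _exit(0);
    }
    close(fd[1]);                    /* parent keeps only the read end */
    int result = -2;
    if (read(fd[0], &result, sizeof result) != (ssize_t)sizeof result) result = -2;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return result;
}
```

The parent never sees the raw message path through a root process; a bug in parse_request() is confined to a process that already gave up root.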