[Gllug] My firewall is rooted

tet at accucard.com
Mon Jul 15 20:04:54 UTC 2002

>It's just that to patch and update an OpenBSD machine means patching the 
>system source and recompiling the whole shebang with 'make build' or whatever 
>which on an old Pentium P75 firewall with 16MB RAM can take DAYS! or is there 
>another quicker way of patching the appropriate binary? I must have another 
>read of the FAQ.

Indeed, and that's my only complaint about OpenBSD. There's no precompiled
updates that I can find *at all*. It may well be the most secure OS around,
but until they solve the ease of use issues, it's always going to avoid
mainstream use. Note that this isn't a case of dumbing down the OS for the
masses. I'm more than able to cope with patching and recompiling source as
necessary. But when there's a security hole that means my servers are
vulnerable, I want it fixed ASAP, and the problem is that I don't have
*time* to babysit OpenBSD through a source upgrade when I'm rushing round
trying to secure the other servers as well.

>An older firewall (OpenBSD 2.8) at another branch is running such an old 
>version of SSH that it appears to still be safe ... Which doesn't mean I'm 
>not going to update it very soon!!!

Yep, my home firewall's running 2.8, and no, I'm not going to be rushing
out to replace it, for two reasons -- firstly, it works, and isn't
vulnerable. Pretty much the only remote risks to the system are in sshd
or ipf (discounting kernel bugs in the IP stack, and given the amount of
scrutiny the BSD stack has had, I think that's fairly safe). sshd has
just had a full security audit, and the version on 2.8 has been deemed
safe (OK, so there's a potential local exploit, but I'm talking about
remote security here). That just leaves ipf, which is more mature and
hence statistically more likely to be secure than pf. The second reason
is that when I tried to upgrade to 3.0 a few months ago, it failed, and
refused to forward packets between interfaces, which is pretty terminal
for a firewall :-) I *will* get round to upgrading at some point, but
I'm not in a great hurry.

Just curious -- what version was the compromised box running? The OpenBSD
security advisories imply that 2.9 is secure, despite the fact that it's
running sshd-2.9, which is theoretically one of the vulnerable ones...

