[Gllug] My firewall is rooted

tet at accucard.com tet at accucard.com
Mon Jul 15 14:52:35 UTC 2002

>Is OpenBSD any better/worse than Linux/Smoothwall etc? I guess
>if you've switched off all the services, it's just down to your
>filtering rules and the kernel.

In my opinion, yes, it's still better. One remote hole in 6 years is
still an enviable record. Filtering rules didn't help in this case
because virtually everyone allows ssh through anyway. sshd is one of
the most critical parts of the system in that it has to run as root[1],
and it's commonly open to the world. The only thing that could protect
against it was a more thorough audit of the code in advance.

Note that most Linux distributions were vulnerable to this as well,
although interestingly, many weren't susceptible in the default install.


[1] One of the improvements in the bug-fixed ssh is privilege separation,
    which runs the majority of sshd as a normal user, and only the critical
    parts of the code as root. The advantage, obviously, is that it's
    easier to verify that the small part running as root is correct and
    bug free than it is to verify the entire application...
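The privilege-separation pattern from the footnote, as an added C example (not OpenSSH's own code): a privileged monitor process forks a child, the child drops to an unprivileged account (assumed here to be "nobody") before it touches untrusted input, and the monitor accepts only a fixed-size reply over a pipe.

```c
#include <ctype.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Child side: drop root if we have it. Assumes a "nobody" account exists;
 * when the program is not running as root there is nothing to drop. */
static void drop_privileges(void) {
    if (geteuid() != 0)
        return;
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        _exit(1);                   /* refuse to parse input while still root */
}

/* The untrusted work runs here (constructed stand-in for protocol parsing:
 * count decimal digits). A bug in this code only compromises the
 * unprivileged child, not the privileged monitor. */
static int parse_untrusted(const char *input) {
    int digits = 0;
    for (; *input; input++)
        if (isdigit((unsigned char)*input))
            digits++;
    return digits;
}

/* Monitor side: small, privileged, and only ever reads a fixed-size int
 * from the child. Returns the child's result, or -1 on any failure. */
int privsep_count_digits(const char *input) {
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* unprivileged child */
        close(fd[0]);
        drop_privileges();
        int result = parse_untrusted(input);
        if (write(fd[1], &result, sizeof result) != (ssize_t)sizeof result)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);                   /* privileged parent */
    int result = -1, status = 0;
    if (read(fd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || result < 0)
        return -1;
    return result;
}
```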
