Firewall Wizards mailing list archives

Re: why isn't there a newer linux fw-howto


From: Adam Shostack <adam () homeport org>
Date: Tue, 6 Oct 1998 07:06:47 -0400

On Tue, Oct 06, 1998 at 12:49:44AM -0700, Jan B. Koum  wrote:
| On Mon, 5 Oct 1998, Adam Shostack wrote:
| >I'll be a contrarian.  The Linux audit project is going full steam,
| >and has found lots of interesting stuff.  FreeBSD is great for desktop 
| >systems, and comes easy to use, but it's a lot more work to take it to
| >FW ready.  If you want a BSD system, try OpenBSD.

|       I'll be a contrarian to a contrarian. Ouch!
| 
|       AFAIK people in both Net and FreeBSD camps do follow OpenBSD tree
| for security fixes. As for FreeBSD being only great for desktop: I'd think
| folks at yahoo and hotmail who run their web server on FreeBSD would not
| agree with you on this one. :)

Good point. :)

|       Also, what is "a lot more work" to which you are referring that is
| needed to make a FreeBSD box ready? In general any Unix box by default
| needs work to be a firewall: extra services turned off, custom kernel
| created, ip filtering enabled, etc.

        Some securelevel stuff, making sure that tripwire & such don't
scream about the (recently fixed) dirty page/mtime bug.  Setting the
sysctl variables.  Using ipfilter, which I know well, instead of
ipfw. I suppose a lot of it is knowing the system you're using, which
is why I like Open-, and Perry likes Net-, and leads me to:

|       But I do notice that we all agree on one thing: if it has to be a
| free source unix based firewall, it is gotta be BSD.

        It's gotta be a system you know well.  If you know Linux back
and forth, then by all means, don't pick up *BSD because someone tells 
you it's a good firewall box.  It's nothing without knowledgeable people
to tweak it.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
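The checklist above (services off, securelevel raised, sysctl variables set, IP Filter rather than ipfw) as a worked example. This is an added script, not code from the thread or from any of the posters: it stages the three FreeBSD files into a directory for review rather than writing to /etc, and then sanity-checks that the rule set is default-deny. The interface names (ext0, int0), the addresses, and the particular sysctl and rc.conf knobs are assumptions about a reasonably modern FreeBSD; verify them against your release before deploying.

```shell
#!/bin/sh
# Added example (not from the original post): stage a minimal FreeBSD
# firewall configuration (rc.conf additions, sysctl.conf, ipf.rules) into a
# directory so it can be reviewed before being copied to /etc.
# Interface names, addresses and the exact knob names are assumptions.
set -eu

# gen_fw_config DIR EXTIF EXTADDR INTIF INTNET
#   DIR      staging directory (files go here, never straight to /etc)
#   EXTIF    outside interface, e.g. ext0 (hypothetical name)
#   EXTADDR  this host's address on EXTIF
#   INTIF    inside interface, e.g. int0 (hypothetical name)
#   INTNET   inside network in CIDR form, e.g. 192.168.1.0/24
gen_fw_config() {
    dir=$1 extif=$2 extaddr=$3 intif=$4 intnet=$5
    mkdir -p "$dir"

    # rc.conf: extra services off, securelevel raised at boot,
    # IP Filter (not ipfw) loaded with its rule file, forwarding on.
    cat > "$dir/rc.conf.local" <<EOF
inetd_enable="NO"
sendmail_enable="NONE"
portmap_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="2"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
gateway_enable="YES"
EOF

    # sysctl.conf: route packets, but refuse source routing and
    # redirects, and do not answer probes to closed ports.
    cat > "$dir/sysctl.conf" <<EOF
net.inet.ip.forwarding=1
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
EOF

    # ipf.rules: default deny both ways, anti-spoofing and bad-packet
    # drops on the outside interface, then stateful passes only.
    cat > "$dir/ipf.rules" <<EOF
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick on $extif from $intnet to any
block in log quick on $extif from 127.0.0.0/8 to any
block in log quick on $extif all with ipopts
block in log quick on $extif all with short
pass out quick on $extif proto tcp from $extaddr to any flags S keep state
pass out quick on $extif proto udp from $extaddr to any keep state
pass out quick on $extif proto icmp from $extaddr to any keep state
pass in quick on $intif proto tcp from $intnet to any flags S keep state
pass in quick on $intif proto udp from $intnet to any keep state
pass in quick on $intif proto icmp from $intnet to any keep state
EOF
}

# check_fw_config DIR: returns 0 when the staged files are default-deny
# (both block-all lines present and ahead of the first pass rule), use
# IP Filter, raise securelevel and enable forwarding; otherwise 1.
check_fw_config() {
    rules=$1/ipf.rules
    [ -f "$rules" ] || return 1
    grep -q '^block in log all$' "$rules" || return 1
    grep -q '^block out log all$' "$rules" || return 1
    first_block=$(grep -n '^block' "$rules" | head -n 1 | cut -d: -f1)
    first_pass=$(grep -n '^pass' "$rules" | head -n 1 | cut -d: -f1)
    [ -n "$first_block" ] && [ -n "$first_pass" ] || return 1
    [ "$first_block" -lt "$first_pass" ] || return 1
    grep -q '^net.inet.ip.forwarding=1$' "$1/sysctl.conf" || return 1
    grep -q '^kern_securelevel_enable="YES"$' "$1/rc.conf.local" || return 1
    grep -q '^ipfilter_enable="YES"$' "$1/rc.conf.local" || return 1
}

# Usage: sh stage-fw.sh /tmp/fwstage ext0 192.0.2.1 int0 192.168.1.0/24
if [ "$#" -ge 5 ]; then
    gen_fw_config "$@"
    check_fw_config "$1" && echo "staged in $1: default-deny OK"
fi
```

Review the staged files, then merge rc.conf.local into /etc/rc.conf, copy sysctl.conf and ipf.rules into /etc, and reboot; with kern_securelevel at 2 the rule file can still be reloaded with ipf, but raising it to 3 would freeze the rules until the next boot.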
