Re: Ammunition needed to defend OpenBSD/pf
On Wed, 3 Aug 2005 18:26:52 -0600 (MDT), Diana Eichert [EMAIL PROTECTED] wrote: just use some 50cal BMG rounds, that should be effective ammunition. sorry, I just had to after following this thread for awhile I think you're taking the phrase Bullet-Proof Software a bit too literally. ;-) JCR -- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Ammunition needed to defend OpenBSD/pf
Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I'm certain I can think of lots of reasons, but with a few stout beers in me, one of the first thoughts that comes to mind is how thankful you will be when troubleshooting some firewall or related issue and you find your privsep'ed tcpdump happily providing you with what you need to have a better day. Danny
Re: Ammunition needed to defend OpenBSD/pf
On Tue, 02 Aug 2005 22:54:22 -0500, Shawn K. Quinn wrote: On Tue, 2005-08-02 at 22:09 -0400, Jim Fron wrote: What it does that an OBSD solution can't is be low power, cheap, and bought off the shelf (maybe there are off-the-shelf suppliers of OBSD machines, but they aren't in every strip mall in the country). To the third of those, I agree. To the first two of those, I offer as counterexamples the rather famous Soekris Technologies hardware. Even a loaded net4801 is relatively low power (1.5A at 12V). As for cheap, they certainly aren't out of our budget as home users. -- Shawn K. Quinn [EMAIL PROTECTED] And those Soekris 4801s are what I'm using - and defending vociferously! Here in Australia they ain't all that cheap due to courier delivery using a carrier that charges (IIRC about $60AUD) for paperwork that wouldn't even be needed if they came USPS. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Ammunition needed to defend OpenBSD/pf
Hi, I have 1 argument for D-Link and against OpenBSD: D-Link can DSL. OpenBSD cannot. So you have to buy at least a DSL modem for OpenBSD. And since you are buying a DSL modem, why not add 20 Euros and buy a DSL-router? At least for a small home network. Regards Alex
Re: Ammunition needed to defend OpenBSD/pf
On Wed, Aug 03, 2005 at 10:30:25AM +0200, Alexander Farber wrote: | Hi, | | I have 1 argument for D-Link and against OpenBSD: | | D-Link can DSL. OpenBSD can not. So you have to | buy at least a DSL modem for OpenBSD. And since you | are buying a DSL modem, why not add 20 Euros and | buy a DSL-router? At least for a small home network. I actually consider that a plus. Using a very simple DSL modem that does RFC1483 bridging, you can then have your router/firewall be redundant with CARP/pfsync. If the DSL modem breaks, you can easily replace it with another (cheap!). That means very little downtime in emergencies and no downtime when upgrading your OS. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
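The redundant-firewall layout Paul describes, written out as an added configuration example (this is not from the original thread or from the OpenBSD project's own documentation): two OpenBSD boxes behind a bridging DSL modem share their external and internal addresses with CARP and keep their pf state tables in step over pfsync, so a failed or rebooting master is replaced by the backup without dropping established connections. Interface names (em0/em1/em2), all addresses and the CARP password are assumptions; both boxes get the same files except for their own real addresses and the advskew value.

```conf
# /etc/hostname.em0  -- external interface toward the bridged DSL modem.
# Each box has its own real address (assumed addresses throughout).
inet 203.0.113.2 255.255.255.248

# /etc/hostname.carp0  -- the shared external address clients and the
# ISP see. Same vhid and pass on both boxes; advskew 0 on the box that
# should normally be master, e.g. 100 on the backup.
inet 203.0.113.1 255.255.255.248 203.0.113.7 vhid 1 pass carp-secret advskew 0

# /etc/hostname.em1  -- internal interface, real address per box
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp1  -- shared internal gateway address for the LAN
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 pass carp-secret advskew 0

# /etc/hostname.em2  -- dedicated crossover link used only for pfsync.
# pfsync sends state-table contents unauthenticated and in the clear,
# so it must never run over a shared segment.
inet 10.0.0.1 255.255.255.0

# /etc/hostname.pfsync0
up syncdev em2

# /etc/sysctl.conf
net.inet.carp.preempt=1      # a box that loses one vhid gives up all of them,
                             # so ext and int fail over together
net.inet.ip.forwarding=1

# /etc/pf.conf  -- only the rules CARP and pfsync need; the rest of the
# ruleset is whatever the site requires
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# pfsync traffic stays on the crossover link; (no-sync) keeps these
# states out of the very table being synchronised
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements on every interface that carries a vhid
pass on { $ext_if, $int_if } proto carp keep state (no-sync)
```

To check it, `ifconfig carp0` on each box should report one MASTER and one BACKUP, and `pfctl -s states` on the backup should show the same entries as the master shortly after a connection is opened through the firewall. Pulling the master's external cable should move both carp0 and carp1 to the backup at once because of the preempt setting; without it, only the interface that lost its link would fail over and traffic would be routed asymmetrically.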
Re: Ammunition needed to defend OpenBSD/pf
Melameth, Daniel D. wrote: Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I'm certain I can think of lots of reasons, but with a few stout beers in me, one of the first thoughts that comes to mind is how thankful you will be when troubleshooting some firewall or related issue and you find your privsep'ed tcpdump happily providing you with what you need to have a better day. And that troubleshooting would in all likelihood be of your configuration of said firewall and not the firewall itself. Regards, Ray
Re: Ammunition needed to defend OpenBSD/pf
On 2005-08-03 03:03, Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines. I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast. Don't know about that model but I've had a D-Link that would run hot and after a while one could no longer log in and change any settings without having to power it off and wait until it cooled down. After that I lost faith in such boxes and won't use one for my own home, even less for business. Again, I don't know anything about that one, but OBSD will probably be way more flexible than anything you can buy for that price, but most important of all is the support you'll have when going with OBSD. On the lists you'll get high-quality answers to all your questions and faster than D-Link can give you. -- Erik Wikström
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 03 Aug 2005 11:03:34 +1000, Rod.. Whitworth [EMAIL PROTECTED] wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines. I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast. Thanks, Rod/ Hi Rod, As sick as it may sound, FUD works. First, discredit your opponent: Try using the line, "There are lies, damned lies and then there are supposedly working features." (laugh) "Heck, if you think that's bad, even worse is supposedly secure systems." (laugh) Next, pump up your product: Though it seldom counts as a Valid Business Reason I usually mention the tremendous Hack Value and extensive Bragging Rights of using The-Most-Secure-Operating-System-On-The-Planet! to the corporate decision makers. If they're smart enough to give you that "I don't want to hear your FUD" look, just level with them. "If you really want me to go into all the various technical details involved in a full source code audit, the costs you would bear to do an equivalent audit on a closed source binary through reverse engineering, and you'd also need a detailed comparison of standards compliance validation and testing as well as a comparison of how long your ass will be sitting out there on the cold dark net with your pants down when some new exploit is discovered... Sure... If you want to waste your time and money putting together a complete report so I can bore you to tears with all the technical details, I'd be more than happy to do it." Say absolutely nothing until their nerve finally breaks and they give you a fumbled reply - game over.
And close the deal: "The bottom line is if you really want to have hard facts on which system would be more secure, you would be forced to hire very talented security reverse engineers at $300 per hour to do a full binary audit of the firmware in the netgear box and that would cost you tens of thousands of dollars. When you realize there's no such thing as a PERFECT security audit, you could choose an unproven netgear consumer crap with a questionable audit that cost you a fortune or you could choose a proven product like OpenBSD that has been audited at the source code level multiple times by many individuals." As stupid as it may seem, the FUD works every time. ;-) The only question is, "Is it really FUD?" - Yes and no. Though it is FUD in most regards, you also just laid out a valid and important Business Reason for using OpenBSD - A company should not be spending the kind of money it would require to make a detailed and informed decision between an unknown closed binary running on the netgear consumer crap versus an already audited OS with a proven track record. On the other hand, if they have money to burn and want to do a binary audit on the netgear crap, give me a call and I'll set you up with the right people. ;-) Kind Regards, JCR -- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 3 Aug 2005 11:03:23 +0200, Paul de Weerd wrote: On Wed, Aug 03, 2005 at 10:30:25AM +0200, Alexander Farber wrote: | Hi, | | I have 1 argument for D-Link and against OpenBSD: | | D-Link can DSL. OpenBSD can not. So you have to | buy at least a DSL modem for OpenBSD. And since you | are buying a DSL modem, why not add 20 Euros and | buy a DSL-router? At least for a small home network. I actually consider that a plus. Using a very simple DSL modem that does RFC1483 bridging, you can then have your router/firewall be redundant with CARP/pfsync. If the DSL modem breaks, you can easily replace it with another (cheap!). That means very little downtime in emergencies and no downtime when upgrading your OS. Damn right. Modems (dial-up from the old days, ADSL now) are disposable and best seen out where their lights tell me something. Anyway 60EUR is more than I pay for a Netcomm or Zyxel (about $70AUD = 42 EUR). From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Ammunition needed to defend OpenBSD/pf
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod.. Whitworth Sent: Tuesday, August 02, 2005 9:04 PM To: Miscellaneous OBSD Subject: Ammunition needed to defend OpenBSD/pf Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. Many of these devices provide the "what if I get hit by a bus" protection of a simple, single purpose system. If you use something like OpenBSD, it can be viewed as a homegrown application that must be supported by the organization, and that depends on the individual who set it up. You don't need to know how to use vi to modify the firewall settings on one of those D-Link devices. I'm not saying that a dumb, web configurable device is better. I've seen too many point and click firewalls that were set up incorrectly by someone who didn't know what they were doing. Emacs and vi make sure a total idiot cannot change your firewall settings. I have had a $2500 point and click firewall die on me, and the support contract does me no good during the wait for the next day shipment. I replaced it with a PC and free software until the new unit showed up. If your business, not you, has the skills to manage OpenBSD, then do it.
Re: Ammunition needed to defend OpenBSD/pf
I do not know what a system looks like to an attacker trying to fingerprint you using boxes from Office Depot. However, I would hope that using OpenBSD/pf that I could advertise the fact that I am using OpenBSD/pf, and someone would just move on to their next target. Sincerely, Rob
Re: Ammunition needed to defend OpenBSD/pf
At 04:30 AM 8/3/05, Alexander Farber wrote: I have 1 argument for D-Link and against OpenBSD: D-Link can DSL. Does it really? My D-link router (at home) is tossing SYN attacks back to the modem (as determined by ISP monitoring) causing the DSL modem to lockup. I am eager to learn how to setup a BSD router (on old PC first) and thinking Soekris will be worth the money. Also, read the fine print on D-link's lifetime warranty - you must register product shortly after purchase and it still expires soon after product is discontinued. OpenBSD can not. So you have to buy at least a DSL modem for OpenBSD. And since you are buying a DSL modem, why not add 20 Euros and buy a DSL-router? At least for a small home network. DSL modems have no value. My ISP just sent me a replacement without asking for the old one back (which still works, but not well enough for us). My neighbour has two modems on the shelf after similar transactions.
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 2005-08-03 at 10:30 +0200, Alexander Farber wrote: Hi, I have 1 argument for D-Link and against OpenBSD: D-Link can DSL. OpenBSD can not. So you have to buy at least a DSL modem for OpenBSD. And since you are buying a DSL modem, why not add 20 Euros and buy a DSL-router? At least for a small home network. You mean having the DSL router and modem be in the same physical box, thus introducing a single point of failure? That's a huge minus. I once had a DSL modem go bad on me, and setting up my routing and firewall rules all over again just because I had to get a new modem would have been a nightmare. -- Shawn K. Quinn [EMAIL PROTECTED]
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 2005-08-03 at 09:47 -0400, Will H. Backman wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod.. Whitworth Sent: Tuesday, August 02, 2005 9:04 PM To: Miscellaneous OBSD Subject: Ammunition needed to defend OpenBSD/pf Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. Many of these devices provide the "what if I get hit by a bus" protection of a simple, single purpose system. If you use something like OpenBSD, it can be viewed as a homegrown application that must be supported by the organization, and that depends on the individual who set it up. You don't need to know how to use vi to modify the firewall settings on one of those D-Link devices. I'm not saying that a dumb, web configurable device is better. I've seen too many point and click firewalls that were set up incorrectly by someone who didn't know what they were doing. Emacs and vi make sure a total idiot cannot change your firewall settings. I have had a $2500 point and click firewall die on me, and the support contract does me no good during the wait for the next day shipment. I replaced it with a PC and free software until the new unit showed up. If your business, not you, has the skills to manage OpenBSD, then do it. At my last job, I had a Watchguard firewall with a backup Watchguard sitting on the shelf in case that one died. All of the server traffic went thru the Watchguard and the users browsed through an OBSD box. The first thing my replacement did was to replace the OBSD box with another Watchguard ($700US). I had to reboot the Watchguard about every other month, and never had to cycle the OBSD box. My 2centsUS.
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 2005-08-03 at 09:47 -0400, Will H. Backman wrote: Many of these devices provide the what if I get hit by a bus protection of a simple, single purpose system. If you use something like OpenBSD, it can be viewed as a homegrown application that must be supported by the organization, and that depends on the individual who set it up. You don't need to know how to use vi to modify the firewall settings on one of those dlink devices. You don't need to use vi to modify OpenBSD config files either; there's also mg. You can also scp to another box and edit them with whatever you want there if you don't like either vi or mg. I have a D-Link access point here, and the Web-based config was a bit confusing in places. Not to mention, the Web-based config means it eats an IP address, even though it's basically a bridge. I would much rather have a serial port and shell prompt. I'm not saying that a dumb, web configurable device is better. I've seen too many point and click firewalls that were setup incorrectly by someone who didn't know what they were doing. Emacs and vi make sure a total idiot cannot change your firewall settings. Agreed, it seems more and more that people think typing is an optional part of computer literacy. Especially given the level of people that abbreviate three-letter words in chat/IM... -- Shawn K. Quinn [EMAIL PROTECTED]
Re: Ammunition needed to defend OpenBSD/pf
On Wed, Aug 03, 2005 at 02:35:07AM -0700, J.C. Roberts wrote: your FUD look, just level with them. If you really want me to go into all the various technical details involved in a full source code audit the costs you would bear to do an equivalent audit on a closed source binary through reverse engineering and you'd also ... This is venturing into off-topic territory, but it reminds me of a discussion I started on the wxWidgets users mailing list. Basically, we had a similar situation where I work: trying to determine the best GUI platform for our development. I was championing wxWidgets for its nice license, open sourceness, great community support, robust feature set and the most compelling reason: cross-platform compatibility. In the end, MFC won out, effectively due to so-called industry standards and establishedness (and this was by my peers, not management). I know this thread is D-Link vs OpenBSD, and security definitely has a different flavor than GUI toolkits, but there are some parallels here, primarily, the nice open source platform with every technical advantage versus mindshare/saturation of existing stuff. Here's a link to the wxWidgets thread I mentioned above: http://tinyurl.com/clmdu I think everyone on this list has done a wonderful job explaining why an OpenBSD box will beat the D-Link practically hands-down. The cynical side of me thinks that managers, no matter how great the reality of OpenBSD, are likely to reject it based on a fear and/or ignorance of open source, or with logic like, "Well if it's so good, how come I've never heard of it?" I don't know if this thin rationale could be applied to the router situation, but there's always the standard line of, "If it breaks, who's going to support/fix it?" I doubt D-Link offers this kind of warranty, but some manager might think, "Well if it breaks, it then becomes D-Link's responsibility to fix it, and their liability for any down time and/or security breaches."
Another cynical view is that managers don't like having their employees knowing more than them or any kind of non-commodity knowledge (aka intellectual capital). E.g., with OpenBSD, it's not common knowledge, and expertise in that system might make you, as an employee, not replaceable or not easily outsourced. Sorry for the rant, I just get frustrated at times trying to be an advocate for open source :) Matt -- Matt Garman email at: http://raw-sewage.net/index.php?file=email
Re: Ammunition needed to defend OpenBSD/pf
That logic is completely false and you contradict yourself. Allowing for multiple points of failure does not mean that something is less reliable as you have described. It means that if/when one fails, the other will still be available. Using your example of a power supply lasting 10 years, that would translate to 2 failures in 10 years, not 1 failure in 5 years. I think you understand the concepts, as your best solution is to have multiple points of failure with failover using CARP. Jim O'Donald -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chefren Sent: Wednesday, August 03, 2005 12:47 PM To: misc@openbsd.org Subject: Re: Ammunition needed to defend OpenBSD/pf On 08/03/05 19:25, Shawn K. Quinn wrote: You mean having the DSL router and modem be in the same physical box, thus introducing a single point of failure? That's a huge minus. ??? You would prefer a million boxes, one for each individual transistor or logic gate? Two boxes have two CPUs, two power supplies etc in the same production line and the total is thus =less= reliable than a single box solution. If the power supplies are equal and each statistically breaks down once in ten years, in total that becomes once in five years. By the way, the same applies for RAID, more concurrent hard disks definitely means =more often broken drives=. Although the system won't break down if well designed, you still have to do more repairs. Five drives instead of one: five times as many disks to repair/replace. Good is often to have a spare, pre-installed(!), DSL router and modem, better is to have a concurrent and tested(!) backup channel. Best is to have a working backup channel: CARP! +++chefren
Re: Ammunition needed to defend OpenBSD/pf
On Wednesday 03 August 2005 01:15 pm, Jim O'Donald wrote: Using your example of a power supply lasting 10 years, that would translate to 2 failures in 10 years, not 1 failure in 5 years. And if the box is properly designed, it will continue running unless both power supplies fail simultaneously - an event which should have extremely low probability.
Re: Ammunition needed to defend OpenBSD/pf
On 08/03/05 20:55, Dave Feustel wrote: On Wednesday 03 August 2005 01:15 pm, Jim O'Donald wrote: Using your example of a power supply lasting 10 years, that would translate to 2 failures in 10 years, not 1 failure in 5 years. And if the box is properly designed, it will continue running unless both power supplies fail simultaneously - It was about a router and a modem in one box or in two =serial= boxes. an event which should have extremely low probability. Highly uninteresting theory or plain hogwash... Practice is very very different, for example electrolytic capacitors all break down after the same time. Often related to temperature, voltages and time. +++chefren
Re: Ammunition needed to defend OpenBSD/pf
On 08/03/05 20:15, Jim O'Donald wrote: That logic is completely false and you contradict yourself. Pooh pooh. Allowing for multiple points of failure does not mean that something is less reliable as you have described. It means that if/when one fails, the other will still be available. But since as far as I know in =this= case they are in line and not in parallel, one failure is a failure of the system. Availability of other parts isn't that interesting, I presume the stickers are still readable and so on... Two equal power supplies in line: twice the risk of a breakdown of the system and two times as many failures of power supplies. Two equal power supplies in parallel: half the risk of a breakdown of the system but still two times as many failures of power supplies and twice the support effort for the power supplies. +++chefren
Re: Ammunition needed to defend OpenBSD/pf
On 8/3/05, Matt Garman [EMAIL PROTECTED] wrote: I think everyone on this list has done a wonderful job explaining why an OpenBSD box will beat the D-Link practically hands-down. The cynical side of me thinks that managers, no matter how great the reality of OpenBSD, are likely to reject it based on a fear and/or ignorance of open source, or with logic like, Well if it's so good, how come I've never heard of it? In security I don't see this problem too often, most of the best projects are so esoteric or so expensive that people don't expect to have heard of them, even in the trade rags. OTOH, I've actually had management explain that one vendor was a better choice than another because even though nobody had really heard of either company, the more expensive vendor and product had a name that sounds more professional. This is why we buy Intel Pro/1000 instead of SysKonnect, Dell PowerEdge instead of Soekris, etc. I don't know if this thin rationale could be applied to the router situation, but there's always the standard line of, If it breaks, who's going to support/fix it? I doubt D-Link offers this kind of warranty, but some manager might think, Well if it breaks, it then becomes D-Link's responsibility to fix it, and their liability for any down time and/or security breaches. I'd venture *every* commercial vendor has a warranty and EULA specifically excluding any liability for downtime, security breaches, etc. In big corporations, many managers and directors carry the meme that having a big name vendor behind a project or deployment provides somebody to take the fall (Nobody gets fired for buying IBM^H^H^HCisco), and that in general buying the name brand is an effective CYA move. When things go south, it's easier to stand in front of the board explaining how a Cisco router crashed (in generic terms) than to be justifying any choice that isn't a household word. 
The day after a major outage is not a good time to be called before the board to explain what exactly an OpenBSD is, and why free means there's nobody to sue. I'm not saying this is a valid argument, just an effective one. I will admit that when you have an entire Cisco-based network lock up at 2AM, it doesn't take long for the vendor to get their grief counselors on a conference call to fill your ears with reassurances of how their engineers are working fervently in the lab to recreate and resolve your problem. This is one area where the big vendors have OpenBSD beat hands down. Another cynical view is that managers don't like having their employees knowing more than them or any kind of non-commodity knowledge (aka intellectual capital). E.g., with OpenBSD, it's not common knowledge, and expertise in that system might make you, as an employee, not replaceable or not easily outsourced. I believe this to be a very common subliminal belief among managers, not something they are comfortable revealing to front line staff. OTOH, I've used this "all employees must be readily replaceable" idea to OpenBSD's advantage, citing the widespread deployment of OpenBSD (as documented by the bsdcertification.org task report) to not only justify using OpenBSD for production, but also to include OpenBSD as a requirement on our open position postings. Kevin Kadow (P.S. If you still feel up to dealing with megacorporation management after reading the above, I can be contacted off-list. This is a senior full-time staff position in Chicago, no paid relocation, must have an IT degree and/or extensive experience in corporate IT security. Expect a lot of Cisco questions.)
Re: Ammunition needed to defend OpenBSD/pf
chefren wrote: Two equal power supplies in line: Twice as much the risk of a brakedown of the system and two times as much failures of power supplies. Let's see. Let X be the (boolean) random variable designating ''system X breaks down in the first N years''. Equally, let Y be the random variable designating ''system Y breaks down in the first N years''. Then P(X = 1) is the probability of X breaking down and similarly, P(Y = 1) is the probability Y breaks down. Now (X = 1) and (Y = 1) are clearly independent. If one breaks down, it does not influence whether or not the other one does. But since the events are independent, they cannot be mutually exclusive. This makes sense logically, since both X and Y can break down in N years so intersection(X = 1, Y = 1) is not the empty set which implies X and Y not mutually exclusive. The addition rule for independent events gives us: P(union(X = 1, Y = 1)) = P(X = 1) + P(Y = 1) - P(X = 1) * P(Y = 1) So you forget the last term by saying ''twice as much''. You have to deduct the probability that both events occur (or it would have been ''counted'' twice). Two equal power supplies in parallel: Half the risk of a brakedown of the system but still two times as much failures of power supplies and twice the support effort for the power supplies. Now in this case, we still have independence, but now both have to fail. In other words P(intersection(X = 1, Y = 1)) = P(X = 1) * P(Y = 1) This is theory. In practice a failing power supply will be changed as soon as it shows an error. Especially in the serial case. This means that in practice, one has to do a more heavyweight probability analysis. One needs the probabilities after one month, after 2, 3, 4, etc to do the discrete case. I can assure you the probabilities are not as easy as you are taking them to be.
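The two cases in the post above carried through with numbers, as an added worked example that is not part of the thread. The constant-failure-rate (exponential) model and the 10-year figure are assumptions, chosen to match the "once in ten years" example quoted earlier; X and Y are the two supplies as defined above, and units are assumed to be replaced as soon as they fail.

$$
p = P(X=1) = P(Y=1) \quad\text{(one supply fails within } t \text{ years)}
$$

$$
\text{Series (router and modem in separate boxes, both needed):}\quad
P(\text{system down by } t) = P(X=1 \cup Y=1) = 2p - p^{2}
$$

$$
\text{Parallel (two supplies in one box, either suffices):}\quad
P(\text{system down by } t) = P(X=1 \cap Y=1) = p^{2}
$$

$$
\text{Constant failure rate } \lambda,\ \text{MTTF} = 1/\lambda = 10\ \text{years:}\quad
p = 1 - e^{-\lambda t}
$$

$$
\text{Series:}\quad P(\text{down by } t) = 1 - e^{-2\lambda t},\qquad
\text{MTTF}_{\text{series}} = \frac{1}{2\lambda} = 5\ \text{years}
$$

$$
\text{Parallel:}\quad P(\text{down by } t) = \left(1 - e^{-\lambda t}\right)^{2},\qquad
\text{MTTF}_{\text{parallel}} = \frac{2}{\lambda} - \frac{1}{2\lambda} = \frac{3}{2\lambda} = 15\ \text{years}
$$

$$
\text{Expected supply replacements in 10 years, either layout:}\quad 2\lambda \cdot 10 = 2
$$

Under this model "once in five years" and "two failures in ten years" describe the same series system: the first is the mean time until the system goes down, the second the number of replacements done over the decade. The parallel layout lengthens the time to an outage to 15 years but the replacement work is the same two units per decade, which is the "twice the support effort" point; neither layout changes how often an individual supply fails.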
Re: Ammunition needed to defend OpenBSD/pf
On 8/3/05, Matt Garman [EMAIL PROTECTED] wrote: The cynical side of me thinks that managers, no matter how great the reality of OpenBSD, are likely to reject it based on a fear and/or ignorance of open source, or with logic like, Well if it's so good, how come I've never heard of it? The same reason why free, functional and secure is simple. Having the mind and morals to understand the simplicity can take years. Most of us end up using the systems where we work, or if that fails, make where we use the systems, work.
Re: Ammunition needed to defend OpenBSD/pf
just use some 50cal BMG rounds, that should be effective ammunition. sorry, I just had to after following this thread for awhile
Re: Ammunition needed to defend OpenBSD/pf
Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Well, we connected a new client with straight ethernet via a D-Link DL-600 (which their previous ISP made them buy). It just wouldn't work. I could see its MAC address, but that was it. So I went there (7pm on Saturday night) and stuffed around with it for 1/2 an hour. Reset it. Reconfigured it etc. Zip. Nup. Nada. I plugged in a workstation and configured it and yep, it worked. I had a completely new OBSD firewall configured for them within 1/2 an hour. On a Saturday night. Oh, and the user interface on the D-Link? Brain-dead would be a compliment. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines. I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast. Thanks, Rod/ From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Ammunition needed to defend OpenBSD/pf
Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines. I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast. Thanks, Rod/ From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Ammunition needed to defend OpenBSD/pf
On 8/2/05, Rod.. Whitworth [EMAIL PROTECTED] wrote: Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Complete documentation and source code you can not only look at, but modify if you're so inclined. aaron.glenn
Re: Ammunition needed to defend OpenBSD/pf
* Aaron Glenn [EMAIL PROTECTED] [2005-08-02 19:01]: On 8/2/05, Rod.. Whitworth [EMAIL PROTECTED] wrote: Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Complete documentation and source code you can not only look at, but modify if you're so inclined. ... and it doesn't fall over and die under load. -Bob -- Bob Beck Computing and Network Services [EMAIL PROTECTED] University of Alberta True Evil hides its real intentions in its street address.
Re: Ammunition needed to defend OpenBSD/pf
On Wed, 03 Aug 2005 11:03:34 +1000 Rod.. Whitworth [EMAIL PROTECTED] wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was thsi device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. It's a D-Link. Is there really anything else you need to know? Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? OpenBSD isn't marketing hype/bullshit compliant. Or alternatively the reverse. No 200 tunnel limit. No 500 user limit. It's not D-Link. --- Lars Hansson
Re: Ammunition needed to defend OpenBSD/pf
Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was thsi device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. The DLink doesn't have failover or load balancing. To get that, you need the DFL-1100, which is $2500 (each). The DLink is limited to 200 tunnels, I doubt OpenVPN has such a limit. There's only one admin user on the DLink, so if someone changes something it's harder to tell who really changed it. (I assume that's what they mean when they say you can't have multiple administrators.) DLink has had more major (dumb) vulnerabilities in their products, OpenBSD can't compete there.
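To make the "failover or load balancing" and "200 tunnels" points concrete, here is an added pf.conf fragment (not posted by anyone in this thread, and not taken from the OpenBSD FAQ) showing what a two-uplink OpenBSD box of the era could do out of the box: outbound sessions from the LAN are spread across two ISP links with route-to round-robin, reply traffic is forced back out the link it arrived on, and OpenVPN clients are admitted with an ordinary pass rule rather than a licensed tunnel count. Interface names, addresses and the LAN range are assumptions for the example; the syntax is the 2005-era pf.conf (nat on ... and interface-qualified route-to), which later OpenBSD releases changed to match ... nat-to and an address-only route-to, so check pf.conf(5) for the release you run.

```pf
# Added example, not from the thread. Interface and address values are
# placeholders chosen for illustration.
int_if  = "fxp0"           # LAN side
ext_if1 = "fxp1"           # ISP A
ext_if2 = "fxp2"           # ISP B
ext_gw1 = "10.0.0.1"       # ISP A gateway
ext_gw2 = "10.0.1.1"       # ISP B gateway
lan_net = "192.168.0.0/24"

# NAT outbound traffic to whichever uplink it leaves on.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block log all

# Spread new LAN sessions across both uplinks; "keep state" pins each
# connection to the gateway it was assigned.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $lan_net to any keep state

# Packets sourced from one uplink's address must leave via that uplink,
# even if the routing table would send them the other way.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any keep state

# Road-warrior OpenVPN (UDP 1194 assumed): no per-tunnel licence, just a rule.
pass in on { $ext_if1 $ext_if2 } proto udp from any to port 1194 keep state
pass on tun0 from any to $lan_net keep state
```

Load the rules with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows which gateway each active state was bound to. Link failover on top of this was done with ifstated(8) or a second box running carp(4) and pfsync(4), both of which were in the base system.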
Re: Ammunition needed to defend OpenBSD/pf
The next firmware or os version may require the purchase of a new appliance because these upgrades will not support your appliance. On the other hand, you can bet that a new release of obsd/pf will not require the purchase of new hardware. On Tuesday 02 August 2005 08:03 pm, Rod.. Whitworth wrote: Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was thsi device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles. Anybody know what, if anything, it does that an OBSD solution doesn't/ cannot, that may be important? Or alternatively the reverse. I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines. I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast. Thanks, Rod/ From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Ammunition needed to defend OpenBSD/pf
On Aug 2, 2005, at 9:03 PM, Rod.. Whitworth wrote: Anybody know what, if anything, it does that an OBSD solution doesn't/cannot, that may be important? Or alternatively the reverse.

What it does that an OBSD solution can't is be low power, cheap, and bought off the shelf (maybe there are off-the-shelf suppliers of OBSD machines, but they aren't in every strip mall in the country).

What it doesn't do is more a matter of the hardware itself. I've read reviews of various manufacturers' consumer-grade equipment, and I've tried to help people through their issues with their store-bought solutions. From the reviews I've read, which are, admittedly, third-hand accounts, consumer-grade solutions are alternately unstable or poor quality. Some run hot, some have to be power-cycled on a regular basis.

My first-hand experience says this: sometimes consumer-grade equipment just doesn't work. When it doesn't, there is NOTHING you can do about it except take it back to the store for an exchange. Or two. You can't debug it: it either works or it doesn't. And you have no idea how, or if, it will function under heavy load.

An OBSD solution is one you can log into. Your limitations on filtering, etc., at least for small networks, will be limited only by how much hardware you want to throw at it. You won't be surprised one day to find that you've maxed out your filtering rules.

If there's a security issue or something broken about a consumer-grade solution and it's the firmware, not just bad hardware that needs to be returned, you're at the mercy of the manufacturer waiting for them to release a firmware update. Under OBSD, it's likely that a security issue or a major feature broken will get good attention, and you can patch it yourself if no one else is bothering. If your consumer box is more than a few models old, they may NEVER update the firmware, and you'll just have to buy a new one to fix the problem.
I've been end-of-lifed on proprietary OS on some hardware devices that are perfectly serviceable, such as 10/100 PCI cards because the manufacturer released a new 10/100 card that they want you to buy. And next year, when there's a new protocol or security service you want to offer, you won't have to buy a new machine, you just add the software.
Re: Ammunition needed to defend OpenBSD/pf
On Tue, 2005-08-02 at 22:09 -0400, Jim Fron wrote: What it does that an OBSD solution can't is be low power, cheap, and bought off the shelf (maybe there are off-the-shelf suppliers of OBSD machines, but they aren't in every strip mall in the country). To the third of those, I agree. To the first two of those, I offer as counterexamples the rather famous Soekris Technologies hardware. Even a loaded net4801 is relatively low power (1.5A at 12V). As for cheap, they certainly aren't out of our budget as home users. -- Shawn K. Quinn [EMAIL PROTECTED]