On Oct 13, 2005, at 9:08 AM, Peter Curran wrote:
> just to continue the general discussion re. OpenBSD.
>
> This was on Undeadly today: http://securityfocus.com/columnists/361
>
> This is pretty much why I am more interested in using OpenBSD for my
> firewall than any of the alternatives. I know it may not be as fast, and
> that m0n0 has never had a security issue with FreeBSD, but at the end of
> the day I want 1. SECURITY, 2. Secure Design, 3. SECURITY,
> 4. Functionality, 5. Performance in that order.

ICMP source quench can be filtered, rather than what OpenBSD has implemented.
The others have no business on a device that is anywhere at the endpoints of
the connection.
In fact, the Path-MTU code can't be correctly implemented anywhere but at an
endpoint, and the connection reset attack doesn't affect any BSD-derived
system.
So this doesn't really apply to firewalls.