 From:  Jim Thompson <jim at netgate dot com>
 To:  Peter Curran <peter at closeconsultants dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] The future
 Date:  Thu, 13 Oct 2005 10:03:07 -1000
On Oct 13, 2005, at 9:08 AM, Peter Curran wrote:

> just to continue the general discussion re. OpenBSD.
> This was on Undeadly today:  http://securityfocus.com/columnists/361
> This is pretty much why I am more interested in using OpenBSD for my firewall
> than any of the alternatives.  I know it may not be as fast, and that m0n0
> has never had a security issue with FreeBSD, but at the end of the day I want
> 1. SECURITY, 2. Secure Design, 3. SECURITY, 4. Functionality, 5. Performance
> in that order.

  ICMP source quench can be filtered, rather than what OpenBSD has  

The others have no business on a device that is anywhere at the endpoints of the connection.
In fact, the Path-MTU code can't be correctly implemented anywhere but at an endpoint, and the connection reset attack doesn't affect any BSD-derived system.

So this doesn't really apply to firewalls.