On Oct 13, 2005, at 9:08 AM, Peter Curran wrote:
> just to continue the general discussion re. OpenBSD.
> This was on Undeadly today: http://securityfocus.com/columnists/361
> This is pretty much why I am more interested in using OpenBSD for
> my firewall
> than any of the alternatives. I know it may not be as fast, and
> that m0n0
> has never had a security issue with FreeBSD, but at the end of the
> day I want
> 1. SECURITY, 2. Secure Design, 3. SECURITY, 4. Functionality, 5.
> in that order.
ICMP source quench can be filtered, rather than what OpenBSD has
The others have no business on a device that is anywhere at the
endpoints of the connection.
In fact, the Path-MTU code can't be correctly implemented anywhere
but at an endpoint, and the connection
reset attack doesn't affect any BSD-derived system.
So this doesn't really apply to firewalls.