Re: [ossig] A very lengthy article on installing and securing FreeBSD
On Thursday 25 September 2003 5:22 pm, Tze-Meng Tan wrote:
> On Wednesday, September 24, 2003, at 11:09 AM, Mukhsein Johari wrote:
> > Isn't running 'unknown' binaries risky for any
> > architecture though? A FreeBSD binary you did not
> > compile could just as easily be a security risk, no?
>
> correct,
> However there are very few sites which have FreeBSD precompiled
> application binaries though, I generally compile everything I use and
> my guess is most FreeBSD users will do the same, a simple "make install
> clean" in the appropriate ports directory is all it takes ... I even do
> this with openoffice even though it takes 9 hours... I could download
> the precompiled binary in less than 2 hours .... it's a culture thing :)
>
> If I'm not mistaken, many Linux users download and install precompiled
> binaries.. common to have sites with RPMs or DEBs to download whereas
> it is very rare for sites to have FreeBSD binaries.....nvidia driver is
> one that comes to mind
There's another side to this. If you have apt-get and URPMI configured
properly, dependencies are satisfied automatically rather than having to
download and compile them separately. I used to love the ./configure make && make install
routine, but after discovering urpmi, I rarely use it unless there's a real
reason for it. I can't remember which it was, but I think FreeBSD has some
similar package management tools.
>
> For FreeBSD users, the primary reason for having Linux compat is
> because either there are no sources (half-life server, oracle for
> example - this is very common) or the sources are very linux kernel
> specific and won't compile on FreeBSD anyway (this is rare...since if
> it won't compile, it probably won't run)..... I do this because this is
> the only way to do something
>
> > Again, FreeBSD is not bug-free but it still is damn
> > good. Linux specific bugs are there all the time - you
> > just patch your software/download latest build etc. It
> > still just seems like religious bias against Linux to
> > me.
>
> no, that's not what I mean,
> yes, both FreeBSD and Linux have bugs ...all substantial software will
> have bugs :)
> just that if you run pure FreeBSD you are exposed to only FreeBSD bugs
> but if you run Linux compat you now add Linux bugs to the list ! Of
> course, some Linux bugs may not have any bad effects on FreeBSD and
> conversely some benign bugs on Linux may become serious in FreeBSD
>
> > Well, you wouldn't put nonsense (like linux compat) on
> > your firewall anyway! We have better tools on FreeBSD
> >
> > :-) (eh...heh, did I say religious bias?)
>
> heheh
> Operating Systems are like cars
> Some people like to drive Mercs and BMW 7 series, some people prefer a
> Ferrari or Porsche...I like Volvos :)
> A well-known FreeBSD user on this list prefers Bikes :)
> All personal preference :)
Generally, for a firewall, whether on OpenBSD, FreeBSD or some hardened version of
Linux, you really want to strip it down to the absolute minimum and in fact,
you may even want to compile a specially patched kernel for it. A firewall's
main job is packet filtering, you may want to add something like mrtg to it
but it will introduce additional risks and you definitely do not want to run
something like an irc server or dsniff on the firewall.
>
>
> ------------------------------------------------------------
> To unsubscribe: send mail to ossig-request@mncc.com.my
> with "unsubscribe ossig" in the body of the message