Re: [cobalt-developers] OS-discussion
- Subject: Re: [cobalt-developers] OS-discussion
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Mon Mar 25 14:56:12 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
> Date: Mon, 25 Mar 2002 11:12:11 -0800
> From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
(snipping throughout)
> I'm glad it works for you. RaQs, out of the box today, are very
> insecure. Nothing to do with hacks. (BTW, it works fine for me too,
> after we add a lot of security to it.)
...which is such a PITA. A BSD machine is easier (for me) than
this so-called appliance. Generating your own "release" speeds
things up even more.
Alas, I still have some Pentiums in service... so I must compile
twice ("-march=pentium" and "-march=ppro") if I'm interested in
making a package as efficient as possible.
> Most of us have our systems in colocation and don't have the luxury of a
> firewall to be behind. Please let us know a bit about your
No reason why one can't insert a firewall between upstream and
switch.
Of course, a packet-filtering firewall does ZERO good against
malware exploits... IIS and BIND buffer overruns, malicious PNGs
being sent to OpenSSH with vulnerable zlib... packet filters
won't stop these exploits. But it _is_ nice to flip a switch and
shut off services to the outside world while you patch.
> "sophisticated firewall", as I'd love to build one for our colocation
> customers to be able to use.
OpenBSD 3.0's "pf" is nice. Building some firewall/VPN boxes
based on it for clients, as well as one for us. I'm waiting to
deploy ECN until broken firewalls are beaten back, but one has
that choice. Note that it can also use its own ISN generation to
help avoid spoofing attacks on machines with broken IP stacks.
Niiiiice. :-)
If you want ipf and CBQ traffic shaping, FreeBSD with HZ=1000 and
ALTQ works nicely. AFAIK, OpenBSD and NetBSD don't allow one to
change HZ.
NetBSD, which I've not yet played with, seems to be a favorite
for R&D experiments. Several good packages originate(d) there.
> Sun is no longer supporting Solaris 8 for Intel.
Nor will they release 9 for it. Whether or not that's an issue
is a personal decision.
> > I don't like Solaris, I prefer AIX,
> > but I don't think those discussions should be discussed here.
>
> This is exactly the place to discuss alternate operating systems for
> Cobalt RaQs.
I had an off-list discussion with someone from Sun Cobalt who
said that developers vehemently objected to the thought of
diverging from GNU/Linux on x86. This surprised me, so I wanted
to see if there were others who thought the same way I did, or if
nobody else really gave a darn about anything beyond GNU/Linux on
x86.
Looks like I was wrong. Looks like "Sun developers" love
G/L+x86. They can have it... none for me, thanks.
>> If someone doesn't like Cobalt with Linux, why don't you buy
>> something else? If someone prefers BSD, go ahead and set up a
>> machine with BSD, maintain your system by hand, go and find
>> the latest security-updates etc. and install them from
>> scratch, fix the problems between all the programs on that
>> machine and so on, if you like to waste time on that.
[ Responding to Joerg Jan Muenter -- yes, I'm umlaut-challenged ]
I can and do, and enjoy it. I even generate my own packages;
it works great. I hope to have my entire distribution in-house
soon.
Much faster than Cobalt updates... especially when one considers
how Cobalt regenerates config files, overwriting custom changes
if one is not careful. I think that everyone on here knows the
fun involved with updating Cobalts.
> Most of us, including me, wouldn't consider that a waste of time, but
> rather time well spent.
Agreed.
>> Security is mainly a matter of the way you grant access to
>> your machine and the way you use your system or implement
[ Re to JJM, not Jeff, again ]
Including granting access due to security vulnerabilities. If
one waits for Cobalt packages, and avoids doing things by hand...
Make no mistake, OpenBSD isn't the OS to end all OSes. But look
at the work required to bring a RaQ to the same level of security
and reliability as OpenBSD. (And, no, OpenBSD is not my overall
favorite OS.)
But go ahead if you like to waste your time on that. 8^)
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
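The point Eddy makes above about packet filters (they cannot stop an exploit against a daemon you deliberately expose, but they let you cut the world off from that daemon while you patch) can be made concrete with a pf ruleset. The following is an added example, not anything posted in this thread; it uses current pf syntax rather than whatever OpenBSD 3.0 accepted, and the interface name, admin network and port list are assumptions.

```pf
# Added example (not from the original thread): a pf.conf sketch for the
# "flip a switch while you patch" idea. fxp0, 192.0.2.0/24 and the port
# list are constructed values; adjust them for the real host.
ext_if     = "fxp0"
admin_net  = "192.0.2.0/24"       # constructed: where administrators log in from
public_tcp = "{ 25, 80, 443 }"    # constructed: services exposed to the world

# Default deny inbound. A packet filter only decides who may reach a
# service; it does nothing about a buffer overrun inside that service.
block in log on $ext_if all
pass out on $ext_if keep state

# Administrative access stays up, but only from the admin network.
pass in on $ext_if proto tcp from $admin_net to any port 22 flags S/SA keep state

# Normal operation: expose the public services.
# During patching, comment out this single rule and reload with
#   pfctl -f /etc/pf.conf
# so no new connection reaches the vulnerable daemons while the fix is
# applied; the admin rule above keeps your own way in.
pass in on $ext_if proto tcp from any to any port $public_tcp flags S/SA keep state
```

Existing established connections survive a rule reload because their state entries are already in the table; to drop those as well, flush state with `pfctl -F state` after reloading. None of this helps against a malicious payload delivered over a port you must keep open, which is exactly the limitation the message describes.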