Date:      Mon, 16 Dec 1996 18:12:59 -0700 (MST)
From:      Softweyr LLC <softweyr@xmission.com>
To:        Studded@dal.net
Cc:        softweyr@xmission.xmission.com (Softweyr LLC), questions@freebsd.org
Subject:   Re: FreeBSD stability, vs. ???
Message-ID:  <199612170113.SAA29064@xmission.xmission.com>
In-Reply-To: <199612162056.MAA04427@smtp.connectnet.com> from "Studded" at Dec 16, 96 12:56:18 pm

> 
> PreScript:  Your answer on -stable vs. -current answered my question on
> the cron fix.
> 
> On Mon, 16 Dec 1996 10:05:20 -0700 (MST), Softweyr LLC wrote:
> 
> > FreeBSD is one of the most stable systems I've ever used, and
> >I used to crash and break UNIX systems for a living.  ;^)
> 
> 	Then perhaps I could pick your brain a bit? :)  I am hoping soon
> to be starting a business that will involve setting up IRC servers for
> commercial clients.  I am an IRC Operator on one of DALnet's servers, and
> we run FreeBSD 2.1.5R, and consistently outperform the other servers on
> the network.  I have done some research on the various *nix os's in
> reference to my business, and basically have narrowed it down to
> recommending to my clients either NetBSD, or FreeBSD.  I want to avoid
> Linux at all costs, unless I get some really hard info that it has
> advantages over the *BSD's.....so far I haven't seen that. :)
> 
> My concerns are:
> 
> 1.  Security.  This is huge.  Not only from the standpoint of security
> going into their systems (which will likely be handled with a firewall),
> but also regarding denial of service attacks, spoofing, etc.  I hate to
> say it, but at this point it seems that NetBSD has the lead in this area,
> and they seem to be aggressively pursuing it, whereas the FreeBSD people
> seem somewhat lackadaisical about the whole thing.  We have to run an
> anti-spoof system on our ircd because fbsd is trivially spoofable using
> a sequence number guessing strategy.  This is not a good thing.

The OpenBSD folks, mostly Theo de Raadt, have been pursuing security
issues, such as buffer overflows in servers and such, with great
ferocity recently.  The changes they are making are certainly valuable
as far as they go, but have very little effect on an operation that
is already run in a secure manner.  Let me elaborate:

Most of the security holes that have been bandied about on the *bsd
news groups this year have been exploits that happen only after your
security has already been compromised.  I.e., the recent user who
reported in freebsd-security that someone was using his shell access
server to run a packet filter and grab passwords.  Who cares if he's
grabbing passwords, he's *already gotten root access in order to do
this!*

If you run a reliable commercial ISP, you need to have your network
backbone protected from outside intruders.  "Outside" includes
everyone on the planet that doesn't work for you -- your customers,
the rest of the internet, etc.  You need to do this via routers and
firewalls that protect your critical systems from attack.  You need
to design a network that presents the least opportunity for hacking
at all points.  If you need to have a machine that is a boot server
for diskless workstations, make one, but keep it separate from the
mail server, the news server, the public login server, etc.  This
way, you can configure each machine to carry *only* the essential
services and limit your exposure:

 o Your diskless boot server must have bpf enabled to run rarpd, so
   turn off telnet/rlogin/ssh access; only allow logins on the
   console.  This makes it very difficult to hack your way into it and
   run a sniffer, spoof IP addresses, etc.

 o Your network itself needs to be protected.  You should not accept
   packets from outside your network with "interior" IP addresses, or
   vice-versa.

 o Use separate mail servers to process inbound and outbound email.
   For instance, users on your shell account machines should not be
   allowed to send mail from arbitrary domains; your mailer should
   always force their correct address into the mail.  Incoming
   mail should arrive onto a machine with no public login access,
   and be checked thoroughly before being forwarded.  Mail that
   looks suspicious should be bounced to the originator, postmaster,
   and postmaster at the originator's domain.

I personally think too many of the people wanting to secure their
systems are just looking for somebody on the FreeBSD team to tell
them "It's OK, security is in there."  This is never true; if your
system is attached to the net, it's vulnerable.  Take the time to
learn how to secure it rather than relying on a placebo.  If you
won't do this, just accept that you are going to get hacked sooner
or later.  ;^)

> 2.  Reliability.  Obviously for commercial applications uptime is a major
> concern, not to mention the amount of time I have to invest in customer
> support once the installation is complete.  I have no complaints from
> fbsd in this area, our system is solid as a rock. :)

Well, sandstone maybe.  ;^)

I've experienced system hangs under 2.1.5 and 2.1.6 at the hands of
iijppp, but most other users do not seem to experience this.  It may be
related to my el-cheapo Zoom modem; when I upgrade to 56K I'll do it
the smart way and use a real, live 16550 serial port with an external
modem.

Other than that, I've had no real problems with 2.1.x at any point.
I don't do any kernel hacking anymore, but I still use the machine
daily for light-duty software development, including emacs, gcc
native, and gcc cross-compilers for VxWorks on m68k and x86 systems.


> 3.  Compatibility.  If things go as anticipated, I will be installing
> these systems in various businesses that have existing tcp/ip setups
> and/or internet connectivity.  I need an os that can communicate
> reliably, with a minimum of hassle with other *nix's, OS/2 and Windows NT
> at a minimum, and Novell compatibility is a given.  

Connecting any UNIX and NetWare is a black art.  NetWare sucks.  I've
used the NetWare TCP/IP products to share files and printers between
NetWare servers and UNIX workstations, but the configuration is a
nightmare.  Once you've navigated your way through their labyrinth of
screens 47,386 times and have the product up and running, it seems to
be as reliable as any NetWare server (not very).

I've seen some here have problems between FreeBSD and Win95, usually
solved by turning off TCP/IP extensions on FreeBSD.  I've not
experienced this myself; check the archives.


> 	Are there any other major considerations, or other comments you'd
> like to make? :)  I realize that you are probably just as busy as I am,
> so please feel free to respond at your leisure, or not at all. :)  One
> question though, would this type of inquiry be proper for one (or more
> than one) of the fbsd lists?  I've been on several of them for a while, 
> and being an experienced internet person I don't want to violate
> netiquette, or piss anyone off. :)  I was thinking of maybe the chat,
> questions, and/or isp lists for a post much like this one, any comments?

I think both questions and isp would be appropriate, you'll get a wider
range of answers, and differing sets of knowledge and prejudices.  ;^)

I'll forward this response to -questions and let the gang start nit-
picking your questions and my answers.  ;^)


-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
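
The border check from the second bullet of the message above (no "interior" source addresses arriving from outside, and vice-versa), sketched as an added example that is not part of the original e-mail. The prefixes, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Assumed interior prefixes (documentation ranges, constructed for this example).
INTERIOR = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]


def is_interior(addr):
    """True if addr falls inside one of our own prefixes; ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERIOR)


def border_verdict(arrival_iface, src):
    """Anti-spoof decision for one packet at the border router.

    arrival_iface is 'outside' (uplink) or 'inside' (our own network).
    Returns (verdict, reason).
    """
    if arrival_iface not in ("outside", "inside"):
        raise ValueError("unknown interface: %r" % arrival_iface)
    try:
        interior = is_interior(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if arrival_iface == "outside" and interior:
        # Nobody outside can legitimately originate traffic from our prefixes.
        return ("drop", "interior source arriving from outside")
    if arrival_iface == "inside" and not interior:
        # The "vice-versa" case: our hosts must not emit foreign sources.
        return ("drop", "non-interior source leaving the network")
    return ("pass", "source matches arrival side")


# Constructed sample packets: (arrival interface, source, destination).
PACKETS = [
    ("outside", "203.0.113.7",  "192.0.2.10"),   # ordinary inbound
    ("outside", "192.0.2.10",   "192.0.2.25"),   # forged interior source
    ("inside",  "192.0.2.25",   "203.0.113.7"),  # ordinary outbound
    ("inside",  "203.0.113.99", "203.0.113.7"),  # forged source going out
    ("outside", "not-an-ip",    "192.0.2.10"),   # malformed record
]


def audit(packets):
    """Return the verdict string for each packet, in order."""
    return [border_verdict(iface, src)[0] for iface, src, _dst in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, audit(PACKETS)):
        print(pkt, "->", verdict)
```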


