Using OpenBSD directly without a router
Hi,

My router is an old Dlink DIR 600L. There is no firmware released by the company and it's simply pathetic in terms of WAN security. https://www.cvedetails.com/vulnerabi...ware-2.05.html

So I am connecting OpenBSD directly without a router. My ISP provides Internet using an Ethernet cable. Is there any risk?

Note: My router is in the unsupported list on DD-WRT's page so can't use that.

Last edited by bsd007; 10th October 2017 at 05:07 PM.

Any risk of what?
Getting hacked? Sure, if you misconfigure things. Hardware failure? Sure, if you have old hardware. Your house/apartment catching fire? Sure, if the wiring isn't up to code. Burnt toast? Probably not, you're not using NetBSD...

I think you have made changes from the default installation. But you aren't considering them to be changes.
A: Yes. For example, the install script will permit "unsafe" SSH provisioning to be used. This can simplify remote installation procedures. The astute admin will recognize this and revise the configuration after installation steps have been completed.
Q: Does installing a package add risk?
A: Yes. How much risk depends entirely on what packages are installed and how they are provisioned and used.
Q: Can I do something that adds risk without being aware of it?
A: Of course.
Q: How can I get better at recognizing risks?
A: Take a security class. Read books on computer security. Learn what your applications (and their dependencies) do, and how they do it.

But you do have applications installed which are powerful, complicated, and often difficult to operate securely. Such as Firefox, to pick one easy (and sometimes scary) example. Even an admin trying to be "as secure as possible" can easily make a mistake, unknowingly.

Firejail is a Linux-specific tool. There is no direct equivalent.
There are a number of risk mitigation technologies in OpenBSD. There is a short list of them articulated here. In addition, many applications are using the pledge(2) syscall restriction system. The Chrome browser, for example, is deployed with pledge() on OpenBSD.

You should take a look at this thread:
Learning to pledge() an application - a story

Code:
man pf

Code:
man pledge

https://www.openbsd.org/faq/pf/config.html
-----------------------------------------------
https://man.openbsd.org/pledge.2
__________________
My best friends are parrots

Last edited by PapaParrot; 10th October 2017 at 07:57 PM.

It's never too early to write your own sandbox tool and submit it to the project!

Your original question was about how to connect to the Internet.
This new question is about third-party software.
Many of us use these forums to search for information. Mixing issues in a thread can make it more difficult and time-consuming to find what we are looking for.

Last edited by gustaf; 10th October 2017 at 11:24 PM. Reason: formatting, typos

I use LEDE firmware which just released version 17.01.3

Last edited by shep; 18th October 2017 at 03:06 PM.

Information security and privacy is a very large field. You are only considering one small corner of that field.
These types of tools are designed to partially isolate the application's processes and resources from other processes on the same system. It is laudable, and useful. But that is a relatively small fraction of the possible security issues any computer user may face.

Okay, point taken. I will create a new thread if asking about something else.

@shep
At the moment I don't want to spend cash on a new router. I guess OpenBSD is secure enough to connect to the Internet. I say this coz I read many articles saying the same. I double checked, my router is not supported by DD-WRT.
@jggimi
It's just that I developed this habit of firejailing every internet facing app. I guess I can live without it. Thanks to both for replying.

I actually only had FreeBSD laptops at the time but they use the OpenBSD pf firewall and the same basic ruleset I use on my OpenBSD box right now. I ran a pfSense FreeBSD based firewall/router for several years so I felt quite at ease connected directly to the net and have great confidence in the pf firewall.

If you happen to have a spare system lying around, you can make your own OpenBSD router on the cheap. All you need is two Ethernet ports, an unmanaged switch, and this OpenBSD FAQ page: https://www.openbsd.org/faq/pf/example1.html (and you can ignore the WiFi parts if you don't want WiFi). I've even done it with a laptop with a dead screen and a USB->Ethernet dongle. And then you don't have to worry about bloaty impossible to not misconfigure desktop software.
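
A default-deny pf ruleset for the situation this thread is about, a single OpenBSD machine plugged straight into the ISP's Ethernet. This is an added example, not a ruleset posted by any participant; it assumes the ISP link carries the default route (so it is in pf's built-in `egress` interface group) and that the machine offers no services to the Internet.

```pf
# /etc/pf.conf: constructed example for a directly connected desktop.
# Assumptions: the ISP-facing interface holds the default route and is
# therefore a member of the "egress" group; nothing listens for the Internet.

set block-policy drop        # drop silently instead of answering with RST/ICMP
set skip on lo               # do not filter loopback traffic

# Normalise inbound packets before the filter rules see them.
match in all scrub (no-df random-id)

# Drop packets whose source address claims to be one of this host's own networks.
antispoof quick for egress

# Default deny in both directions, and log what is dropped.
# Read the log with: tcpdump -n -e -ttt -i pflog0
block log all

# Outbound traffic is allowed and tracked statefully. Replies match the
# state entry, so they need no "pass in" rule of their own.
pass out on egress

# If the ISP provides IPv6, neighbour discovery and router advertisements
# must be let in or the IPv6 link stops working.
pass in on egress inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routeradv }

# Optional: answer IPv4 ping from the outside.
# pass in on egress inet proto icmp icmp-type echoreq

# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Load the ruleset:              pfctl -f /etc/pf.conf
# Show the active rules:         pfctl -sr
```

Every service added later (sshd, a web server) needs its own explicit `pass in` rule, which keeps each exposure a deliberate decision rather than a default.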