Debian or OpenBSD?


BioHaze
02-26-2001, 05:13 PM
I am setting up my firewall and was wondering which one to use for protection: Debian or OpenBSD. What are the pros and cons of both? I want to learn some linux and know that BSD isn't a flavor of Linux, but will it allow me to still do a lot of the same things that a Linux flavor would do? I am using a Pentium 200 mmx with 32 megs of ram for my firewall box. Is this a good setup?

freebsd
02-26-2001, 05:37 PM
What makes OpenBSD a consideration for you?

>> I want to learn some linux

Just stick with Debian, you don't seem to be ready to challenge OpenBSD.

>> BSD isn't a flavor of Linux, but will it allow me to still do a lot of the same things that a Linux flavor would do?

Do what in particular?

>> I am using a Pentium 200 mmx with 32 megs of ram

This is not a setup. It's just part of your hardware specification.

BioHaze
02-26-2001, 05:51 PM
I have read that OpenBSD is very secure and stable for this type of thing. I have used RedHat, Suse and Mandrake in the past so for me not to be ready to try OpenBSD you are wrong. I don't need to be insulted, I was just asking for some advice.

manual_overide
02-26-2001, 06:57 PM
I'd say use OpenBSD. It is very easy to install and configure. Plus it hasn't had a remote security hole in over 3 years. I've tried installing Debian 3 times. I still can't figure it out.

freebsd, you seem hellbent on putting down people who want to try a *BSD flavor. You insult their UNIX skills and just seem to not want people to use BSD. If you for some reason think that only "1337" folks should use it for fear of diluting the BSD user pool, get over yourself. In this post you infer that Debian is a baby OS because it's Linux, while OpenBSD is some huge UNIX monster to be feared. I have found it to be the other way around. Almost. You question their use of BSD over anything else. BSD isn't more or less suited to do things than any other OS (even Windows!). Just be less critical of new users, and you'll seem to be less anal. :)

Ryeker
02-26-2001, 07:23 PM
Originally posted by BioHaze:
I have read that OpenBSD is very secure and stable for this type of thing. I have used RedHat, Suse and Mandrake in the past so for me not to be ready to try OpenBSD you are wrong. I don't need to be insulted, I was just asking for some advice.

I don't really agree with freebsd, but in all honesty, the question you asked did sound very 'newbie-ish'. It's like asking, Slackware or Debian? RedHat or Mandrake? To a lot of system admins, that's a pretty newbie question because there are so many debates and discussions about it. What I would recommend is that you try both. Or, list the pros and cons that you feel are the most important for you and see if other people agree. An example for Slack/Debian: Slack is way more secured out of the box than Debian (Slack's Pro), but Debian has apt-get (Debian's Pro). Which one is better depends on what you use it for, server or desktop? Understand what I'm saying? You want to set up a firewall, that's a given requirement/condition. Now, help some of us by telling us which pros/cons Debian and OpenBSD have to solve this condition. We will explain why we feel this pro is better than that con, and you make the final choice.

stiles
02-26-2001, 07:38 PM
Originally posted by manual_overide:
Plus it hasn't had a remote security hole in over 3 years.

First, I don't think this is true any more, more like 5 or 6 months now (it was three years before an exploit was found). Second, it's no remote security exploit in the default install, not all the packages in OpenBSD. If you don't have network daemons installed, yeah, you're going to have good luck at warding off remote exploits. That being said, OpenBSD is a good choice.

Originally posted by freebsd:
This is not a setup. It's just part of your hardware specification.

WTF?

setup - 2 a : the assembly and arrangement of the tools and apparatus required for the performance of an operation.

Well the operation is a firewall, and the assembly includes ram and a cpu. Got it?

S0larfluX
02-26-2001, 08:46 PM
BioHaze:

your box is fine for a firewall.

Definitely OpenBSD would be a better choice than Debian as far as firewalls go. Install the base system without X, turn off any unnecessary services, compile a new kernel with some additional tuning options, set up your ipf.rules and ipnat.rules and you have a firewall.

You could make Debian just as secure, but with a lot more effort. OpenBSD comes with OpenSSH (a major plus) while Debian does not. Whichever one you choose, be prepared to get frustrated often and learn a lot.

Just make sure you read up on this before you dive in head-first.

stiles
02-26-2001, 09:03 PM
Originally posted by S0larfluX:
You could make Debian just as secure, but with a lot more effort.

Why would it take more effort? Just do a base-only install and only apt-get what you need for firewall duty, and of course tools to compile a new kernel.

Originally posted by S0larfluX:
OpenBSD comes with OpenSSH (a major plus) while Debian does not.

Uuhhhhh looks like OpenSSH (http://packages.debian.org/stable/non-us/ssh.html) is in potato.

apt-get install ssh installs OpenSSH.

S0larfluX
02-26-2001, 10:22 PM
Technically, you are wrong, stiles. OpenBSD base install comes with OpenSSH while Debian base install does not. You still have to 'apt-get install ssh' to install the OpenSSH package, as well as all the other 'tools'. All you need to download is srcsys.tar.gz (needed to compile a kernel) for OpenBSD.

Compiling a kernel on any BSD is much simpler than in linux.

I don't hear too many people talking about their Debian firewalls, while OpenBSD is legendary in that aspect...

Hey, why doesn't someone do a firewall install and setup comparison between the two?

freebsd
02-27-2001, 12:22 AM
>> the question you asked did sound very 'newbie-ish'. It's like asking, Slackware or Debian?

Exactly.

>> I have used RedHat, Suse and Mandrake in the past so for me not to be ready to try OpenBSD you are wrong

manual_overide, if you read what I was referring to, ">> I want to learn some linux", that tells me he is even new to Linux, so OpenBSD, with less GUI and requiring RTFM more often, is not suitable for him at this moment. Of course, he can choose OpenBSD or whatever he wants, nobody can stop him. I told him not to try OpenBSD simply to make his life easier.

>> Well the operation is a firewall, and the assembly includes ram and a cpu. Got it?

You probably were the smart *** who didn't get it. Just saying cpu and amount of RAM doesn't tell much. On top of setting it up as a firewall, BioHaze failed to provide further info, (i.e. server or desktop, what service will he be running). Anyhow, BioHaze should have asked "I am using a Pentium 200 mmx with 32 megs of ram. Is this capable to run Debian/OpenBSD to act as a firewall?"
Just telling others my first name starts with letter A and last name starts with letter B doesn't tell anything.

debiandude
02-27-2001, 01:57 AM
What do you mean that OpenSSH isn't included in the default install of Debian? It certainly isn't true. I've done three installs of Potato on various machines and all of them had ssh and sshd running as soon as the install had finished.


Now, as you can probably tell, I am quite biased towards Debian; however, in this PARTICULAR situation I would choose the other. Here is why - stateful firewalling.


OpenBSD comes with IP Filter in its base install, which is a stateful firewall. Now I know there have been debates about whether packet-filtering is better than stateful firewalls but personally I would choose stateful.

{Edit -- it is only included if you select non-us as well as free in the apt configuration part}

[ 27 February 2001: Message edited by: debiandude ]

jemfinch
02-27-2001, 03:58 AM
Originally posted by debiandude:
Now I know there have been debates about whether packet filtering is better than stateful firewalls but personally I would choose stateful.


Stateful firewalls are also packet filters; they just do a better job of it.

I would never put anything but a BSD on a firewall (but my personal preference is freebsd, not openbsd)

Jeremy
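
Added example (not part of any post in this thread): a minimal Python model of the distinction debiandude and jemfinch discuss above, with a stateless rule set beside a stateful one that applies the same outbound policy. The packet fields, addresses and rule logic are constructed for illustration and are not IP Filter's actual implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags that are set, e.g. {"SYN", "ACK"}

def stateless_pass(p):
    """No memory: inbound is guessed to be a reply if ACK is set and the port is high."""
    if p.direction == "out":
        return True
    return "ACK" in p.flags and p.dport >= 1024

class StatefulFilter:
    """Same outbound policy, but inbound packets must match a tracked flow."""
    def __init__(self):
        self.states = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def passes(self, p):
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.states.add(key)            # outbound SYN opens a state entry
            return key in self.states
        key = (p.dst, p.dport, p.src, p.sport)  # reverse of the outbound tuple
        if key not in self.states:
            return False                        # no matching flow: drop
        if "RST" in p.flags:
            self.states.discard(key)            # simplified teardown
        return True

def pk(direction, src, sport, dst, dport, *flags):
    return Packet(direction, src, sport, dst, dport, frozenset(flags))

# Constructed sample traffic (RFC 1918 and documentation addresses).
TRAFFIC = [
    pk("out", "192.168.1.10", 40000, "203.0.113.5", 80, "SYN"),
    pk("in", "203.0.113.5", 80, "192.168.1.10", 40000, "SYN", "ACK"),  # real reply
    pk("in", "198.51.100.9", 80, "192.168.1.10", 40001, "ACK"),  # no prior flow
]

def compare(traffic):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_pass(p), fw.passes(p)) for p in traffic]
```

`compare(TRAFFIC)` returns the same verdict from both filters for the first two packets and differs only on the third, which the stateless rules accept and the state table rejects.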

stiles
02-27-2001, 04:16 AM
Originally posted by S0larfluX:
Technically, you are wrong, stiles. OpenBSD base install comes with OpenSSH while Debian base install does not. You still have to 'apt-get install ssh' to install the OpenSSH package, as well as all the other 'tools'. All you need to download is srcsys.tar.gz (needed to compile a kernel) for OpenBSD.


Unless you are doing an install via another terminal I don't see how it could matter one way or the other (which I don't believe that you can do in either OS, but I could be wrong). That being said, if you so choose, you can install any number of packages from the "expert" install, including but not limited to OpenSSH (no apt-get install ssh required, same goes for any other packages you determine are needed). I'm not saying that I'm technically wrong or right, all I'm saying is OpenSSH is in Potato, how you install it is up to the individual.

stiles
02-27-2001, 04:34 AM
Originally posted by freebsd:
You probably were the smart *** who didn't get it. Just saying cpu and amount of RAM doesn't tell much. On top of setting it up as a firewall, BioHaze failed to provide further info, (i.e. server or desktop, what service will he be running). Anyhow, BioHaze should have asked "I am using a Pentium 200 mmx with 32 megs of ram. Is this capable to run Debian/OpenBSD to act as a firewall?"
Just telling others my first name starts with letter A and last name starts with letter B doesn't tell anything.

That is so funny, all you did is reword exactly what BioHaze asked. You didn't add or change anything in how you think BioHaze should have asked his question. Of course the OSes were mentioned right off the bat by BioHaze, he gave some hardware specs, and asked if that was a good setup for being a firewall. If you want more info, don't be a jackass, just ask the man, it's not that hard. Even though you didn't add anything in your rewriting of BioHaze's original question, you managed to miracle the blanks in-between "A" and "B". Can we say myopic?

trauma
02-27-2001, 08:37 AM
i know you get tired of hearing this and want concrete stuff to hold-on BUT i'll say it anyway: any rightly configured linux box (yes, even RH) is tight enough because a large percentage of crackers are just script kiddiez that take their cue from securityfocus and other bugtraq postings.

debian would do if you're the average guy who's new to nixes.

OpenBSD if you're paranoid because it's secure COMPARED to all the other nixes because they audit their software relentlessly.

anyway, just read the postings or howtos in making a secure box and you're on your way.

the weakest point in a firewall is the sysad who's lazy and just sets the box up and leaves (or plays CounterStrike or Diablo after :D) . be current in all bugs and exploits. being a cracker yourself ain't a bad advice.

a pentium? mine's just a 486-66 and it rocks :)

[ 27 February 2001: Message edited by: trauma ]