On 05/01/2008, Nick Holland <[EMAIL PROTECTED]> wrote:
>
>
> <snip>
>
> Your PF rules would probably just block all incoming traffic and pass
> outgoing traffic.  Or if you want to make sure it is used only for your
> desired app, block everything outbound 'cept for that traffic destined to
> your desired locations (note: this is a lot of "fun" to maintain).


Yes I may consider only enabling the outbound locations, but probably will
just block unsolicited incoming traffic. I once asked a bank for the list of
urls they would use so I could whitelist them, but they said they couldn't
give that to me. Strange how they claim to be concerned about security..

> In order for your "general purpose" machine to impact your OpenBSD machine
> you would need to be running some app on the OpenBSD machine that is
> vulnerable to attack.  So, in general, just don't add anything to the
> machine you don't need, and in your case, "default install" is about
> right.


Thanks, this is what I thought.

> > 2: Space for the P3 is limited and I would like to remove its printer and
> > print bank statements across the LAN on the main PC (running Linux, or maybe
> > FreeBSD in future) using CUPS. Does this introduce security risks?
>
> Some.  Not much.  If you end up (accidentally) running a poorly written
> service on your OpenBSD machine, yes you could be attacked.  Even if you
> are initiating contact with a compromised machine, it *might* be able to
> send something back at you that could choke your app and cause Bad Things
> to happen.


Choking the app is not so bad. Stealing passwords is the concern. I presume
as password transmission is encrypted they can't be sniffed from somewhere
else on the LAN, so I guess it's down to whether CUPS (or some other
app inside the PC) could be hacked somehow? I suspect this is such a remote
possibility that I should stop worrying about it.

> The sad thing is you are being more careful with your system design than
> your bank probably is. :-/  By the time you are running OpenBSD on your
> banking computer, I suspect you have shifted the primary risk to the
> other end of the wire...your bank is a bigger risk to your data than you
> are.


Agreed


On 05/01/2008, Ted Unangst <[EMAIL PROTECTED]> wrote:
>
>
> you may or may not find this helpful.  you should consider how much
> money you have, how many other people have that much or more money,
> how many of those people only use a windows pc to do their banking,
> and how many would-be thieves capable of infecting all those windows
> machines would decide to spend the extra effort figuring out your
> installation in order to exploit it instead of settling for only all
> the money of all the windows users.
>
> i actually have a similar setup, but have no concerns about the
> windows machine attacking the openbsd machines.
>

Yes I understand I'm being more cautious than 99% of the population, but as
I'm retired there isn't a whole lot of money coming in to replace lost
savings. Internet savings accounts pay enough over accounts available on the
high street to make the effort worthwhile, and why should I take a risk if
it's avoidable with a little good organisation?

"you may or may not find this helpful" - I am grateful for your comments and
those from others, thanks.
