* irix <i...@ukr.net> [2009-03-09 15:55]:
> On www.openbsd.org it is written "Only two remote holes in the default
> install, in more than 10 years!", but this is not true. I am using OpenBSD
> as a customer, not as an administrator. And my OpenBSD was attacked
> by a simple MiTM attack on the ARP protocol. How then can we talk about
> "security by default"????
> For example, FreeBSD solved this very simply, with this patch:
> http://freecap.ru/if_ether.c.patch
> When this is introduced in OpenBSD, then can you say with confidence
> that the system really is "Secure by default"?
yeah, that is a great patch. it breaks ethernet.

it effectively makes arp static. great idea, great. move an IP to another
machine and observe it not working (until the long-ish timeout expires).
great eh.

how about letting the one who knows about IP-mac relations decide. using
arp(8).

or fix the network from the beginning and make proper use of port security
and vlans on the switches. yes, most ISPs don't do that. yes, most ISPs are
stupid. you can work around that to some degree by using static arp and
deal with the fallout, or get a decent ISP. they exist.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
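An added example, not from this thread or from either poster: a small Python monitor for the ARP situation discussed above. It parses constructed tcpdump-style ARP reply lines, treats entries pinned the way an administrator would with arp(8) -s as authoritative, and reports any reply that claims a different MAC for an IP that is already known, which is what a gratuitous spoofed reply looks like on the wire. All addresses, MACs and log lines are constructed samples.

```python
import re

# Constructed sample of tcpdump-style ARP reply lines (not a real capture).
# Line 4 claims the gateway's IP with a different MAC: the spoofing pattern.
SAMPLE_ARP_LINES = """\
12:00:01.000101 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000202 ARP, Reply 192.168.1.50 is-at 00:aa:bb:cc:dd:01, length 28
12:00:03.000303 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:04.000404 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000505 ARP, Reply 192.168.1.50 is-at 00:aa:bb:cc:dd:01, length 28
"""

# Entries pinned by the administrator, as with "arp -s <ip> <mac>" (constructed).
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, or None otherwise."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_arp_conflicts(lines, pinned=None):
    """Return (timestamp, ip, expected_mac, seen_mac) for every reply whose
    MAC differs from the pinned or first-learned MAC for that IP.
    Known entries are never overwritten, so repeated spoofed replies keep
    being reported instead of silently replacing the trusted mapping."""
    known = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    conflicts = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        expected = known.get(ip)
        if expected is None:
            known[ip] = mac          # first sighting: learn it
        elif expected != mac:
            conflicts.append((ts, ip, expected, mac))
    return conflicts


if __name__ == "__main__":
    for ts, ip, want, got in find_arp_conflicts(SAMPLE_ARP_LINES.splitlines(), PINNED):
        print(f"{ts} ARP conflict: {ip} expected {want}, reply says {got}")
```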