Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: hiredhand
OpenBSD is the answer to that,

OpenBSD is pretty secure, right out of the box, but it's NOT for everyone... In fact, somewhere around here, I still have my mad-cow t-shirt! Mark

153 posted on 03/02/2008 11:14:28 PM PST by MarkL


To: MarkL
OpenBSD has an excellent track record for security. I haven't kept up with it in the past 18 months or so, but as I remember they hadn't had a major release go out the door with a local root exploit in several years.

If not for their patching/updating system, we'd use it in our enterprise. I tried to justify it once, and I simply couldn't bring that sort of burden on a production team. I use it at home though, and have two firewalls running "pf". One is transparent (NO IP addresses at all!) and one does NAT/PAT. They both run like a charm. I never touch them except to log IDS data (snort) and pf logs.

We've been leaning away from Red Hat and towards Debian and Ubuntu at work. Debian based OSes are just so much easier to set up and maintain. Red Hat gives me a headache every time I try to do something that's outside the realm of RPM, and then if we customize a Red Hat server, later there's always the chance that patching is going to change some aspect of the customization that we performed prior.

We had an instance not long ago where this happened. The default BIND 9.x installation on Red Hat expects that you're running the DNS server chrooted. But we are NOT. There was a BIND patch on this particular round, and it put the DNS server back to a chrooted environment. The guy patching didn't test far enough to discover that although the DNS server was running, it was fairly "brainless", and certainly had no knowledge of the dozen or so zones that we host. He did this at 0400, and by 0900 everybody was in a full-blown panic, and he was unavailable by that time. I got to the bottom of it fairly fast once I was called, but still...this is the hazard of Red Hat and custom configs. :-)

...ah well. :-)
171 posted on 03/03/2008 5:49:29 AM PST by hiredhand (Check my "about" page. I'm the Prophet of Doom!)
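The failure described in post 171 (named still running after a patch, but no longer serving its zones) is what a post-patch smoke test catches. The script below is an added example, not part of the original thread; the server address and zone names in the usage comment are placeholders, and the sample `dig` replies are constructed.

```shell
#!/bin/sh
# Post-patch check: does the server still answer authoritatively for each
# zone it hosts? A running named that lost its zone config fails this test.

# Reads `dig +norecurse <zone> SOA` output on stdin. Succeeds only when the
# reply is NOERROR, has the aa (authoritative answer) flag, and ANSWER >= 1.
soa_reply_is_authoritative() {
    awk '
        /->>HEADER<<-/ && /status: NOERROR/ { status_ok = 1 }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # " qr aa; QUERY: 1, ANSWER: 1, ..."
            counts = flags
            sub(/;.*/, "", flags)          # keep only the flag words
            if ((" " flags " ") ~ / aa /) aa = 1
            if (match(counts, /ANSWER: [0-9]+/))
                answers = substr(counts, RSTART + 8, RLENGTH - 8) + 0
        }
        END { exit !(status_ok && aa && answers > 0) }
    '
}

# Usage (placeholders): check_zones 192.0.2.53 example.com example.net
# Returns non-zero if any zone is not served authoritatively.
check_zones() {
    server=$1; shift
    failed=0
    for zone in "$@"; do
        if dig +norecurse +time=2 +tries=1 "@$server" "$zone" SOA |
            soa_reply_is_authoritative; then
            echo "ok   $zone"
        else
            echo "FAIL $zone: no authoritative SOA from $server"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample replies (header lines only), for offline checking.
SAMPLE_AUTHORITATIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `check_zones` from the patch runbook right after named restarts, and treat a non-zero exit as a failed change.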



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson