TLDR
- A sysadmin hardening guide arguing that FreeBSD's base system ships insecure defaults across OpenSSH, Sendmail, PF, and package tooling.
Key Takeaways
- FreeBSD patched HPN-SSH, tcp_wrappers, weak DSA host keys, and ciphers disabled upstream back into its OpenSSH, producing multiple CVEs unique to FreeBSD.
- Sendmail stayed in base by default for 27 years until FreeBSD 14.0, with security fixes sometimes imported silently and no advisory published.
- The bundled PF firewall has not synced with OpenBSD upstream since 2009; a subsequent invasive patch effectively forked it permanently.
- No firewall is enabled by default out of the box despite three being included.
- Both ports and pkg run extensive operations as root unnecessarily; the ports security team reportedly dismissed the concern.
Hacker News Comment Review
- The piece is a recurring submission; a prior 2022 thread on the same content drew 91 comments and is the most substantive discussion available.
Notable Comments
- @bell-cot: flags the 2022 thread with 91 comments as the live debate worth reading.