Subject: Re: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/15/2004 16:50:25

Brett Lymn wrote:
>You forgot exporting file systems - it is more secure to export just a
>partition, no nasty traversing up the directories on the server fs if you
>export a subdir. Or maybe using cgd to secure your data.
>
>
Oh, oops, I did indeed forget :)
I still haven't tried cgd under NetBSD, and for exports I have -alldirs
anyway (just easier) and export every partition except /var, which makes
no sense to export. I don't need much security against myself :) I'm the
only nix-like user in the *area*, saying nothing of the local subnet
which is the only one allowed, so it really isn't a problem.
But I'll keep that in mind for when I do set up truly shared servers.

I find security the most fun part of any system setup, and this is where
the BSDs really shine. Just the feeling of research and refinement into
our security tactics leading to a final "here's my IP, good luck :)"
posted to a bunch of script kiddies and laughing as their Linux-oriented
attempts fail. Okay, I've never done quite that, but still knowing that
nobody's going to get lucky is good. You don't get this satisfaction
with performance tuning, the 'other' part people sometimes spend a lot
of time and effort on. "Yay - I boot 1 second faster and get a 3% higher
bonnie block read score! And it only took three years and five
reinstalls per week!" = stupid.