By running OpenBSD as a workstation you already made sure what 99% wouldn't connect with you /redditmode<p>This guide is partly Security 101, partly for a localhost admin. Things are different when you run an organization with a centrally managed catalogue. Or you are sane and have a clear picture of the attack vectors.<p>Least privilege? Yes, of course.<p>Drop inbound by default? Yes, <i>of course</i> and it's amazing how many self-titled Linux Administrators insist what the machine should be 'secure from start so no firewall is needed'. Also this guide implies a workspace which questions what exactly kind of malicious traffic a [single] OpenBSD machine in the network would receive.<p>Drop outbound by default? Yes and BTW it's pretty easy on Windows, because the <i>Windows Defender Firewall</i> (what a mouthful) is pretty capable to filter by an application, not just by IPs and ports, so you don't need this SOCKS ersatz app firewall.<p>> Live in a temporary file-system<p>Now this is just ridiculous. As other said this is Silk Road level of paranoia.<p>> Disable webcam and microphone<p>Don't connect them in the first place?<p>> Disabling USB ports<p>See the temporary file-system. Good luck finding a notebook with PS/2 <i>or serial</i> ports.<p>> auto-updating the packages and base system daily on a computer is the minimum that should be done everywhere<p>Oh god.<p>> 10.1. Specialized proxies §<p>> It could be possible to have different proxy users, with each restriction to the remote ports allowed, we could imagine proxies like<p>> Of course, this is even more tedious than the multipurpose proxy, but at least, it's harder for a program to guess what proxy to use, especially if you don't connect them all at once.<p>Now this is what bugs me most of this guide.<p>If you already allowed something to run on your machine then it is usually too late for security through obscurity exercises. Most of the things advised here would just make your life miserable and would lead to disabling or shortcutting them.