Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Use a secure firewall
Use a proven firewall such as OpenBSD which can both act as a firewall and provide NAT dhcp etc for the LAN.
Unlike Windows, OpenBSD has suffered "Only one remote hole in the default install, in more than 10 years!".
Oh and version 4.0 is due out tomorrow - see http://openbsd.org/40.html -
Re:I need to be "forgiven" to upgrade?
I can't believe that anyone puts up with this nowadays. We need to tell people to get themselves over to http://openbsd.org/ftp.html (or whichever you prefer) and download a real OS, where you can do exactly what you want. I spent the weekend at NYCBSDCon and it was really exciting to be around people who could just do what they wanted with their software when they had a good idea. I can't believe anyone puts up with this shit anymore-- especially since we know the next version coming around is going to be even more of a PITA than the one we already have. I'm dreading walking back into work tomorrow and having to go through the same old litany of shit like "why can't I open Microsoft Works documents with Microsoft Word?" You can't because your OS wasn't designed with anything in mind except taking your money.
-
Re:They're Still Missing the Point
-
OpenBSD Blob Song
-
No surprise here
The OpenBSD Project has been warning about the dangers of binary blobs - security and otherwise - for years now. Indeed, binary blobs were the theme of the OpenBSD 3.9 release (as mentioned in the kernel trap article).
Perhaps people will now start to wake up and realise that these kinds of drivers are unacceptably dangerous, both for immediate system security and for future hardware freedom. Slimy vendors like NVidia, Intel and Atheros have been trying to shove this crap down our throats for some time now.
Free software users need to unite and say NO to binary blobs! Let's kick this crud out of our operating systems! -
Re:SmoothWall
Here's the OpenBSD link. Search for pf_test_state_tcp - it's about 2/3 of the way down the page.
After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK, I'm showing my ignorance somewhat here, but I don't understand why there's a whole heap of stuff all over the place. Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip,srcport,dstport. Sorry, I'd have been able to find it if I had a Linux box to hand to grep on, but I don't at the moment.
One thing should be stated in comparison - Linux is a *LOT* faster at throwing packets through its firewall, mind you it's a direct result of it not really checking them much... -
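The distinction the comment above draws, between matching a packet's 4-tuple against a list of known connections and checking the packet against the connection's sequence-number window, as an added example. This is illustrative code written for this page, not pf's pf_test_state_tcp or netfilter's connection tracking; the window rule is simplified, and the addresses (RFC 5737 documentation range), initial sequence numbers and window sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The 4-tuple a plain stateful filter keys on. */
struct key { uint32_t src, dst; uint16_t sport, dport; };

/* Per-direction TCP tracking after the handshake (simplified; not pf's state layout). */
struct dir {
    uint32_t seq_next;  /* next sequence number this side is expected to send */
    uint32_t ack;       /* highest ack this side has sent */
    uint32_t win;       /* receive window this side last advertised */
};

struct state { struct key k; struct dir fwd, rev; };

struct pkt { struct key k; uint32_t seq, ack, len; uint16_t win; };

/* Wrap-safe sequence comparisons (modular arithmetic, as in RFC 1982). */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

static bool key_eq(const struct key *a, const struct key *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

static bool key_rev(const struct key *a, const struct key *b)
{
    return a->src == b->dst && a->dst == b->src &&
           a->sport == b->dport && a->dport == b->sport;
}

/* Tuple-only filter: a packet passes if its 4-tuple names a known connection, either direction. */
bool tuple_pass(const struct state *s, const struct pkt *p)
{
    return key_eq(&s->k, &p->k) || key_rev(&s->k, &p->k);
}

/* Window-checking filter: the tuple must match AND the segment must fit the peer's
 * receive window, and may only acknowledge data the peer has actually sent. */
bool window_pass(struct state *s, const struct pkt *p)
{
    struct dir *src, *dst;
    if (key_eq(&s->k, &p->k))       { src = &s->fwd; dst = &s->rev; }
    else if (key_rev(&s->k, &p->k)) { src = &s->rev; dst = &s->fwd; }
    else return false;

    /* Segment starts at or after what the peer has acked and ends inside its window. */
    if (!seq_geq(p->seq, dst->ack) || !seq_leq(p->seq + p->len, dst->ack + dst->win))
        return false;
    /* Cannot ack bytes the peer never sent; acks must not run backwards. */
    if (!seq_leq(p->ack, dst->seq_next) || !seq_geq(p->ack, src->ack))
        return false;

    if (seq_geq(p->seq + p->len, src->seq_next)) src->seq_next = p->seq + p->len;
    src->ack = p->ack;
    src->win = p->win;
    return true;
}

/* State as the filter would hold it once it has seen the three-way handshake. */
struct state state_after_handshake(struct key k, uint32_t client_isn, uint32_t server_isn,
                                   uint16_t client_win, uint16_t server_win)
{
    struct state s = { k,
        { client_isn + 1, server_isn + 1, client_win },
        { server_isn + 1, client_isn + 1, server_win } };
    return s;
}

struct verdicts { int tuple_passed, window_passed; };

/* Constructed traffic: 10.0.0.5:40000 <-> 198.51.100.10:80, two real segments, two spoofed. */
struct verdicts run_demo(void)
{
    struct key k = { 0x0a000005, 0xc633640a, 40000, 80 };
    struct key r = { 0xc633640a, 0x0a000005, 80, 40000 };
    struct state s = state_after_handshake(k, 1000, 5000, 65535, 8192);
    struct pkt pkts[] = {
        { k, 1001,   5001, 100, 65535 },  /* legitimate: 100 bytes of request from client   */
        { r, 5001,   1101, 200, 8192  },  /* legitimate: 200 bytes of reply from server     */
        { k, 900000, 5201, 10,  65535 },  /* spoofed: right tuple, seq far outside window    */
        { k, 1101,   7777, 0,   65535 },  /* spoofed: acks bytes the server never sent       */
    };
    struct verdicts v = { 0, 0 };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        if (tuple_pass(&s, &pkts[i]))  v.tuple_passed++;
        if (window_pass(&s, &pkts[i])) v.window_passed++;
    }
    return v;
}

int main(void)
{
    struct verdicts v = run_demo();
    printf("tuple-only filter passed %d of 4 segments, window check passed %d of 4\n",
           v.tuple_passed, v.window_passed);
    return 0;
}
```

The tuple-only filter admits all four segments because the two forged ones carry a valid connection's addresses and ports; the window check admits only the two that are consistent with what both endpoints have sent and acknowledged. The extra comparisons are also the cost the comment refers to.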
Re:Yes.
> have my home e-mail server configured to reject all HTML messages. You'd be surprised how much spam that cuts out...
If you use spamd in greylisting mode, you will be even more surprised :-) -
Re:Not ultimately a solution
So how does this compare to OpenBSD's spamd, which does tar-pitting (and things like setting the TCP window size to 1 so you can really slow things down), but is designed for very low resource usage? This presentation by the spamd guys last year should, I think, address some of your questions about the long-term effectiveness of greylisting. In summary; spammers adapt, but so does spamd.
-
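The greylisting the two comments above refer to, as an added example in illustrative C written for this page (not spamd's own code). It keys on the (client IP, envelope sender, envelope recipient) tuple: the first attempt is answered with a temporary failure, a retry after the pass time promotes the tuple to the whitelist, and a tuple that is never retried is forgotten. The timers are assumed from spamd's documented defaults (25 minutes, 4 hours, 36 days); the table size and the sample addresses are constructed. Tarpitting (the stuttered replies and tiny TCP window mentioned above) is not modelled here.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Timers (assumption: spamd's documented defaults). A sender must retry no earlier
 * than PASSTIME; a grey entry is dropped if no retry arrives within GREYEXP; a
 * whitelisted tuple lives WHITEEXP past its last use. */
#define PASSTIME  (25 * 60)
#define GREYEXP   (4 * 60 * 60)
#define WHITEEXP  (36 * 24 * 60 * 60)

enum verdict { TEMPFAIL, ACCEPT };   /* TEMPFAIL = answer the MTA with a 451 */

struct entry {
    char ip[46], from[128], to[128];
    time_t first;    /* when the tuple was first seen */
    time_t expire;   /* when the entry is forgotten */
    int white;       /* 1 once the sender has proven it retries like a real MTA */
    int used;
};

static struct entry table[64];   /* toy fixed-size table standing in for spamd's database */

void greylist_reset(void) { memset(table, 0, sizeof table); }

static struct entry *find_or_alloc(const char *ip, const char *from, const char *to,
                                   time_t now, int *fresh)
{
    struct entry *slot = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        struct entry *e = &table[i];
        if (e->used && e->expire <= now) e->used = 0;          /* lazy expiry */
        if (!e->used) { if (!slot) slot = e; continue; }
        if (!strcmp(e->ip, ip) && !strcmp(e->from, from) && !strcmp(e->to, to)) {
            *fresh = 0;
            return e;
        }
    }
    if (!slot) return NULL;
    memset(slot, 0, sizeof *slot);
    snprintf(slot->ip, sizeof slot->ip, "%s", ip);
    snprintf(slot->from, sizeof slot->from, "%s", from);
    snprintf(slot->to, sizeof slot->to, "%s", to);
    slot->used = 1;
    slot->first = now;
    slot->expire = now + GREYEXP;
    *fresh = 1;
    return slot;
}

/* Decide one delivery attempt. `now` is passed in so the logic can be exercised without a clock. */
enum verdict greylist(const char *ip, const char *from, const char *to, time_t now)
{
    int fresh;
    struct entry *e = find_or_alloc(ip, from, to, now, &fresh);
    if (!e) return TEMPFAIL;                   /* table full: fail safe, a real MTA will retry */
    if (fresh) return TEMPFAIL;                /* never seen before: 451, come back later */
    if (e->white) { e->expire = now + WHITEEXP; return ACCEPT; }
    if (now < e->first + PASSTIME) return TEMPFAIL;   /* retried too soon, stays grey */
    e->white = 1;                              /* retried after the pass time: whitelist it */
    e->expire = now + WHITEEXP;
    return ACCEPT;
}

int main(void)
{
    const char *ip = "198.51.100.25", *from = "friend@example.com", *to = "me@example.org";
    greylist_reset();
    printf("first attempt (t=0):      %s\n", greylist(ip, from, to, 0) == ACCEPT ? "accept" : "451 try later");
    printf("retry after 30 min:       %s\n", greylist(ip, from, to, 1800) == ACCEPT ? "accept" : "451 try later");
    return 0;
}
```

Most spam engines fire once and move on, so they never get past the first TEMPFAIL; a standards-conforming MTA queues the message and retries, which is exactly the behaviour being tested. The cost is a delay on first contact from any new sender, which is why spamd also keeps an explicit whitelist.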
$50 can be recovered more easily
For those that have a problem with this, is it the cost or the principle of the matter? If it cost $50 instead of $500, would that change your mind?
Soytainly. A price of $50 per year for small businesses, including sole proprietorships, would be much more palatable. That's less than the price of a Windows OS license for two developer workstations over the three- to five-year life span of a Windows major release. It would be much easier for low-volume hardware makers to recover such a reduced fee from their customers.
If you care deeply about principles, you know where to find them.
-
Re:Eh???
Who do you think has more money for lawyers--an alleged spam outfit or a volunteer organization trying to perform what is essentially a public service?
A "public service" that they charge for, and that makes them little different than other companies offering blocking lists. You can _no longer_ download their list of blocked IP adresses unless you pay:
Revision 1.19, Tue Jul 11 05:40:33 2006 UTC (3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0, HEAD
Changes since 1.18: +1 -10 lines
Diff to previous 1.18 (colored)
remove the spamhaus SBL entry
SpamHaus no longer publish their SBL in a free, downloadable form
suitable for use with spamd. They obviously care more about
subscription dollars than really fighting spam - very sad.
ok deraadt@ -
Re:That's nothing....
-
Re:Irony...
...that Theo criticizes OLPC & Red Hat & friends for agreeing to sign NDAs to write open source drivers. Theo, like many others, thinks that accepting an NDA is a sell-out.
I mean, isn't it ironic that the guy who is saying this is the leader of an open source OS with a license that allows people to write proprietary drivers not only without giving the specs, but without giving the source?
You really seem to be missing the point. One of OpenBSD's goals is that "We want to make available source code that anyone can use for ANY PURPOSE, with no restrictions. We strive to make our software robust and secure, and encourage companies to use whichever pieces they want to."
-
Re:Why "Amiga"?
For me, the Amiga philosophy was picked up more by MorphOS and Pegasos than this new so-called "Amiga".
Pegasos was supported on OpenBSD, but was dropped. Seems the Pegasos are made by a bunch of crooks.
-
Re:amiga is dead
-
Re:Intel open enough for me
So what Theo is doing is grandstanding to keep his name in front of people.
There are many things you can say about Theo de Raadt and/or accuse him of. "Grandstanding to keep his name in front of people" is just not one of them. Read his letter. When hardware doesn't work, we the hardware owners have already lost everything of value. Making a public request that Intel customers put public pressure on them is part of the dialog between producers and customers. OpenBSD is used on a lot of servers -- a fair number of those are firewalls. Do you have any idea how many of those machines are used as wireless servers to let users have secure wireless access *within* the trusted zone? A lot. OpenBSD + wifi + ipsec is a way better AP than anything you'll buy off the shelf at the local computer store. Also, how many OpenBSD users and developers out there do you think like to use their chosen OS on their laptops?
As for the defense that they could get fined by the FCC, that's not necessarily Intel's motivation. Until Intel states that's the reason, your post is idle speculation. As Theo noted in his letter, numerous other companies *do* give out the documentation necessary and allow redistribution of the firmware -- even some *gasp* wireless card manufacturers.
-
Re:It is about copyright
A far more sane security policy is to work with upstream to fix bugs then ensure you are always using the latest version of what's available. But this is not "the Debian way" so they won't ever do this,
OpenBSD does this, but there are still many patches. Many of them are related to the package system in various ways, but others should be fixed upstream, like this one, for instance.
-
Re:Submitting patches
There's been complaints for years and years at Mozilla over the dubious quality of some of the Debian patches, not to mention the very large amount of them
There are many patches because they are needed to make the very bloated application work in the first place. All the distros and *BSDs have many Firefox patches: OpenBSD patches
-
Re:it's not like he has a choice
you can see how well BSD did with that.
Yeah, no kidding... I mean, there definitely aren't any successful BSD variants available and widely deployed. And there certainly aren't any other successful non-GPL projects out there. Yup, the GPL is definitely *the* only way to go if you want to make a successful open source project... assuming, that is, you're a single-minded zealot (or troll?). -
Re:#2 for de Raadt?
-
Re:#2 for de Raadt?
The soon-to-be released OpenBSD 4.0 (November 1st) should ship with "OpenSSL 0.9.7j (+ patches)" http://www.openbsd.org/40.html.
I hope they'll update it before launch. -
Re:When did this stop being standard?
Who doesn't use bash?
Short answer: Everything that isn't Linux.
Long answer:
FreeBSD defaults to sh.
OpenBSD defaults to (pd)ksh.
NetBSD defaults to csh, although this can be changed to sh or ksh at install time.
Solaris defaults to sh.
AIX defaults to ksh.
HP-UX defaults to the OSF POSIX shell (whatever that is).
SCO Unixware and OpenServer default to the NewKorn (aka ksh-93) Shell.
Shall I continue? -
Notable FUDsters *on* slashdot.
"Yeah well many of us don't like BSD licensing, not because it's not free (it is), but because it doesn't guarantee that source code will be made available."*
http://www.openbsd.org/ftp.html
Nice to see the FUDsters out in force.
*And before you open your mouth, I can think of a couple ways one can keep changes out of your hands. Some even legal. -
Re:In what's probably a first
Don't tell anyone, but I downloaded all the songs Plaid-Tongued Devils and Ty Semaka did for OpenBSD!
-
Re:Installboot bug
They still recommend that you keep your entire / partition within the first 2Gb. http://www.openbsd.org/faq/faq14.html#LargeDrive
-
Re:nerdy enough?
You can get them from here
;) -
Re:VAX
OpenBSD is the new NetBSD?
Perhaps you meant the old NetBSD? With 17 supported platforms (as opposed to 60) it ain't king of portability.
-
Re:Another world
Thus far, the most startling difference has been that people here appear to try to sell open source software, rather than making it available for free.
Are you really that surprised?
https://www.redhat.com/apps/commerce/
https://shop.mysql.com/
http://www.novell.com/linux/
http://www.cafepress.com/officialgentoo/1227454
etc...
And if you prefer the free approach:
ftp://ftp.openbsd.org/ -
Re:New Song?
To commemorate 10 years of OpenBSD the project is also selling an Audio CD with all the release songs from 3.0 through 4.0. It also has some cool extras, including a bonus track and an 11cm silver-on-clear die-cut wireframe Puffy sticker, for $15. OpenBSD Audio CD
-
New Song?
Where's the new song?! (http://openbsd.org/lyrics.html) Usually it comes out before the new release, and I only have an OBSD 3.6 server which I never plan to have to upgrade, so an update to me means a new fun song!
-
Why doesn't he pull a Matt or Theo?
In the past, when notable members of the BSD community have encountered difficulties with the status quo, they have taken the initiative to go out on their own. This has proven to be a successful path twice over: first with Theo de Raadt forking OpenBSD from NetBSD, and then Matt Dillon forking DragonFly BSD from FreeBSD.
Will we ever see Charles back up his rantings with a similar fork? The community won't take him seriously until he does at least attempt to rectify the problems he sees by creating his own fork of NetBSD. -
No more free security software?
-
Re:Yeah, but...
I'm having excellent luck with OpenBSD's spamd blacklisting and greylisting. Haven't lost any important mail, but my SPAM has been cut by about 98%. It's truly amazing.
http://www.openbsd.org/spamd/ -
Re:Mergers and Acquisition
Why can't OpenBSD subsume NetBSD's prime feature: extreme portability?
OpenBSD is a lot more portable than most people think. That's not its primary focus, but definitely one of their stated goals:
Work towards a very machine independent source tree. Support as many different systems and hardware as feasible.
-
Re:Sir, please turn on your laptop...
God help you if you're running OpenBSD with encrypted filesystems and a sticker of an armed Puffy on the laptop's lid.
-
Re:OK, what do we use now?
It does, indeed, depend upon the application. However, for password hashing, I would recommend bcrypt. OpenBSD implements this in its passwording scheme, and, on the Linux front, there's Openwall GNU/*/Linux. Solar Designer also has what might be needed for application implementation here: http://www.openwall.com/crypt/
-
Re:My Story
> I help Linux by purchasing and promoting Microsoft products.[/sarcasm]
Even better: http://www.openbsd.org/orders.html -
Re:misleading headline
Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with Linux and Solaris, but mostly use Windows. I don't have any experience using BSD
...
I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation far superior.
Sit down to read the pf FAQ on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.
# cd /usr/ports/shells/bash && make install
# echo 'pf_enable="YES"' >> /etc/rc.conf
# echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf
Edit /etc/pf.conf using the home user scenario provided at the end of the 'pf FAQ'. Reboot and you're good to go.
You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There are also lots of additional tools available for pf that will help as well.
$ cd /usr/ports && make search name=pf | less
Google for all the rest.
A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt. -
Re:"theoretical"
You are displaying your ignorance (or are just trolling) - porting software exposes bugs. Most frequently these bugs are precisely things that work "by luck" on the platform on which the software originally ran because they depend on false assumptions. As the software is ported to another platform, the false assumptions are made visible. This applies doubly to something like OpenBSD, which goes out of its way to make bad assumptions visible, particularly those related to memory management.
-
Re:"theoretical"
It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.
OpenOffice is quite buggy, as porting it to OpenBSD shows that OpenOffice has many stupid bugs
-
Re:So, an Exploit For a Patch?
And you can get the patch for Ubuntu here.
-
Re:The Patch
and just to flame myself:
even better patches here:
http://www.openbsd.org/ :) -
Re:Agreed
Yes, because Linux == KHTML. That's all Linux is. And KDE doesn't run on any other platform but Linux. Those stupid Mac users, how can they hate Linux when the rendering engine of one of the browsers for their OS is Linux!
(Here's a small sampling of platforms that KDE either runs on or is being ported to.) -
Re:Can anyone confirm...
You really should give credit where credit is due.
FreeBSD got the driver they use from OpenBSD.
OpenBSD folks have been campaigning against blobs, and specifically have been hounding the wireless folks to open up specs and documentation for a while now.
The FreeBSD folks... not so much. -
Re:This seems a bit misleading...
If the exploit really works on any OS
Don't worry, it doesn't. -
Re:Atheros at the exploiter side?
The Atheros exploit shores up OpenBSD's stance on binary "blob" drivers perfectly. EVERY OS using these binary drivers is vulnerable. OpenBSD refused to include the blob, reverse engineered the drivers and wrote their own secure drivers.
End result? OpenBSD is secure while most other OSs out there are at the mercy of Atheros.
-
That's enough buffer flows for all human history!
"Can somebody please tell me, why are we still having this discussion?"
MOD PARENT UP!!!!
I've been hearing about buffer overflows almost all of my long life! Let's have the OpenBSD (secure by design) people write one routine for buffer handling for each language and make everyone use it. Save people from boredom and frustration. -
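As an added example of the kind of "one routine for buffer handling" the comment above asks for: OpenBSD's answer in C was strlcpy(3)/strlcat(3), which always NUL-terminate and return the length they tried to produce so the caller can detect truncation. The code below is written for this page, not copied from OpenBSD's libc; it reimplements those semantics (so it builds on a libc without them) and shows a caller using the return value, with the constructed make_login() as the consumer. Everything beyond the two library semantics is an assumption for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy(3) semantics: copy at most dstsize-1 bytes, always NUL-terminate when
 * dstsize > 0, and return strlen(src) so that `ret >= dstsize` means "truncated". */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat(3) semantics: append within dstsize, return the length it tried to create. */
size_t bounded_cat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0;
    while (dlen < dstsize && dst[dlen] != '\0') dlen++;
    if (dlen == dstsize)                      /* dst was not terminated: append nothing */
        return dstsize + strlen(src);
    return dlen + bounded_copy(dst + dlen, src, dstsize - dlen);
}

/* The unsafe pattern this replaces is
 *     strcpy(out, user); strcat(out, "@"); strcat(out, host);
 * which writes past `out` as soon as the inputs are longer than the buffer.
 * Bounded calls alone are not enough: a silently truncated "alice@example.o"
 * is a different identity, so the caller checks every return value and
 * refuses to hand back a partial result. Returns 0 on success, -1 if it would not fit. */
int make_login(char *out, size_t outsize, const char *user, const char *host)
{
    if (bounded_copy(out, user, outsize) >= outsize) return -1;
    if (bounded_cat(out, "@", outsize) >= outsize)   return -1;
    if (bounded_cat(out, host, outsize) >= outsize)  return -1;
    return 0;
}

int main(void)
{
    char small[16], big[64];
    printf("16-byte buffer: %s\n",
           make_login(small, sizeof small, "alice", "example.org") ? "too long, rejected" : small);
    printf("64-byte buffer: %s\n",
           make_login(big, sizeof big, "alice", "example.org") ? "too long, rejected" : big);
    return 0;
}
```

The important part is the check on the return value, not the copy itself: the routine makes overflow impossible, but only the caller can decide that truncation is also an error. That is why a single library routine does not, by itself, end the discussion the comment is tired of.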
Re:blob?