Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Stop it!
We don't need any more forks of our favorite BSD projects. They're complete and perfect on their own, thank you! One of the classic benefits of BSD was that there were very few systems to choose from. The uniformity of the systems and cooperation within the projects was legendary (with some exception). All of these spinoffs of FreeBSD are making me nervous. I don't want it to go all linux on me.
:-/ I have a hard enough time as it is distro hopping. When will the madness end? -
Re:I use a Linux server...
Mandrake 9? I wouldn't expect that to be online very long before getting owned by a script. Have you looked at your logs lately?
Here's a quarter, kid; get a real operating system. Personally my favorite is OpenBSD, with Debian GNU/Linux at a distant second.
However... Anything that uses RPM, I cannot approve of. -
Re:OpenBSD's CARP
I'd recommend an OpenBSD solution, more for the elegance of pf's route-to command for load balancing incoming and outgoing connections. CARP is good for multiple machines acting as a single gateway, but not for one machine with multiple links. Route-to is what I use for simple multi-provider load balancing installations, where one provider offers a small netblock (typically a /27 or /28), and the other providers are just ADSL/Cable with a single static IP address. BSD also offers OpenOSPF, so you can quickly failover if a link goes down.
You can achieve similar results with Linux and multiple route tables, but your failover will not be as instantaneous as you might hope. The patches will help, but multiply weighted routes, NAT, and IPtables makes troubleshooting and maintenance a nightmare.
If your company really, truly, wanted a reliable internet connection, they would invest in the time and effort to obtain a /24 netblock and an AS number. Then you would have to find two or more providers willing to provide full BGP feeds, but it isn't all that difficult (well, maybe in backwards ARIN countries :-). They should also consider putting their important internet facing servers (web, mail relay) in a dedicated hosting centre, probably much cheaper than keeping the boxes physically on your premises.
the AC -
OpenBSD's CARP
Sounds to me like you want to use OpenBSD's carp. Nice, open-source, easy to configure firewall fail-over solution.
-
Linux firewall?!?!?
You can't be serious.
Try using a secure operating system, then we'll talk. -
Re:right to privacy
Isn't the quote, "They that can give up liberty to obtain a little temporary safety, deserve neither liberty nor safety." My source is the OpenBSD 3.0 Release Song... but hey, it's still a good point. Another good point the song brings up is, "During these hostile and trying times and whatnot, OpenBSD may be your family's only line of defense."
-
Defeat "darkmail" through "greytrapping"
The latest version of pf, spamd, and spamdb offered with OpenBSD 3.7 work well to address the problem of high-volume dictionary attacks, through a combination of bandwidth shaping, tarpitting, greylisting, and spamtrap addresses.
Basically, you configure spamdb to greylist unknown senders, and provide it with a huge list of "spamtrap" addresses, which are invalid email addresses not actually used in your domain.
GREYTRAPPING
Any source which tries to email to a spamtrap address is temporarily blacklisted, just like how SpamCop's SCBL reacts to a message to a spamtrap. Recent enhancements to 'pf' provide for rate-limiting connections based on the source IP, in addition to the regular bandwidth shaping features. With minimal effort you can configure an OpenBSD mail gateway or router to ensure that you waste as much of the spammers' time as possible, while expending the least amount of your own effort and bandwidth.
-
Re:They took care of that
and how many OSes can you easily install on that Apple box?
Here's a few you might have heard of:
- Mac OS X (duh)
- FreeBSD
- NetBSD
- OpenBSD
- Yellow Dog
- Fedora (RHL)
- Debian
- Gentoo
- MS Windows
-
Re:Damn Microsoft!
I shall respond to your points using the order in your post, as follows:
If your first comment is intended as humour, it fails to amuse. Having experienced the joy of a freshly infected Windows XP box firsthand, I find it hard to acquiesce to your terse dismissal, especially given that my statement is essentially irrefutable. Connect a "stock" Windows XP box to the Internet (and we can argue about the semantics of "stock" as much as you desire, but I am, for these purposes - given that it forms the majority of machines that we are considering - specifically Windows XP 5.1 sans SP1 and SP2), and it will get infected with a speed that is quite disarming. I must say when I first witnessed it myself, I was more than a little surprised. Could Windows really be this shit, I thought? The swiftly-delivered answer was, as the savvy will realise, "Yes, of course it can."
Of course, you will retort - validly - with the point that if a firewall is enabled before connecting, no such problem will arise, but given that most users* haven't got a fucking clue what a firewall is (and more to the point, why should they have such a clue?), how do you expect them to enable this feature? In any event, I have a particularly low opinion of user mode firewalls in any event, but I will detail that below.
(* i.e. the ones that become spam zombies because they don't secure their machines, because they don't know how, because it's not easy or because it's a hassle...)
Your point about active virus checkers is valid and hence mine about the cost to system resources is partially retracted. However, the financial and temporal costs of purchasing, installing and configuring a virus checker remain, and it is important not to forget that definitions subscriptions are kept up-to-date.
I would disagree with the suggestion that enabling a firewall is commonsense procedure on anyrequire the use of a firewall. Out of the box, there are no services enabled on Mac OS X; Linux obviously varies from distribution to distribution, but the same pattern is followed. Perhaps we might credit the nice people over at OpenBSD for their efforts.
The issues with firewalls should, of course, be obvious, but if we allow in this case that "stock" means Windows XP SP2 or more recent, the main problem is one of complacency developed by users. Firewalls restrict legitimate traffic, and as such, inevitably encourage the user simply to allow all traffic, either through prompting or by disabling the firewall itself. Far better, surely, to build a bucket without holes than to ask the user to do a job of patching it up.
You say that you do not consider anti-spyware software necessary. In fact, of course, you will either have to install Mozilla Firefox or a spyware checker, although given the software which prevails on the web today, it would be prudent to install both. It is worth noting that the default browsers that both Linux and Mac OS X include are not subject to the same "feature enhancements" that is Internet Explorer.
As to patches, I will say only that Windows XP has had far more and that they are in some cases of a ridiculous size (consider SP2, for example).
Moving on...
Actually I could quite happily use XP. There's little functional difference between the two and, if anything, 2003 requires _more_ tweaking than XP to get it into a usable state for a desktop machine.
As to this, you are going to have to make up your mind. You made it clear in your previous post that you would run Windows 2003 over Windows XP, but you now seem keen to suggest the latter. You will forgive my confusion, but I consider the point important and feel you should clarify.
Your point about non-admin accounts betrays a disturbing lack of knowledge about actual Windows usage. If you have ever tried to actually use non-Microsoft software on a non-admin account, you will perhaps understand -
Re:important
OpenBSD runs on very few platforms and even then only in single-processor mode.
It runs in SMP mode on the i386 and amd64 platforms.
OpenBSD is updated every three or four months
A new release of OpenBSD is made available every six months - no more, no less. Each release is supported for 1 year. Although 3.4 and 3.5 still seem to be receiving patch support in some cases.
One factor that mars OpenBSD's fair weather is its primary developer, Theo de Raadt. This individual is known to be highly unstable and even destructive at times
....... snip, snip, snip, snip, snip ....... Though excellent for network equipment, developers may wish to remain wary of this platform and its creator.
I hear this a lot but I don't understand this argument. If by "developers may wish to remain wary of this platform and its creator" you mean developers who want to contribute to the OpenBSD project itself then sure, you will deal with Theo. If by developers you mean, people who are going to use OpenBSD as a development platform, then who cares whether Theo has an attitude problem? You're just using the fruit of their (OpenBSD developers) labour. What you do with the source is your business and you don't have to get approval from them or something. I'm not a fan of the uber geek attitude like Theo's but his behaviour has opened more doors for Open Source when it comes to hardware manufacturers releasing documentation. The other BSD projects, and some Linux developers, for that matter seem to be fine using binary drivers and firmware. At least someone is taking a stand where this is concerned.
-
Re:Double standard
Evidently they do or there wouldn't be much of a market for higher performance gaming routers with 200mhz processors and 32MB of ram
...
Different routers for different needs. What does this have to do with needing a white box PC to make a router?
Embedded hardware has come a long way - more power with less consumption. Why not take a commodity operating system like Linux and turn it into a routing platform if you have the horsepower to do it? It's easier than making special embedded hardware to run on something less powerful.
You're deluding yourself, pushing the amount of packets you can over a decent broadband connection performing address translation, and any kind of moderately sophisticated firewalling or queueing is pretty intensive, the load can be minimized by using ASICs (and in the future linksys being now a subsidiary of CISCO we may see this) but we're talking a commodity embedded processor, and not very fast ones at that (the gaming routers are of course better but still no match for a full blown microprocessor)
No, you're deluding yourself. I've done NAT on a 386 on my DSL line. What are you smoking? NAT is a very simple process. Do you actually know anything about this stuff or do you just repeat some garbage you heard somewhere else? Firewalling is deadly simple. It doesn't take horsepower to not respond to packets. Queuing is really simple too. We aren't talking about doing anything special or complicated here.
it's not an *embedded* microprocessor though, with lower clock speeds, less cache, granted they are optimized for lower power consumption and heat there is no such thing as a free lunch.
Jesus christ man, we're talking about rewriting packets! Why do you need buttloads of cache? You're not going to be requesting the same data over and over again.
Please, take a computer architecture class before spouting off this nonsense.
You can install a harddrive ? or do you like burning out flash drives/cards quickly ? I specifically mentioned caching ... lots of writes. And TFA is about FreeBSD, linux in my experience has subpar firewalling and queuing features see: http://www.openbsd.org/faq/pf/index.html
Non sequitur. If you want harddrives, you're not building a router.
I've used both and I have preferred iptables.
We have 5 very heavy computer users sharing a standard cable link, not once has anyone complained about slowness, even with 3 of them playing MMORPGs and two of those same idiots also using various P2P apps.
Good for you. I'm doing the same thing with my WRT54G that doesn't suck down unneeded power and is friendlier to the environment. I also don't have to worry about the harddrive crashing since it doesn't have one. -
Re:Double standard
>lol what? a simple home router doesn't need that horsepower or memory.
Evidently they do or there wouldn't be much of a market for higher performance gaming routers with 200mhz processors and 32MB of ram ....
>we're talking about very meager amounts of data, very little CPU usage, and very little buffering.
You're deluding yourself, pushing the amount of packets you can over a decent broadband connection performing address translation, and any kind of moderately sophisticated firewalling or queueing is pretty intensive, the load can be minimized by using ASICs (and in the future linksys being now a subsidiary of CISCO we may see this) but we're talking a commodity embedded processor, and not very fast ones at that (the gaming routers are of course better but still no match for a full blown microprocessor)
>what do you think your $100 pentium II machine is? its mass produced too.
Sure it's mass produced that was a poor selection of words on my part, it's not an *embedded* microprocessor though, with lower clock speeds, less cache, granted they are optimized for lower power consumption and heat there is no such thing as a free lunch.
>considering that linksys routers run Linux, there isn't anything you can't do with one of those that you could do with your stupid electricity hog, in terms of routing.
You can install a harddrive ? or do you like burning out flash drives/cards quickly ? I specifically mentioned caching ... lots of writes. And TFA is about FreeBSD, linux in my experience has subpar firewalling and queuing features see: http://www.openbsd.org/faq/pf/index.html
I use what was at some point a HP Pavilion with a second generation celeron, running @ 500mhz with 256mb of ram saved from the trash (free) and a couple of intel 10/100 nics.($0.99 on ebay, shipping was $8) It has a 100 watt power supply, the chip has no fan on the heat sink the tiny power supply fan keeps it very cool, it has a harddrive a 4500rpm plain old ide harddrive. I would be willing to wager that it draws only slightly more power than one of those linksys gaming routers, and is at least twice as fast to boot. We have 5 very heavy computer users sharing a standard cable link, not once has anyone complained about slowness, even with 3 of them playing MMORPGs and two of those same idiots also using various P2P apps. -
Re:I need some info
Here you go:
http://www.openbsd.org/faq/pf/queueing.html -
Re:If its SSH you vant
Yes I'll be here all week, even on Gatilsday. You see I've found my one true purpose in life, and you can view it here
-
Re:If its SSH you vant
Will you be here all week?
:) If so, you might enjoy this link. -
Re:If its SSH you vant
And if it's another link you want to click on, may I suggest you do it here.
-
Re:If its SSH you vant
And if it's portable OS you want, May I suggest you get it here?
-
If its SSH you vant
May I suggest you get it from the source?
-
Re:Better question:
* OpenBSD is focused 100% on security. They very tightly audit their code and control what goes in the distribution. In theory it shares code with FreeBSD, but in practice it lags behind (ie: last I knew it doesn't even have multiprocessor support because of security complications).
* NetBSD is designed with portability in mind. It runs on 17 different CPU families and over 60 different machine architectures. I've a feeling that the embedded systems folks love this OS. Because of the multiplatform focus it does lag somewhat in single-platform features.
* FreeBSD is the "mainstream" BSD distribution. It supports a range of modern x86-32 and x86-64 hardware with multiprocessor support (and has ports to some other supported CPUs where things like multiprocessor may not work), and enjoys features like a Linux compatibility layer (so you can run Linux x86 binaries, including 3D accelerated games like Unreal Tournament 2004). For its users, the FreeBSD Ports Tree is the greatest software repository and distribution method in the known universe (eg: "cd /usr/ports/somesoftware; make; make install; make clean" to download source code, apply any BSD-specific patches, compile and install the binaries). FreeBSD is also used by some large companies for webhosting due to its mixture of security and performance. For example, Yahoo has always been hosted on FreeBSD, and they're only the #1 and #4 most visited website on the internet (source).
* OSX is Apple's custom version of FreeBSD that only runs on Macs. The focus here is a friendly, huggable user interface slapped over the Unixy FreeBSD core. The concept is a bit like Microsoft Bob but without making you want to kill yourself quite so badly, the implementation is not terrible. I would say more, but I'm tired of people saying how "great" OSX is then pointing to the shiny UI. A shiny UI does not a great OS make, although it certainly is no worse or better than Windows XP when it comes to running applications (provided applications are available for it).
If you're not sure which one to try, install FreeBSD with the Gnome desktop. It has the potential to be an interesting afternoon's learning experience and there is a lot of documentation to guide you if something goes wrong. Get FreeBSD from the official site or via BitTorrent (and always check the MD5's from the official site after downloading).
I really like FreeBSD - however, I'm now officially tired of messing with my computer for the sake of messing with my computer. Linux and FreeBSD have both worn out their welcome in favor of Windows XP with its autoupdate feature. Hey, Windows XP runs Firefox AND all my games. -
Re:Why not OpenBsd ?
Just for the record--though not entirely to the point, perhaps--one correction: OpenBSD supports SMP on i386 and amd64. Granted, it's only done so since 3.6. Supposedly work is ongoing to support SMP on SPARC and (I believe) PPC.
-
Re:What about man-pages?
Parent is a Linux troll.
BSD is renowned for having better documentation than Linux. Unlike on Linux where the man pages are a half-arsed effort, an after-thought, brief, confusing and full of errors, on BSD they're done properly, with skill and expertise.
They leave nothing to chance, they explain everything simply and easily, with plenty of intuitive examples and useful explanations. Yes, with BSD, you know exactly where you are and what to do.
Some of the Linux developers might think that documentation is for losers (or lusers as they like to call the people who use their software), but on BSD they realise that people might not necessarily know everything about their system, every command, every option or every file, so they treat the user with respect, explaining things which need explaining. This means that BSD is easier to use and configure, a great user experience.
So the next time you're frustrated trying to fix Linux, and the IRC channels tell you to RTFM, the newsgroups call you a Microsoft shill, and you wonder why TFM is so poor, or why no-one cares, remember that just around the corner is an operating system where the user comes first. BSD.
Here are some useful links:
http://freebsd.org/
http://openbsd.org/
http://netbsd.org/ -
OpenBSD
OpenBSD is another Free Open Sourced BSD OS, one of its biggest points is its security, it has only had 1 remote exploit in 8 years. It's very fast to install, very easy to use, super secure, perfect for a router box or a server.
-
How about giving it to these guys....
They write some pretty decent software: OpenBSD, OpenSSH, OpenBGPD, OpenNTPD, OpenCVS. And they need your hardware as well: "AMD64 and i386 hardware, especially with multiple processors"
If I were you then I would contact Theo to see how you can get the box to a developer. By the way, no matter who you end up donating it to, it's an awesome gesture on your part. Good on ya.
-
Re:Just what Linux Needs
-
Re:Nice, but where is their market?
is OpenBSD able to run Linux binaries?
-
Re:Comparisons?
What are the pros and cons between XFree86 and X.Org?
XFree86 changed their license last year, and this is the reason several *BSD and Linux distributions changed to X.Org. Xorg is based upon the latest unencumbered Free (just before XFree86 4.4), and developed from there.
Most users won't see much difference, yet, but XFree86 alienated many (most?) of their developers.
OpenBSD care more about free licenses than most, and they were less than pleased with the XFree86 license change; enough to include it in their release song
-
Sun generous to obscure CMS projects ? Huh?
Why is Sun coughing up four-figure servers to Drupal, a CMS with less installed user base than Slashcode, when there's a lot of Sun hardware listed as donation requests on OpenBSD donation request page??
Just curious. -
Re:Neck and neck? Pffft.
OpenBSD may be the most secure of them all (Linux, BSDs, Windows).
As the website advertises: Only one remote hole in the default install, in more than 8 years! -
Offtopic: Keyboard in Theo's rack.
Look at the keyboard in Theo's rack.
Anyone know where I can find a keyboard like that? Been looking for one just like it for months now. -
Thermostat-Initiated Shutdowns?
Given the amount of equipment in Theo's server room and given the importance of this equipment to the project, why not construct a thermal shutdown device? How about a machine with a number of temperature probes around various points in the room, and when they all agree that the temperature is hot, they initiate shutdown+power-off procedures on the machines in the room? Now, I realize that some of the machines in the rack are older and may not have self-power-off abilities but it seems likely that enough of them could power down to make a difference. -
Warning: OpenSSH uses zlib
It's unclear how exploitable this bug is with OpenSSH. Just to be sure, apply the patch, recompile zlib, then relink and reinstall ssh.
If you don't want to go to the trouble of doing that right now, a quick fix would be to disable compression in the sshd_config file ("Compression no") and restart sshd. In fact, zlib has had a string of several security bugs recently, so it may be best to just do this anyway. -
BSD Status
-
roffle
Linux security books?
That's like asking for Ethiopian cookbooks, man.
OpenBSD, daddy-o. -
Theo
Theo may be a belligerent asshole, no question. But he is a belligerent asshole working for my side.
I run OpenBSD stable, and some belligerent asshole stays up all night worrying about the best possible response to the latest threats. Sure, I will buy a CD http://openbsd.org/items.html#37.
And Theo, thank you for being a belligerent asshole for the good guys.
-
Re:Military applications?
That specific comment was made in regards to the removal of IPF. But this interpretation of the concept of freedom is strongly held by the whole OpenBSD development team; just have a look at the Lyrics page, which outlines some of the big issues behind OpenBSD releases:
- 3.3 - Sun refuses to release full documentation for the UltraSparc III processor.
- 3.4 - OpenBSD loses funding after no-strings-attached grant turns out to have strings attached limiting freedom of speech
- 3.5 - Cisco attempts to assert patent rights on IETF standards (VRRP)
- 3.6 - "Free" software projects becoming less free
- 3.7 - Open wireless drivers and free firmware (OpenBSD is now the only free BSD. Ironic, no?)
-
DRIVERS
As a poster has already noted, "it's the drivers, stupid."
Micro$oft has a monopoly because they get chipset docs years in advance of Linux, the BSDs and others (/if/ the others /ever/ get docs.)
http://www.openbsd.org/lyrics.html#37
Just read about the OpenBSD people's problems.
Other OSes could come and wipe out the duopoly of Windows and Linux, but not until hardware manufacturers document their fucking hardware.
Any idea of how difficult it is to write an OS? Compound that by a million times when you can't make it run on any hardware. Ooops, an OS /must/ run on /something/...
When the evil hardware makers wake up and document their stuff, other OSes will become viable alternatives. -
Re:i was hacked yesterday
"If you don't have tripwire to verify nothing was trojaned, you should probably wipe your hard drive and reinstall."
Wiping your hard drive is very Windows.
Maybe so, but in this situation it's also very right. If you have no way to verify any executables, you can't trust them.
BTW, it's easier to start with something that's already locked down. ;) -
Re:It's really disappointing
Well, since only morons would ever use goto, please submit your goto-less version of the TCP input routine in the BSD IP stack.
Not so easy, eh?
-
Re:What is your setup?.
hehe way to broadcast your ignorance
http://plan9.bell-labs.com/plan9/
No listing at nVidia.
OS developers have worked out graphics cards in single head mode, no nForce support.
http://www.openbsd.org/
Not listed at nVidia.
Supported hardware section reports : nForce/nForce2/nForce2-400/nForce3/nForce3-250/nForce4* (SATA controllers are not supported)
Graphics support via X.org drivers
before you say "well there you go, you can use your specialised OSs" remember that my point was that it is all well and good for nVidia having a team of in house devs writing drivers for their hardware if one runs Windows or Linux. The rest of us have to reverse eng. and cobble stuff together which would be solved by releasing a few docs.
-
In my view, AMD are two-faced, but...
they are on the right track and I support them in this fight against Intel. But it's only the first step in a fight against abusive business practices and monopolies.
For example, I fail to see how AMD is genuine about fair and open competition when it does nothing about Microsoft's monopoly. The anti-trust case against Microsoft was a joke. Not a single mention of how Microsoft has exclusive access to hardware documentation.
As the OpenBSD project notes in its page for the release of OpenBSD 3.7 (song lyrics section), Microsoft receives documentation on chipsets and such years in advance. Not only that, but Microsoft will often be the only recipient of documentation.
Microsoft has a monopoly on "consumer" desktop operating systems because an OS that can't drive the latest gadgets and other hardware gets no support in the mainstream market. OS/2 was far superior to Microsoft DOS, but it died because of the dearth of device drivers.
While AMD is at it with the Intel anti-trust lawsuit, let's see AMD support manufacturers who release programming interface documentation for their chipsets, PCI cards, graphics accelerators and so forth.
The people in suits who run the tech companies need to understand that developers having programming interface docs is not the same as giving out circuit schematics.
Dennis Ritchie tells me of his experiences with Plan 9 development: even with good support from company X, a lot of documentation was flat out wrong. We've got no hope with unavailable or wrong docs.
Let's see graphics cards, sound cards, USB devices, memory controller chipsets, PCI and USB chipsets, scanners, digital cameras, and everything else documented WITHOUT the requirement for ridiculous NDAs.
Let's also see Phoenix Technologies relieved of its cozy little monopoly on BIOSes. LinuxBIOS is far superior to their junk, with one board going from power-on to Bash prompt in just 3 seconds.
How is it that AMD whinges about Intel when they are in bed with Intel and others in the Treacherous Computing scandal? How is it that they do not pressure VIA to release chipset documentation? How is it that they ignore Microsoft's monopoly while harping on about Intel's monopoly and business practises?
It is SHAMEFUL that the Linux and FSF developers either sign NDAs or encourage other developers not to cooperate with those seeking documentation or those pressuring companies to release documentation:
http://www.openbsd.org/lyrics.html#37
How can we end Microsoft's monopoly with free software and open source developers turning their backs on everyone else, and with AMD complicit in supporting Microsoft's monopoly? -
Theo, did you spell your name wrong?
Isn't your name "de Raadt", not "de Raabt"? See http://www.openbsd.org/art4.html , for example. Did you lose your Slashdot password, or are you impersonating the real Theo?
-
Re:Hours of your time?
So I guess you haven't bothered yourself about the dozens of security advisories for OpenBSD over the past 2 years?
-
Don't bother. Do it right.
Look, he's building a firewall for a lab full of servers, not a dormroom experiment. Don't waste your time with "an old cheap pentium or something". Do it right.
Here's my recommendation:
Find two reliable, server-class machines. Take a look at this list and get two good gigabit NICs for each machine. (Why gbit NICs? Better performance, even on 100bT, due to better buffering).
Next, install OpenBSD 3.7 on both machines and finally, read this HOWTO and build yourself a redundant firewall with failover using pf, pfsync, and CARP.
Good luck!
Chris -
Re:A cheap linux firewall