Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
OpenBSD + pf.conf + cheap hardware.
I went to a local used PC store, bought a small form factor DELL desktop GX110 I think (for $40), put an old cd-rom drive that I had lying around (for convenience only), and two 3com 3c905c ethernet ($10-$15 each) cards in it, (although I've installed it just fine on new/cheap netgear cards), which matched the onboard chipset, and installed OpenBSD on it.
There are numerous web pages on how to setup OpenBSD as a very good firewall, plus plenty of documentation on openbsd.org's FAQ: http://www.openbsd.org/faq/pf/index.html.
I first ran a firewall on FreeBSD 4.4, then decided to try out OpenBSD and pf, and was very pleasantly surprised at the ease in setting up a powerful and easy to maintain firewall box.
-
Very true
As you would know, Theo, there is Free music available. The lyrics are even about Freedom, so you don't have to have anything to do with Non-Freedom.
-
Re:"Scathing" != "Untrue"
(Quoted from Shades66 above):
---
Here's a BSD file to have a look at...
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/mac68k/mac68k/machdep.c?rev=1.116&content-type=text/x-cvsweb-markup [openbsd.org]
do a search on that page for 'belong'
hey everyone you better leave BSD as it has a stupid comment as follows.. /* Does this belong here? */
---
> I agree with TFA that someone submitting code
> and asking in the comments whether this even
> belongs there speaks for itself about the
> quality and the overall design of the code.
and since it's OpenBSD and Linux that has it (and probably both FreeBSD and other BSDs) that means they're all bad quality code, right?
*chuckle*
I find it humorous that TFA called his own os's code crap basically. Open mouth insert foot no? -
Re:OpenBSD would not improve our productivity.
Then why is there an open-cobol tar.gz file on the OpenBSD site? http://cvsup.de.openbsd.org/mirrors/ftp.openbsd.org/snapshots/packages/amd64/ -
Re:Suse Manuals
if documentation is important to you, check out openbsd's documentation. their reputation for having the best docs in the open-source world is well-deserved.
-
Re:"Scathing" != "Untrue"
Here's a BSD file to have a look at...
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/mac68k/mac68k/machdep.c?rev=1.116&content-type=text/x-cvsweb-markup
do a search on that page for 'belong'
hey everyone you better leave BSD as it has a stupid comment as follows.. /* Does this belong here? */
let's all leave and go to -
Re:Laptops...
OpenBSD. Seriously, this isn't intended as a troll. I'd gone through a few Linux distros on my Thinkpad too, as well as FreeBSD 4.* and 5.*, and OBSD has consistently remained the easiest to get up and running over several versions. I also love how relatively lightweight it is.
Use floppyC37.fs since that's tweaked for laptop installs. You can also reference the list of supported hardware and check for any particular known oddities in various laptops. The OBSD FAQ is a fine set of documentation with most likely all the info you'll need to get your install going.
-the real Urocyon
AC 'cause I'm too lazy to set up an account :) -
Re:"Scathing" != "Untrue"
> I'd love to try BSD, if I could find a place where I could download the cd images _quickly_ (any of the official BSD sites or mirrors maxed out at about 45KB/s) and without corrupting the iso (the one fast site I found had crapped out images).
OpenBSD doesn't have official ISO images for download. You can download a floppy boot image which will install the rest over the net at decent speed. Or you could buy the CDs which gives you the OS for several platforms, source, many packages, some stickers and an immediate karma boost.
Personally I'd suggest trying the FTP install. Once. If you like it then by all means support a good project and buy the discs.
-
Re:Classy Response to Theo by Linus Torvalds
> Not to mention that he has own problems to
> contend with.
>
UMM, ok... When have (do) we ever seen a linux _local_ *anything* fixed, in a similar timeframe?? Remind me please...!
http://www.securityfocus.com/bid/13977
> Published: Jun 16 2005 12:00AM
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_output.c
> Revision 1.169.2.1 / (download) - annotate - [select for diffs] , Tue Jun 14 02:10:03 2005 UTC (4 days, 4 hours ago) > by brad
> Branch: OPENBSD_3_7
> Changes since 1.169: +20 -2 lines
> Diff to previous 1.169 (colored) next main 1.170 (colored)
> MFC:
> Fix by markus@
> getsockopt(): allocate a mbuf cluster for large ipsec credentials
> fixes kernel panic from pr 4252; Stefan Miltchev
> ok deraadt@ markus@
dig dig dig..... -
Re:not news...
Actually you are way off bat here; if you read misc@ (the OpenBSD mailing list) you'd soon realise otherwise, especially when users cannot be bothered to read documentation (http://www.openbsd.org/faq/index.html) or use tools available to them: http://www.yahoo.com/ http://www.google.com/ http://marc.theaimsgroup.com/
-
Re:"Scathing" != "Untrue"
The software (kernel, tools, etc.) are no better, just the packaging.
I'll bite.
From http://www.openbsd.org/security.html:
As we audit source code, we often invent new ways of solving problems. Sometimes these ideas have been used before in some random application written somewhere, but perhaps not taken to the degree that we do.
* strlcpy() and strlcat()
* Memory protection purify
o W^X
o .rodata segment
o Guard pages
o Randomized malloc()
o Randomized mmap()
o atexit() and stdio protection
* Privilege separation
* Privilege revocation
* Chroot jailing
* New uids
* ProPolice
* ... and others -
Re:"Scathing" != "Untrue"
Yeah because only these people use it. Nobody must use it at all.
-
Re:If I was Theo de Raadt
OpenBSD put much effort into producing updated and relevant documentation, so there is very little need to hunt through various HOWTOs on the Internet. As a former Linux user, I very, very much appreciate this effort, and it is one of the major reasons for using OpenBSD. A "man somerandomconfigfile" will always give a man page for the base system, usually with some examples. For me OpenBSD is easier to maintain, even as a desktop.
-
Re:If I was Theo de Raadt
As long as iptables functions as it should (which it does), there's always a way to deal with the syntax issue.
You don't get the point. The OpenBSD pf firewall and its configuration syntax are superior to anything out there including hardware boxes. Check out the man page or this benchmark if you don't believe me. -
Re:Switched from Linux because of a comment?
"Does this belong here?" is in OpenBSD too.
Time to switch again...
-
Re:BSD may be great for admins, but OpenBSD isn't
Here's your documentation on applying patches:
http://www.openbsd.org/faq/faq10.html#Patches
AFAIK, OpenBSD doesn't contain obscure libraries in its base system - at least, not by my understanding of obscure.
Do you mean that you installed a package or a port, and need to compile dependencies when you patch that software? Well that shouldn't be too surprising.
It sounds like your main gripe is that OpenBSD doesn't aggressively maintain its package database with security fixes like Debian. This part is somewhat true. They do maintain the tagged versions of ports in cvs, and I believe they release upgraded packages too. But I don't think they monitor it as well as a large group like Debian.
OpenBSD's strength is in its core, and that's why people choose to use it. -
Re:/usr/src/usr.bin/mg/theo.c is the key
OpenBSD CVS repository link to theo.c, which contains "Linux is fucking POO, not just bad, bad REALLY REALLY BAD". Kind of pisses on the bit in TFA:
"You know what I found? Right in the kernel, in the heart of the operating system, I found a developer's comment that said, 'Does this belong here?' "Lok says. "What kind of confidence does that inspire? Right then I knew it was time to switch."
[I mainly use Linux, but have used FreeBSD and think each have some advantages over the other] -
Re:Aurora
It's fairly simple to get rid of the problem.
1. Download ftp://ftp.openbsd.org/pub/OpenBSD/3.7/i386/cd37.iso
2. Burn the image to a CD
3. Load into your primary CD drive on the infected PC.
4. Reboot
5. Follow the instructions on the screen -
ssh tunneling
If the public internet cafe you are using allows external computers to connect to their LAN, such as bringing in your laptop, then try ssh tunneling to protect your content. Google defines ssh tunneling as "The process of taking any networkable connection between two hosts and channeling the information through the SSH session by encapsulating the private data inside of ordinary (usually encrypted) TCP/IP SSH packets. These connections may be arbitrary TCP/IP ports, X11 connections, or even email, allowing for features like encryption and compression for normally unsecure communication." To set up your own ssh server, install OpenBSD (http://www.openbsd.org/) or get OpenSSH for Windows (http://sshwindows.sourceforge.net/). A good ssh client is PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/).
Another, easier alternative is to use an encrypted VNC connection, such as RealVNC (http://www.realvnc.com/), and just use your home computer from on the go. This would allow you to use your home computer from another computer to get past a packet logger on the internet cafe's LAN. If the internet cafe doesn't allow external computers on their LAN, the only way to keep your data secure for sure is to not access any sensitive material when using their computers, as everyone else has already said. -
C'mon!
Is downloading the installation file sets from an FTP mirror "Do Everything From Scratch"??
Read again: http://www.openbsd.org/faq/faq4.html
-
mod parent up: informative
Documentation is very easy to find and readily available for the BSDs:
NetBSD packages
OpenBSD packages
FreeBSD packages
DragonFly uses FreeBSD's ports at this time as per the FAQ
Also see FreshPorts
-
Re:An excellent BSD
Firefox was updated 6 days ago to 1.0.4 for the 3.7 branch.
http://www.openbsd.org/cgi-bin/cvsweb/ports/www/mozilla-firefox/Makefile?rev=1.21.2.1&content-type=text/x-cvsweb-markup -
Re:Multiple issues with that ...
If you want better wireless support, try OpenBSD. I recently switched both my access point and laptop from Linux to OpenBSD, and the wireless works so much more reliably on both! Plus I don't have to build any kernel modules, it's all in the generic kernel.
Long live OpenBSD! -
Re:OSX/x86 on bastardized Apple hardware?
Mrmf, why must everything on Slashdot devolve into a flame war?
No, you're not imagining the PegasosPPC, but I covered that under Category 1, "Random little boards like the AmigaOne". If you think that the PegasosPPC has significant marketshare, you sure as hell are imagining it. I know a lot of computer geeks who collect weird and interesting hardware. Hell, I've even got a non-Mac PPC system sitting in my basement (IBM RS/6000 workstation). I've never met someone who owns a Pegasos system.
(Not even NetBSD and OpenBSD will run on the Pegasos--for interesting reasons--and they'll run on any damn thing.)
The point I'm trying to make is, you can't go down to your local computer store and pick up a CHRP motherboard. The vast majority of people who have a computer of some sort have an x86 PC; the vast majority of people who have a computer but not an x86 PC have a Mac; the remainder probably have mostly things like Sun workstations, 68k Amigas, and their old Apple IIgs that's still chugging along like a trooper. I'm sure there are four or five people out there using a CHRP system as their primary computer, but I would be utterly shocked if said people didn't have a PC or a Mac sitting around as a backup machine.
So, do you honestly not see the difference between the hundreds of millions of x86 PCs out there and the four or five non-Apple, non-IBM, non-embedded PPC machines out there, in terms of impetus to get OSX running on them?
Throw enough bored computer geeks at a problem like this, and they'll crack it. The set of computer geeks with a spare x86 that they'd like to run OSX on is several orders of magnitude larger than the set of computer geeks with a spare CHRP system that they'd like to run OSX on.
And, for the record, OpenDarwin runs on standard x86 PC hardware, but it doesn't run on non-Apple PPC hardware. -
Re:auto-reexecution?
From a response I posted first time around:
What it means is that a new copy of sshd is exec'ed for each connection after the master sshd fork()s to handle the connection. Previously, the forked sshd would just handle the whole session. It starts off as a literal copy of the address space of the parent and stays very similar throughout its life.
Now should there be some kind of vulnerability in sshd, an attacker can connect, get a new fork()ed copy of the master sshd and attempt to guess whatever they need to successfully exploit it. Should they guess wrong, their sshd will likely crash, but they can just connect, get another (identical) copy and try again.
Some systems (eg OpenBSD and PAX-based Linuxes like Adamantix) shuffle various things up (library offsets, stack location, ProPolice canaries, whatever) at exec() time. In the case of sshd, re-execing after the fork() means that instead of being able to linearly scan through the possible values needed to conduct the attack, the attacker has to guess the right ones for their current connection. Basically, instead of multiple shots at a stationary target, the attacker is now faced with an environment with lots of moving targets, all of which must be hit in order to conduct a successful attack. This should make it much harder to conduct the exploit.
For a look at those moving targets, see Theo de Raadt's Exploit Mitigation Techniques paper.
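What the comment above describes, as an added example that is not from the original comment, from OpenSSH or from OpenBSD: a small C program for Linux/POSIX that forks a child and has it report the addresses of a stack slot, a heap block and a static variable back over a pipe, then repeats the experiment with fork() followed by exec() of its own binary, the way the re-exec'd sshd starts each connection. The fingerprint struct, the --report mode and the pipe protocol are this example's own conventions, nothing sshd does. The plain fork child always matches the parent because it is the same address space; the re-exec'd child starts from a fresh image, so on a system with ASLR (randomized stack, heap/mmap and, for PIE binaries, the data segment) the addresses an attacker learned from one connection say nothing about the next.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Addresses an exploit typically has to know: a stack slot, a heap block and
 * a static in the data segment (this example's own fingerprint, not sshd's). */
struct fingerprint { uintptr_t stack, heap, data; };

static int g_static_marker;

static struct fingerprint take_fingerprint(void *stack_slot, void *heap_block)
{
    struct fingerprint fp;
    fp.stack = (uintptr_t)stack_slot;
    fp.heap = (uintptr_t)heap_block;
    fp.data = (uintptr_t)&g_static_marker;
    return fp;
}

/* Read the child's fingerprint from the pipe and reap it; 0 on success. */
static int collect(int rfd, pid_t pid, struct fingerprint *out)
{
    ssize_t n = read(rfd, out, sizeof *out);
    close(rfd);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* Plain fork(): the child is a copy of the parent, so every address the parent
 * has is valid in the child too. Returns 1 if the child reports the same
 * layout, 0 if it differs, -1 on error. */
int forked_child_shares_layout(void)
{
    int pfd[2];
    void *heap_block = malloc(64);
    if (heap_block == NULL || pipe(pfd) != 0) return -1;
    struct fingerprint mine = take_fingerprint(pfd, heap_block), theirs;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: same slots, same (copied) address space. */
        struct fingerprint fp = take_fingerprint(pfd, heap_block);
        _exit(write(pfd[1], &fp, sizeof fp) == (ssize_t)sizeof fp ? 0 : 1);
    }
    close(pfd[1]);
    int rc = collect(pfd[0], pid, &theirs);
    free(heap_block);
    return rc == 0 ? (memcmp(&mine, &theirs, sizeof mine) == 0) : -1;
}

/* fork() then exec() a fresh image of this program (what the sshd change does
 * per connection): the child builds a new address space, so under ASLR its heap
 * and data addresses differ from the parent's. self is argv[0]; the child runs
 * "self --report <fd>" and writes its fingerprint to that inherited pipe fd.
 * The stack slot sits in a different frame on the --report path, so only heap
 * and data are compared here. Returns 1/0/-1 as above. */
int reexeced_child_shares_layout(const char *self)
{
    int pfd[2];
    void *heap_block = malloc(64);
    if (heap_block == NULL || pipe(pfd) != 0) return -1;
    struct fingerprint mine = take_fingerprint(pfd, heap_block), theirs;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char fdstr[16];
        snprintf(fdstr, sizeof fdstr, "%d", pfd[1]);
        execl(self, self, "--report", fdstr, (char *)NULL);
        _exit(127);                                 /* exec failed */
    }
    close(pfd[1]);
    int rc = collect(pfd[0], pid, &theirs);
    free(heap_block);
    if (rc != 0) return -1;
    return mine.heap == theirs.heap && mine.data == theirs.data;
}

static void show(const char *what, int rc)
{
    printf("%-30s %s\n", what, rc == 1 ? "same" : rc == 0 ? "different" : "error");
}

int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "--report") == 0) {
        /* Re-exec'd child: fresh image, report our own layout and leave. */
        int pfd[2] = { -1, atoi(argv[2]) };
        struct fingerprint fp = take_fingerprint(pfd, malloc(64));
        return write(pfd[1], &fp, sizeof fp) == (ssize_t)sizeof fp ? 0 : 1;
    }
    show("fork() child layout:", forked_child_shares_layout());
    show("fork()+exec() child layout:", reexeced_child_shares_layout(argv[0]));
    return 0;
}
```

Build with cc -O2 reexec_demo.c -o reexec_demo and run it as ./reexec_demo (a path is needed, since the re-exec goes through argv[0]; run via PATH the second line reports "error"). On a non-PIE binary the static's address survives the exec while heap and stack still move, a reminder that the re-exec only buys as much as the platform actually randomizes.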
-
Re:Ettercap team claim SSH / SSL is easy crackable
What symmetric cipher, that ssh uses, even supports 4096 bit encryption? I thought bits that high were only supported for public/private keys but not the symmetric ciphers themself. According to the ssh manual page, it seems like the supported symmetric ciphers only go up to 256 bits.
-
Re:Cool...
If you use public-key authentication (and users don't have r/w access to the ~/.ssh/authorized_keys file, you can put restrictions on what each key can forward to.
The sshd manual page has a section named "AUTHORIZED_KEYS FILE FORMAT" that has details on the format of what goes in $HOME/.ssh/authorized_keys and what options are supported.
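A worked example of the restrictions the comment points to, added here and not taken from OpenSSH: a C parser for the option list that may precede a key in authorized_keys, following the format sshd(8) describes (comma separated keyword or keyword="value" entries, where a quoted value may contain commas, spaces and \" escapes), plus a check that evaluates no-port-forwarding and permitopen= against a requested ssh -L target, the kind of forward the tunneling comment above relies on. The parsing and matching rules are a simplified re-implementation written from the man page, not sshd's code; the sample line is constructed; accepting "*" as the permitopen port is a wildcard that later sshd versions document.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 16
#define MAX_VAL  256

/* One keyword[=value] option from the list that may precede the key. */
struct akopt { char name[32]; char value[MAX_VAL]; int has_value; };
static void lowercase(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Copy characters from *pp into buf until a stop character (or NUL) is seen. */
static size_t scan(const char **pp, char *buf, size_t cap, const char *stop)
{
    size_t k = 0;
    for (; **pp && !strchr(stop, **pp); (*pp)++)
        if (k + 1 < cap) buf[k++] = **pp;
    buf[k] = '\0';
    return k;
}

/* Parse the option list at the start of an authorized_keys line into opts.
 * Returns the option count (0 when the line starts with the key itself) or -1
 * on a syntax error; *rest is left pointing at the "keytype key comment" part. */
int parse_options(const char *line, struct akopt *opts, int max, const char **rest)
{
    const char *p = line + strspn(line, " \t");
    int n = 0;
    if (strncmp(p, "ssh-", 4) == 0 || strncmp(p, "ecdsa-", 6) == 0) {
        *rest = p;                                   /* line starts with the key: no options */
        return 0;
    }
    for (;;) {
        struct akopt *o = &opts[n];
        size_t v = 0;
        if (n >= max || scan(&p, o->name, sizeof o->name, ",= \t") == 0) return -1;
        lowercase(o->name);                          /* keywords are case-insensitive */
        o->has_value = (*p == '=');
        o->value[0] = '\0';
        if (*p == '=' && *++p == '"') {              /* quoted: may hold ',', ' ' and \" */
            for (p++; *p && *p != '"'; p++) {
                if (*p == '\\' && p[1] == '"') p++;
                if (v + 1 < sizeof o->value) o->value[v++] = *p;
            }
            if (*p++ != '"') return -1;              /* unterminated quote */
            o->value[v] = '\0';
        } else if (o->has_value) {
            scan(&p, o->value, sizeof o->value, ", \t");
        }
        n++;
        if (*p != ',') break;
        p++;
    }
    *rest = p + strspn(p, " \t");
    return n;
}

/* Would an "ssh -L" forward to host:port be allowed for this key? no-port-forwarding
 * denies everything; permitopen entries, when present, whitelist literal host:port
 * pairs (no pattern matching on the host; a port of "*" means any port). */
int forward_permitted(const struct akopt *opts, int n, const char *host, int port)
{
    char portbuf[16];
    int i, have_permitopen = 0;
    snprintf(portbuf, sizeof portbuf, "%d", port);
    for (i = 0; i < n; i++)
        if (strcmp(opts[i].name, "no-port-forwarding") == 0) return 0;
    for (i = 0; i < n; i++) {
        const char *h = opts[i].value, *sep = strrchr(h, ':');   /* last ':' splits off the port */
        size_t hlen = sep ? (size_t)(sep - h) : 0;
        if (strcmp(opts[i].name, "permitopen") != 0 || !opts[i].has_value) continue;
        have_permitopen = 1;
        if (sep == NULL) continue;                               /* malformed spec never matches */
        if (hlen >= 2 && h[0] == '[' && h[hlen - 1] == ']') { h++; hlen -= 2; }   /* [v6addr]:port */
        if (strlen(host) == hlen && strncmp(h, host, hlen) == 0 &&
            (strcmp(sep + 1, "*") == 0 || strcmp(sep + 1, portbuf) == 0))
            return 1;
    }
    return !have_permitopen;                                     /* no permitopen: unrestricted */
}

/* Constructed sample line, not from a real system: a backup key with a forced
 * command, no tty, and forwards allowed only to two database ports. */
const char SAMPLE_LINE[] =
    "from=\"*.example.org,!evil.example.org\","
    "permitopen=\"10.0.0.5:3306\",permitopen=\"10.0.0.5:5432\","
    "no-pty,command=\"/usr/local/bin/backup \\\"nightly\\\"\" "
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkey alice@laptop";

int main(void)
{
    struct akopt opts[MAX_OPTS];
    const char *key;
    int i, n = parse_options(SAMPLE_LINE, opts, MAX_OPTS, &key);
    for (i = 0; i < n; i++)
        printf("%-12s %s\n", opts[i].name, opts[i].has_value ? opts[i].value : "(flag)");
    printf("key: %.12s...  -L 10.0.0.5:3306 -> %d, -L 10.0.0.5:22 -> %d\n", key,
           forward_permitted(opts, n, "10.0.0.5", 3306), forward_permitted(opts, n, "10.0.0.5", 22));
    return 0;
}
```

The quoting rules are the part worth getting right: a command= value routinely contains spaces and commas, so a naive split on "," or whitespace produces an option list that looks sane and is wrong. The same holds for the advice in the comment about write access to the file: none of these restrictions mean anything if the key's owner can edit ~/.ssh/authorized_keys and drop them.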
-
GNU/Linux distributions vs. BSD operating systems
A distribution is a collection of pieces of software, mixed together, to form an operating system. Each piece of software is maintained separately.
That's what GNU/Linux distros are: they all start with practically the same kernel (Linux) in the bowl, put some GNU and BSD utilities, add water, mix together and serve.
BSDs, on the contrary, are entire operating systems where each component is developed ad hoc for the OS. They don't share a kernel and add some random utilities. Each of them maintains a PUBLIC source tree of the whole operating system. Everything is in the same place, developed from a single tree.
Take a look at the CVS tree if you are curious.
Thanks to the freedom of the license, all of them share code, which redounds to the benefit of the users.
-
Easy
Give it to Theo and friends.
http://openbsd.org/donations.html -
Re:This is interesting...
"No remote exploits."
One, actually. And to say that OpenBSD will *never* have another exploit again is kind of silly. I love OpenBSD, and I use it at home on my server and laptop, but that doesn't mean I just sit around and pretend like everything is okay.
Checking the Errata and Package Updates once a day (or at least twice a week) never hurt anyone--especially if you have multiple users on your box. I'm paranoid--nobody uses my box to begin with.
Anyways, long story short: just because something seems secure, doesn't mean that anyone should be relaxed about security. If anything, the more secure something seems, the more attention one should be spending to security. Once someone does find an exploit or problem, it's going to spread like a wildfire, and if you're caught with your pants down... good luck.
With all of that being said, I feel comfortable using OpenBSD. It hasn't let me down yet, and I can only hope it keeps that reputation up with me. However, I treat every update/patch (as small as it may be) as if it were an exploit waiting to be abused by every script kiddie out there--then I'm just pleasantly disappointed when it isn't. -
This is interesting...
It's cool in a way: very William Gibson-esque or something. A new battlefront. I've moved my servers to OpenBSD due to their incredible security record, and I'm going to be moving my desktops/laptops to Mac/Linux soon. I don't want to be part of the problem.
-
Fsckin' Great!
Fantastic! I just bought a new system at lunch today and now Slashdot has an article about CPUs :(
If anyone cares, here's what I picked up:
- AMD Athlon 64 2800+ CPU
- ASUS K8N-E Deluxe motherboard
- Corsair CMX1024-3200 RAM module
- Maxtor 250G SATA Ultra 16, 7200 RPM harddisk
- CoolerMaster Centurion case
The system will be running OpenBSD 3.7.
Assuming I don't fry the mobo, bend pins on the CPU or squirt thermal compound all over the place, I should be good to go. Just to be sure, I'm going to pet my cats for luck :) -
Re:duh
Use OpenBSD's spamd then; works great on wasting the spammers' time
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html -
Re:Everyone for themself
The best reason of all:
http://openbsd.org/policy.html
Most of Linux is subject to GPL style licensing terms and therefore can not be included in OpenBSD.
-
Re:No troll, I'm dead serious and love OpenBSD
I just installed OpenBSD 3.7 on Sunday. I have a 120GB SATA drive with an 80GB Windows partition. So I used OpenBSD's fdisk to allocate 20GB for OpenBSD *after* the Windows partition. I marked the wd0a partition (OpenBSD) as active, rebooted, and it worked just fine. I now need to figure out what boot manager I'm going to use, but that's a different story! :)
If you're still experiencing those kinds of issues, the cause is likely to do with an outdated BIOS or other hardware issue rather than a deficiency of OpenBSD. -
Re:I love challenge/response!
I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA [tmda.net]) I just don't care. I give anyone my email whenever they want.
Greylisting is a very powerful spam reduction technique that works transparently. The OpenBSD spamd daemon has a greylisting mode, and has reduced my spam to a trickle.
Challenge/response can be quite irritating, in particular when someone posts to a public mailing list and uses C/R. Any C/R request goes to my trash folder.