Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD 3.0 Release, Interview with Theo

Posted by michael on from the wuftpd-not-installed-by-default dept.

mvw writes: "Here is an interview with OpenBSD's Theo de Raadt. Interesting is his comment on Soft Updates and the comparison to the rivaling Journaling file systems technology. Further he links to a very interesting paper by some Soft Updates researchers." And although OpenBSD 3.0 has an "official" release date of December 1 for whatever reason, it seems to be available by FTP or CD already. Lots of changes since 2.9.

15 of 307 comments (clear)

  1. This is a very good thing! by InterruptDescriptorT · · Score: 3, Informative

    SECURITY FIX: fix buffer overflow reading queue file in lpd

    For those running OpenBSD, especially as a gateway/firewall/NAT box, this is an important fix. I am running 2.9 with this patch added, and my snort logs tell me (judging from the number of attempts) that this exploit is a fairly commonly tried one. In November alone, there were at least 30 lpd overflow attempts on my machine. Granted, not most people have lpd open to the world, but I can imagine a few people might want to do remote printing from work, etc.

    --
    Karma: Excellent Birds (mostly as a result of listening to Laurie Anderson)
    1. Re:This is a very good thing! by Greg+W. · · Score: 3, Informative

      1) logging to paper; so the cracker can't totally erase his trail

      That doesn't require lpd. Just add the line printer's device name as an additional target in syslog.conf.

      Or run a teletype console, and log everything important to the console. (I've actually seen a setup that used that. In production. In 1996.)

      Even if you do use the Unix print spooling subsystem on your firewall, you should not have the lpd port (515/tcp) open on the public network interface(s).

  2. Fixes by jeriqo · · Score: 3, Informative

    Actually, OpenBSD 3.0 was available for download since nov 25th, and a few patches (security fixes) are already available.
    Here is the list: http://www.openbsd.org/errata.html

    Don't forget to update to OpenSSH 3.0.1

    -J

    --
    Alexis 'jeriqo' BRET
  3. The origin of OpenBSD by Gopher · · Score: 5, Informative
    As I sit here waiting for my copy of OpenBSD 3.0 to arrive, I've been reading the exchange of emails between Theo and the NetBSD core team, which is a history of how OpenBSD came to be.

    If you haven't read them before, it's quite a read, and a good lesson of how personal politics can fragment a collaborative project.

    Here's the link: http://zeus.theos.com/deraadt/coremail

  4. pf : an excellent packet filter by chrysalis · · Score: 5, Informative
    The big new feature in OpenBSD 3.0 is pf.
    • Interesting stuff in pf over ipf : the configuration file accepts a very similar syntax, but with very handy shortcuts, especially expansion. For instance you can write { pop,smtp,imap } in a rule to specify a list of ports, instead of creating multiple rules. It also accepts macro substitutions. You can easily write very clean configuration files.
    • Interesting stuff in pf over ipfw/ipfiler/iptables :
      • scrub : just give an interface name, and pf will "normalize" everything coming to this interface. Packets will get cleaned up and reconstructed : your local network will only see clean packets, nothing that could be dangerous for badly written IP stacks.
      • tcp state modulation : this feature dynamically remaps tcp sequence numbers, to give the excellent entropy of OpenBSD stack to all your traffic. It means that servers running Windows, badly configured Solaris or older FreeBSD versions can be protected from session hijacking, even through their stack has weak sequence randomization.

    pf seems to be very stable so far. Just don't forget to apply the related errata if you're planning to use IPv6.
    Another great feature of OpenBSD 3.0 regarding network filtering/routing is the integration of AltQ, that brings quality of service to your IP traffic. It basically has the same (but very flexible and efficient) algorithms and class system that Linux has. But it's very nice to see it in OpenBSD.

    --
    {{.sig}}
    1. Re:pf : an excellent packet filter by chrysalis · · Score: 5, Informative

      * For NAT:

      OpenBSD 3.0 has a transparent ftp proxy called "ftp-proxy". You have to run it through inetd (or any super server. I use it with tcpserver) . It listens to a local port, and you just have to redirect outgoing traffic for port 21 to the local ftp proxy port. It allows active and passive connections to NATed internal hosts.

      If it can help, my /etc/nat.conf file is :

      rdr on vr1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
      nat on vr0 from 10.1.1.0/24 to any -> 195.132.209.36

      I start ftp-proxy like this :

      /usr/local/bin/tcpserver -H -R -q 127.0.0.1 8081 /usr/libexec/ftp-proxy &

      *WARNING*
      ftp-proxy has a nice security feature to only accept anonymous sessions (-A). But don't trust it : clients can bypass the restrictions with some buggy servers (the flaw works with proftpd and ncftpd. it doesn't work with pureftpd) .

      * For firewalling (without NAT) :

      You have to explicitely open some ports for active connections. For the minimum number of ports : choose at least twice the max number of simultaneous sessions you need. Open them on the firewall. Then, force your FTP server to only use these ports. On Pure-FTPd, it's with '-p :', example :

      pure-ftpd -4 -p 50000:51000 &

      (don't forget '-4' for OpenBSD) .


      --
      {{.sig}}
  5. ISO download by Syberghost · · Score: 5, Informative

    As Theo says himself in his interview, people who don't like his model of selling the ISOs are free to make their own. This will hopefully quiet the stupidity that usually follows this announcement:

    As usual, ISO images here.

    1. Re:ISO download by ralmeida · · Score: 2, Informative

      It is illegal to distribute the ISOs because Theo has the copyright on the CD's layout, although the software is BSDed.

      --
      This space left intentionally blank.
  6. Re:file systems by mvw · · Score: 5, Informative
    Some links:
  7. Re:As much as I by Anonymous Coward · · Score: 2, Informative

    I understood the article that part of the repair work can be done after mounting the soft updates fs.

  8. Re:When I installed... by Anonymous Coward · · Score: 1, Informative

    what about a quick search on the jargon file?

    http://www.tuxedo.org/~esr/jargon/html/entry/whe el .html

  9. Re:file systems by WasterDave · · Score: 3, Informative

    In the beginning were file systems. A file system took what you wanted it to write and put it on the disk for you. And it was good.

    But the users moaned "speed, we must have more speed" and indeed their call was echoed by the admins. So write ahead caching was invented so the users calls would return sooner, and once again all was peaceful with filesystems.

    But then one day someone tripped over the power cable and the OS died. On recovery it was discovered that the filesystem was completely borked (due to some of it being in the write ahead cache when the power died) and lots of data was lost. There was much wailing and gnashing of teeth so the journal was invented. A journal writes a list of things that the file system will do when it gets around to it, but writes this list to the drive so it doesn't get lost when the power is lost. Because the list is all in one place the journal is fast and once again there was peace.

    Over the years slowly everyone, even Microsoft and even the Linux kernel made themselves journals but the BSD hackers (Greg Lehey?) realised you didn't really need one if you were careful about the order in which you wrote to the disk. And hence softupdates were invented, and are (arguably) very slightly faster. But mostly just different. Like Reiser, but that's another story entirely.

    Gottit? Synchronous writes good, but slow. Async writes bad, but fast. Journaled writes good, and fast. Softupdates good and fast without a journal.

    Dave

    --
    I write a blog now, you should be afraid.
  10. The reason for the early release: by snake_dad · · Score: 3, Informative

    was that the cd's were available earlier than expected, according to this message from Theo at the OpenBSD Journal.

    Btw, the headlines from this site are available as a slashbox, just check the box in your /. preferences.

    Snake_dad (who runs Linux, Winedose, Novell 3.12 and ... OpenBSD :-)

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  11. Re:Donations have slumped? by Anonymous Coward · · Score: 1, Informative

    Does Theo frequently act immature online ... sure. But clearly Theo is at least no worse than he was in the past (actually, I think he's matured a bit), and his .. uhm .. social graces aren't exactly a big secret. It makes little sense to reason that this accounts for fewer donations to the project.

    It is too bad that OBSD lists/newgroups are often frequented by impressionable Theo-wanna-be's that are under the misimpression that it is cool to be rude. Theo acting alone would just be a curiousity ... Most of the OBSD core developers are generally pretty civil.

    As to the lack of SMP support, the OBSD core group's reasoning is pretty sound. They feel that it will introduce security complications, and isn't a big advantage in the roles OBSD generally serves (e.g. firewall; basic web-server; OBSD enthusiast desktop). Since security is their priority, it is ridiculous to critize them for slow progress in SMP support. I believe the official line is the unreligious statement 'if you truely need or want SMP, look elsewhere for now'.

  12. Re:file systems by Dom2 · · Score: 2, Informative

    softupdates were first invented as theory by Ganger & Patt and the idea was published as a paper. Kirk McKusick then took their idea, and coded it for *BSD.