Slashdot Mirror


Custom OpenBSD 3.0 with IPFilter From Darren Reed

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

265 comments

  1. Happy to see this. by einer · · Score: 1

    ipfilter is so much easier to use than netfilter/iptables ... Any word on whether the licensing issues have been re-thought or resolved?

  2. Security still number one? by aridhol · · Score: 4, Troll

    OpenBSD's main tenet is that security is the most important part of the distribution. This rogue distribution is using OpenBSD's name (is this allowed? Anyone?); is it still following OpenBSD's strictures regarding security, such as a full source audit before release?

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Security still number one? by 2Bits · · Score: 4, Interesting

      As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

    2. Re:Security still number one? by BigBir3d · · Score: 2, Interesting

      That is what Lindows must have been thinking.

    3. Re:Security still number one? by xonker · · Score: 5, Informative

      I think that you mean the ISO/CD-ROM image layout. From the FAQ:

      Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.

      I don't think that the layout of the filesystem itself (/, /etc, /home, and so forth...) is under copyright.

      The actual name would be under trademark, and I would imagine that someone else would be unable to use the trademark to distribute a derivative of OpenBSD. Linux is the name of the kernel for Linux distros, bsd is the name of OpenBSD's kernel. The use of Linux as a trademark should technically be approved by Linus or whomever manages that for him.

      I guess this would be OpenBSDarren...

    4. Re:Security still number one? by Mad+Marlin · · Score: 3, Informative
      As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

      Strangely, OpenBSD does not appear to be registered with the US Patent Office (check in TESS). Note that this is unlike Linux, which is:


      Word Mark LINUX
      Goods and Services IC 009. US 021 023 026 036 038. G & S: computer operating system software to facilitate computer use and operation.
      FIRST USE: 19940802.
      FIRST USE IN COMMERCE: 19940802
      Mark Drawing Code (1) TYPED DRAWING
      Serial Number 74560867
      Filing Date August 15, 1994
      Published for Opposition June 13, 1995
      Change In Registration CHANGE IN REGISTRATION HAS OCCURRED
      Registration Number 1916230
      Registration Date September 5, 1995
      Owner
      (REGISTRANT) Croce, William R. Della, Jr. INDIVIDUAL UNITED STATES 33 Snow Hill St. Boston MASSACHUSETTS 02113
      (LAST LISTED OWNER) TORVALDS, LINUS INDIVIDUAL Assignee of FINLAND 5774 CANNES PLACE SAN JOSE CALIFORNIA 95138
      Assignment Recorded ASSIGNMENT RECORDED
      Attorney of Record ROBERT T. DAUNT
      Type of Mark TRADEMARK
      Register PRINCIPAL
      Affidavit Text SECT 15. SECT 8 (6-YR).
      Live/Dead Indicator LIVE
    5. Re:Security still number one? by gmack · · Score: 1

      For no other reason than the fact that some dumbass registered it a few years back and tried to demand payment from everyone using it. The resulting lawsuit had it transferred to Linus. That record even shows who it was.

      (REGISTRANT) Croce, William R. Della, Jr. INDIVIDUAL UNITED STATES 33 Snow Hill St. Boston MASSACHUSETTS 02113
      (LAST LISTED OWNER) TORVALDS, LINUS INDIVIDUAL Assignee of FINLAND 5774 CANNES PLACE SAN JOSE CALIFORNIA 95138

    6. Re:Security still number one? by BdosError · · Score: 4, Informative

      It may not be registered, but that is not required for copyright (Besides, you showed a trademark). Trademarks don't require registration either, it just makes them stronger.

      And since OpenBSD is based here in Canada, the above (NAL) summarized US rules don't necessarily apply, other than through treaties on Intellectual Property. It is not a registered trademark in Canada either, as you can check here.

      --
      Complexity is Easy. Simplicity is Hard.
    7. Re:Security still number one? by Anonymous Coward · · Score: 0

      OpenBSD *is* an OS, Linux is *not* an OS. Linux is a kernel, hence the reason for over 288 various fragmented Linux distros (last I checked).

      blah, glad I don't have to fuss over a multitude of distros when using a BSD needed for the right job.

    8. Re:Security still number one? by Mad+Marlin · · Score: 1
      It may not be registered, but that is not required for copyright (Besides, you showed a trademark). Trademarks don't require registration either, it just makes them stronger.

      And since OpenBSD is based here in Canada, the above (NAL) summarized US rules don't necessarily apply, other than through treaties on Intellectual Property. It is not a registered trademark in Canada either, as you can check here.

      I guess it isn't that strange that it's not registered at the USPTO then, I forgot all about the whole ``Blame Canada'' thing. It is kind of strange that it isn't registered in Canada though. It can't cost that much to register something.

    9. Re:Security still number one? by Anonymous Coward · · Score: 0

      Wow, mod points seem to be abundant for those willing to post the obvious today. There should be a mod point filter option in slash.

  3. Good. by rainer_d · · Score: 4, Interesting
    Especially for people who don't want to migrate.
    I've set up a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.

    Not that PF is bad - you just can't do everything together ;-)

    cheers,
    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
    1. Re:Good. by rifter · · Score: 1

      I thought pf was rules-compatible with ipf?

    2. Re:Good. by danimal · · Score: 2

      No, it is close however. Converting rules from ipf to pf is very easy.

    3. Re:Good. by DaveTerrell · · Score: 3, Informative

      Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.

      You will have to change your rules. OpenBSD made several modifications to IPF that Darren never included upstream (interface names in place of IP addresses, for example). I also recall some controversy involving patches to support ipf on the bridge. I don't know if those are supported either.

      You're welcome to experiment I suppose. Good luck. But I'd strongly recommend not installing this straight onto your production system.

    4. Re:Good. by Anonymous Coward · · Score: 0

      you can certainly do a filtering bridge with pf. i dont know if it was an option in 3.0-release, but it surely works now. both in and out, i may add, are supported directions.

      as for a gui. port it to libdnet (see sourceforge) and you can migrate rules around easily. supports ipchains, iptables, ipf and pf style setups in its firewalling builder/reader components.

    5. Re:Good. by rainer_d · · Score: 1

      Uh.
      But I didn't think of migrating to 3.0 on the production box anyway.
      As it works under VMware, extensive tests can be made very easily.
      I didn't know the syntax had been changed - I just thought the code had been, well, "improved" ;-)

      cheers,
      Rainer

      --
      Windows 2000 - from the guys who brought us edlin
  4. Ego dramma by JDizzy · · Score: 4, Interesting

    I use FBSD, and OBSD. Sorta stuck in the middle on this since FBSD doesn't think D. Reed's license is non-free like Theo et al. believe, and rightly so. Honestly, the OBSD IP filter is supposedly better anyways. Apparently the OBSD team was aware of some design flaws in IPF, and engineered their version without them. So I hear it's slightly faster, and backwards compatible with Reed's IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSDs to consider their IPF, but don't really care one way or the other.

    Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.

    --
    It isn't a lie if you belive it.
    1. Re:Ego dramma by rifter · · Score: 2, Interesting

      Actually, the reason FreeBSD can use it is that it uses an unmodified ipfilter. Ipfilter was originally written for FreeBSD, IIRC. But while FreeBSD uses ipfilter in userspace, OpenBSD always used a heavily modified form which lived in kernel space. The problem was that Darren and Theo got in a pissing match and Darren put a clause in his license that said he had to approve any release of ipfilter. Theo responded by dumping ipfilter, now Darren is trying to counter by creating his own OpenBSD.

      While this is legal, the problem is that the whole point of OpenBSD is the security auditing the OpenBSD team does. The version Darren is pushing is essentially a patched version of what they are putting out, but any security auditing of his patches is likely going to be done by him alone. I don't think this is a way to go, frankly.

    2. Re:Ego dramma by illusion_2K · · Score: 3, Insightful

      Where did you get that from?

      The issue that the OpenBSD guys had with IPF was that the license wasn't 100% BSD compatible as it stood when they decided to ditch it. I can't recall exactly what the issue was, but there are historical posts in the misc@openbsd.org mailing list. (Searching for Theo De Raadt and IPF should be enough - he's explained his position at least a half dozen times). Afterwards, Darren decided to change the license so that the other BSDs wouldn't ditch IPF in favor of PF too.

      All in all, one of the things I respect most about the OpenBSD guys is how they do stick to their principles, as they did in the IPF fiasco.

    3. Re:Ego dramma by hollow_man · · Score: 2, Interesting

      Where did you get that from? Theo got his knickers in a twist about a test release of IPF (aimed at Solaris of all OSes!) and challenged Darren. Funnily enough, (after being threatened (although some debate can be had about what constituted a threat)) Darren then decided to clarify his IPF license (which for release versions hadn't changed for yonks) so it was not quite compatible with the goals of OpenBSD. Hence the split. Darren has cordial relationships with FreeBSD and NetBSD core and as such things never get as out of hand as with Theo.
      With regard to the "design problems" someone else posted about earlier, IPF is designed to be a crossplatform package (we use it exclusively on Solaris here) and as such it will never be as tailored for OpenBSD as pf is.
      I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
    4. Re:Ego dramma by kan · · Score: 2, Informative

      > while FreeBSD uses ipfilter in userspace
      Absolutely incorrect. Get your facts straight.

    5. Re:Ego dramma by jazman_777 · · Score: 2, Interesting
      I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.


      Which cause? Being nice and warm and fuzzy with everyone? Or putting out a solid secure OS? I think his temperament works just fine for the latter, he weeds out the chaff who think his goal should be the former.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    6. Re:Ego dramma by Tuzanor · · Score: 3, Interesting

      The thing is Theo never really got all THAT upset. He essentially just said "give us BSD rights to this thing" while Darren said, "if you beg and suck up, maybe".

      Theo just decided to hell with it and just announced that ipf is leaving OpenBSD. He never called anybody names or anything. He just sorta unexpectedly removed it.

    7. Re:Ego dramma by Anonymous Coward · · Score: 0

      Actually, the reason FreeBSD can use it is that it uses an unmodified ipfilter.

      No, Darren Reed maintained ipfilter for FreeBSD before this whole mess began. He can't very well sue them for allowing him to work on their project.

      Ipfilter was originally written for FreeBSD, IIRC.

      No it wasn't, it was written for Solaris first.

      But while FreeBSD uses ipfilter in userspace, OpenBSD always used a heavily modified form which lived in kernel space.

      The only thing from ipfilter that runs in userspace is the logging mechanism, ipmon. Everything else is in the kernel, regardless of what OS you happen to be running it on.

      You are a retard.

    8. Re:Ego dramma by Anonymous Coward · · Score: 0

      Where did you get that from? Theo got his knickers in a twist about a test release of IPF (aimed at Solaris of all OSes!) and challenged Darren. ... Darren then decided to clarify his IPF license (which for release versions hadn't changed for yonks) so it was not quite compatible with the goals of OpenBSD.

      The OpenBSD team had wanted to make changes to ipfilter for long time, and Darren hadn't been accepting them into the package, so they were going to split, then Darren 'clarified' the licence.

      (IPFilter was first written for Solaris.)

      Retard.
    9. Re:Ego dramma by cicadia · · Score: 2
      I'm not sure who modded this 'informative' (I know I'm going to /.-hell for saying this) but it's pretty far from it.

      I've heard the same thing about ipfilter; that is, that it was developed for FreeBSD, for use in userspace, and was adopted by the OpenBSD team and subsequently modified to operate in kernelspace.

      That is why I couldn't just get the OpenBSD 2.9 from FTP and install ipfilter from Darren Reed's site (to fix the traceroute bug). It requires quite a lot of patching to get it to work with OpenBSD.

      So do you have any more information on _why_ the above poster was incorrect? I'm quite interested.

      --
      Living better through chemicals
    10. Re:Ego dramma by rycamor · · Score: 1

      Well, for starters, any time you want to run ipfilter or ipfw in FreeBSD, you have to recompile the kernel. That should be kind of a tip-off.

    11. Re:Ego dramma by hollow_man · · Score: 1

      Perhaps. The frustration of the OpenBSD team at Darren backporting patches from other people into his codebase is well documented. Whether it would warrant a fork or not is debatable, either way if the license would have allowed it, it would have been a codefork rather than a rewrite. The clarification determined it to be a rewrite rather than a fork. Also I fail to see why the fact that IPFilter was first written for Solaris would make me a retard. The version where Darren changed his license was announced with "I've put the changes, to date, against 3.4.17 into a "beta release" (if you like) which I'd like people who've had problems in the past to report back about whether or not it makes things better or worse (especially for Solaris). ".

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
    12. Re:Ego dramma by hollow_man · · Score: 1

      I don't think he should be nice and warm and fuzzy with everyone, but the public spats first with Darren Reed and then with Dan Bernstein could have been avoided (well I hope so). I fear these things hurt OpenBSD more than they benefit it.
      Being a system engineer I know I would have great difficulty convincing my boss to bring in OpenBSD on a big scale if he knew the arguments that have come to pass. FreeBSD and NetBSD are havens of peace compared to OpenBSD. :)
      You could of course say that my boss is an idiot then, and I wouldn't argue that with you. But it's his decision and it isn't solely based on technical merit.

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
    13. Re:Ego dramma by hollow_man · · Score: 1

      Well, I only have Darren's word for it of course (his postings on deadly.org), which is why I said it's debatable what constitutes a threat ;)

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
    14. Re:Ego dramma by Anonymous Coward · · Score: 0

      ipfilter contains significant kernel components in addition to the userland parts. It works essentially the same way in FreeBSD as it does in OpenBSD.

      that's where the previous poster was incorrect.

    15. Re:Ego dramma by kiwipeso · · Score: 0

      Don't forget that OpenBSD started after Theo got pissed off at someone on FreeBSD and then got removed from #2 submitter to mere code contributor.

      OpenBSD started because Theo got hacked by a FreeBSD programmer who didn't want Theo to have email copies of this demotion.

      I don't know Theo personally, but I think he's allowed to have a competitive personality if he does the great work he does.

      Personally I'm working on a brand new BSD, KaosBSD based on OpenBSD. I want to use existing encryption for now until I get my cryptoscheme going.
      The goals of KAOS is Speed, Security & Simplicity. I am willing to contribute most of my work back to OpenBSD, NetBSD and FreeBSD.
      BSD can support another fork, especially if it brings in cutting edge technology that no other system has yet.

      --
      - Kaos games and encryption systems developer
    16. Re:Ego dramma by Anonymous Coward · · Score: 0

      You really think a person can avoid public spats with Dan Bernstein?

    17. Re:Ego dramma by hollow_man · · Score: 1

      well if you put it that way ;)

      I have to say DJB would try my patience as well. But credit where credit is due, some of his software is pretty impressive.

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
  5. Yeah by ^BR · · Score: 1

    It seems that it's a plain OpenBSD 3.0 with IPFilter integrated, something that you could do yourself but Darren is nice enough to provide a compiled version.

    No worry there, it's still OpenBSD, the whole point of the OpenBSD philosophy is to permit derivative works.

  6. and headlining todays issue of duh by r00tarted · · Score: 3, Flamebait

    conflict surrounding the openbsd project
    next story please.

    1. Re:and headlining todays issue of duh by Anonymous Coward · · Score: 1, Funny

      next story please

      Is Linux ready for the corporate desktop?

  7. Re:Getting a taste of his own medicine by easter1916 · · Score: 1

    Theo de Raad, not Raat. Or was that mistake intentional?

  8. This release will include ISOs as well by bconway · · Score: 3, Troll

    One important thing to note (and left out of this announcement) is that Darren will be including bootable ISOs with his releases. This is a great move, as I've always run into trouble with the hacked together OpenBSD unofficial ISOs. I'm also not too keen on using a 6-month-old firewall with who knows how many fixes needed in the future, and am glad IPF is back in the game with an OpenBSD-alike release that I can grab and run with. Good job to everyone involved!

    --
    Interested in open source engine management for your Subaru?
    1. Re:This release will include ISOs as well by John+Whorfin · · Score: 1

      Methinks we will soon see if Theo's ISO image layout copyright holds, no?

    2. Re:This release will include ISOs as well by Null_Packet · · Score: 4, Interesting

      How is it good that Darren Reed will be including ISO's? Looking at the thread this seems to be a cut towards the openbsd team by undermining their primary fund raising activity- selling cd's.

      Besides, I have to wonder how resourceful someone is who doesn't know how to find OpenBSD ISO's via Google.

      This isn't a troll, but this strikes me as counter-productive to Open Source in general, and it seems even sillier that one needs to distribute an entire ISO for such a small package.

      Remember- it was Darren who changed his license which forced the OpenBSD team to remove his packages from the distro.

    3. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      It's not the same image if he's changed the packages included, dipshit. Think before you speak next time, okay?

    4. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Darren never changed his license, and it's still included in both FreeBSD and NetBSD because it is free software. Let's re-evaluate who's being the dickhead, shall we?

    5. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Aw, did you drip cum from your ass on your pillow again?

    6. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Very clever, John Whorfin. Try again, okay? It's not too tough to see who's posting when you're controlling the cookies.

    7. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      You stupid faggot, he changed it at least three times. "changed" == "Oh, well, I could tell you what it is, but I'll just keep that to myself, mkay? Today it means X, but if you piss me off, I'll make it Y and take my ball and go home." Darren is a shitheel, and this latest move only confirms that. Long live PF!

    8. Re:This release will include ISOs as well by Geekboy(Wizard) · · Score: 5, Informative

      I've never needed the ISO's. The net install works rather well, and you can do it over HTTP or FTP, as well as the other standbys (NFS, local, etc).

      I've lurked on the misc@openbsd mailing list, and seen what Darren says. He seems "shady" (best as I can describe it). He seems to do his best to piss people off, and whenever pf doesn't work as expected, he says "IPF does that". Even if the poster was using the wrong syntax.

      The firewall age isn't an issue, its infancy happened on the -current tree. I'm rather happy with pf, and will keep using it whenever possible.

    9. Re:This release will include ISOs as well by psxndc · · Score: 2
      Here's an idea: Pay the $40 and get a newly released official ISO and support the project. Supporting Open Source doesn't mean you have to be a cheap bastard, especially when you're complaining about unofficial ISOs. Don't agree with OpenBSD's policy on IPF? Don't use OpenBSD.

      psxndc

      --

      The emacs religion: to be saved, control excess.

    10. Re:This release will include ISOs as well by jazman_777 · · Score: 1
      Here's an idea: Pay the $40 and get a newly released official ISO and support the project. Supporting Open Source doesn't mean you have to be a cheap bastard, especially when you're complaining about unofficial ISOs. Don't agree with OpenBSD's policy on IPF? Don't use OpenBSD.


      The stickers are good (hard to explain them very well to children, though), and the song on the second CD this time was a pretty good throw-in, RMS loved it I'm sure.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    11. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Pay 40 bucks every 6 months or else you have a system that's out of date and insecure? That's $80+ a year. No thanks. I'd rather pay Microsoft $99 every 3 years.

    12. Re:This release will include ISOs as well by psxndc · · Score: 1
      And spend thousands of dollars on damages and man hours resulting from their crappy security policies. I see your logic.

      psxndc

      --

      The emacs religion: to be saved, control excess.

    13. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Try a net install on an Alpha. I dare you.

    14. Re:This release will include ISOs as well by Dehumanizer · · Score: 1

      A 4 years old OpenBSD release is still more secure than a patched Windows 2000 or XP, you troll.

      --
      The Tlog - a technology blog
    15. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Troll. Why don't you go outside while it's still sunny? Your mom's gonna make you go inside and do your homework for the night soon.

    16. Re:This release will include ISOs as well by Geekboy(Wizard) · · Score: 1

      sure, send me an alpha and we'll talk....;-)

    17. Re:This release will include ISOs as well by Anonymous Coward · · Score: 0

      Ugh, talk about a troll... Don't trolls ever look in the pirror???

    18. Re:This release will include ISOs as well by uservoid · · Score: 2, Informative

      Been there, done that. OpenBSD on Alpha XP900 ..
      Don't blame others, if you lack the clue to do things the right way.

    19. Re:This release will include ISOs as well by Dehumanizer · · Score: 1

      What's a pirror?

      --
      The Tlog - a technology blog
  9. Transition to PF should be painless by the_olo · · Score: 4, Informative

    Just installed OpenBSD 3.0 today.
    The new Packet Filter's syntax is somewhat backwards-compatible with IPFilter, the most significant difference being that with PF you now must specify protocol when specifying ports, so for example if with IPF you had:

    block in on fxp0 from any to any port = 137

    with PF you have to change it to:

    block in on fxp0 proto { udp, tcp } from any to any port = 137

    And you place the default configuration in /etc/pf.conf, not /etc/ipf.rules.

    1. Re:Transition to PF should be painless by Geekboy(Wizard) · · Score: 2, Informative

      block in on fxp0 from any to any port = 137

      still works.

      so does

      ext_if="fxp0"

      block in on $ext_if from any to any port = 137


      and does:
      protocol_rules="proto { udp, tcp }"
      ext_if="fxp0"

      block in on $ext_if $protocol_rules from any to any port = 137

  10. I don't think Theo will have a problem with that.. by ^BR · · Score: 1

    The whole point of OpenBSD being permitting any derivative work, something that the IPFilter licence doesn't provide (anti-GPL clause, not necessarily a bad thing but not as free as the BSD licence).

  11. Why I love Open Source by BetaRelease · · Score: 5, Funny

    Dude,

    You don't want to include my program with your distribution?

    Fine, I'll just include your distribution with my program!

    'nuff said!

    1. Re:Why I love Open Source by Luke · · Score: 1, Troll

      Just remember that this is only made possible with the BSD license.

      Remember, Theo said that it was fine by him to use OpenBSD for whatever reason you want.

      Had the OpenBSD kernel been GPL'ed, Darren would have had to make ipfilter work in OpenBSD userland.

    2. Re:Why I love Open Source by TheAwfulTruth · · Score: 3, Insightful

      As long as he's the only one. Can you imagine 10 companies doing this? 100? Of course they'd never all be in sync or anything either... And eventually the software will of course only work on HIS distribution. One version of the OS for every piece of software you use? There's an inner circle of hell we can all do without.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    3. Re:Why I love Open Source by Syberghost · · Score: 2

      Had the OpenBSD kernel been GPL'ed, Darren would have had to make ipfilter work in OpenBSD userland.

      Where did you come up with that bit of rubbish?

      All he'd have had to do is make the source available for any modification he made to the kernel. He could still have created his own distribution.

    4. Re:Why I love Open Source by Anonymous Coward · · Score: 1, Interesting

      As long as he's the only one. Can you imagine 10 companies doing this? 100? Of course they'd never all be in sync or anything either... And eventually the software will of course only work on HIS distribution. One version of the OS for every piece of software you use? There's an inner circle of hell we can all do without.

      Dude, didn't you just describe linux?

    5. Re:Why I love Open Source by ejungle · · Score: 1

      Funny, I was thinking the same thing. =)

      --
      Remember: umount it before you fsck it.
    6. Re:Why I love Open Source by kiwipeso · · Score: 0

      He's not the only one, I'm forking OpenBSD to work on KaosBSD which has a totally different kernel structure and application system.
      the good thing is all of OpenBSD works under it sort of like OS X and FreeBSD.

      I'm planning to release some of my custom software to OpenBSD and Java2 later.

      BTW, you just described linux. Why didn't slashdot moderate you to troll?

      --
      - Kaos games and encryption systems developer
  12. Re:Getting a taste of his own medicine by marsvin · · Score: 1

    Ehm... are we reading the same article?

  13. So what do you call... by Anonymous Coward · · Score: 0

    a fork of a fork?

    This will certainly make migration of firewall rules easier. You can stick with the same filtering system.

    Of course, this will piss off Theo. Hell, you can run QMail and IPF under OpenBSD and REALLY torque him off!

    1. Re:So what do you call... by Anonymous Coward · · Score: 0

      DJB already does (look at server information on main page). talk about ego's running rampant. all things aside, DJB writes damn good, clean code. so does OBSD. so does Darren. a match made in heaven for the end users, but you could PPV the ruckus between Theo, DJB, and Darren if they ever met up in the ring.

  14. Re: ipfilter easier to use than netfilter/iptables by Koim-Do · · Score: 1

    How exactly is iptables easier to use than ipfilter ?
    Personally, I find the pseudo-natural language rules a bit confusing, but it's probably a matter of taste.
    Also, I wasn't aware that the official OpenBSD features the (linux-only) netfilter packet-filter.

    BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?

  15. please lay off the crack smoking by jslag · · Score: 5, Informative
    Theo is now losing control of the OpenBSD project


    Note to impressionable youngsters: there is no basis in fact for this statement.

    1. Re:please lay off the crack smoking by bark76 · · Score: 1

      You mean *BSD isn't dying? ;)

  16. Amusing by hettberg · · Score: 5, Flamebait

    OpenBSD team wants to get changes incorporated into IPF. Darren no respond.
    Ask again -> No respond. Darren coder supreme.
    OpenBSD decide to make changes, but only in OpenBSD source tree. Darren hears, gets angry! Decides: "LICENSE NO ALLOW!"

    Insert Flame War.

    OpenBSD team decide to switch to different packet filter under BSD license. Because Project Goal: Every user should be able to make changes to source tree. IPF license bad!!
    Darren try get back: says, NetBSD, FreeBSD allowed! MUAHAHAHAH!!!
    Theo say: no care, pf much better than ipf!
    Darren changes mind: changes license. But OpenBSD will not change back to ipf. Darren even much more bitter.
    Darren so bitterbitter. Decides: I'LL GET BACK BY FORKING OPENBSD AND RELEASING MY OWN VERSION. HEHEHEHEHE.

    Conclusion: Open source, closed minds.

    I find this very amusing.

    1. Re:Amusing by Rostoff · · Score: 1

      It's Theo's child. If he wants to huff and puff and not put ipf in, that's his choice. If you want ipf that badly, roll your own kernel with it. Problem solved.

    2. Re:Amusing by S.+Allen · · Score: 1

      Goddamn, this is funny and insightful. Curse the moderating system that will not allow me to mod this up further!

      Perhaps after 5, each mod point should count for half. Too many 5's getting handed out these days. It's not as much the mark of distinction anymore.

    3. Re:Amusing by Anonymous Coward · · Score: 0

      That's some good thinkin'. There are many more comments now than when the moderation system was designed, and it shows - 6 points aren't enough any more. Double it at least, and I like the curve idea - make moderation logarithmic, where the given mod points x reflect as y in the post by y=lnx. (perhaps a base other than e though)

    4. Re:Amusing by jazman_777 · · Score: 1
      Goddamn, this is funny and insightful. Curse the moderating system that will not allow me to mod this up further!

      Perhaps after 5, each mod point should count for half. Too many 5's getting handed out these days. It's not as much the mark of distinction anymore.


      Why do they cap at five? I'd like to see no limits; then we could see a top-twenty highest-moderated posts. Stuff in the 100s. It would surely make me cry, laugh, and think deep thoughts. And this being Slashdot, inspire me to hate MS even more!

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    5. Re:Amusing by Anonymous Coward · · Score: 0

      hehehe, that's pretty much it alright. Except, Darren changed his mind about his unclear license a few times during this process. I'd say he changed it about as much as people change their underwear.

  17. PF vs IPF by don_carnage · · Score: 3, Informative
    I've been running an OpenBSD firewall for about a year and a half now using IPF. Now that 3.0 is out and includes PF, I've already migrated most of my rules over and really like some of the features that come with it (like variables). Most of the IPF rules are similar to the PF rules, so there really isn't much of a learning curve for migration.

    I don't have a bias for one or the other (IPF vs PF), but will probably stick with PF since it's included in the default OBSD 3.0 installation.

    Is there any reason why I should keep using IPF? Isn't it still included in the ports if I really needed it? Doesn't this sound like a political move?

    1. Re:PF vs IPF by Syberghost · · Score: 2

      Doesn't this sound like a political move?

      More like a political countermove.

      I notice, however, that he isn't getting flamed for offering ISOs. Curious, that, since putting a link to ISOs in my sigline has gotten me flamed here at least a dozen times.

    2. Re:PF vs IPF by don_carnage · · Score: 2
      More like a political countermove.

      True. I read through the Theo rant before and it seems like a lot more politics than I would care to deal with.

      But the OS is pretty good, eh? ;^)

    3. Re:PF vs IPF by Tet · · Score: 2
      I notice, however, that he isn't getting flamed for offering ISOs.

      Actually, I'm flaming him. Offering an OpenBSD with IPF is one thing, but offering bootable ISOs is another matter entirely. It's a direct attack on OpenBSD's revenue stream. Granted, the license has always allowed that, and relied on the goodwill of the users to buy the official product, rather than creating bootable ISOs. But Darren never offered them before his falling out with Theo, and starting to do so now really doesn't show him in the best light... At one point, I considered making bootable CDs myself, but decided that it wouldn't be in the best interests of the OpenBSD project (and hence, indirectly, myself) to do so.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    4. Re:PF vs IPF by Anonymous Coward · · Score: 0

      relied on the goodwill of the users to buy the official product

      Moral of the story: If your business relies on your users' goodwill, don't get into very public flamewar pissing matches with them.

    5. Re:PF vs IPF by Dehumanizer · · Score: 1

      Anyone can make and offer ISOs.

      What you CAN'T do is this: buy or borrow the official CDs, make ISOs of them, and distribute.

      --
      The Tlog - a technology blog
    6. Re:PF vs IPF by Dehumanizer · · Score: 1

      "Moral of the story: If your business relies on your users' goodwill, don't get into very public flamewar pissing matches with them."

      Actually... I've never really *needed* the OpenBSD CDs (could have installed by FTP, for instance), but I've bought all of them since 2.7 anyway.

      Gives me a warm feeling. The donations I gave also put my name on the cover. And, most of all, THE STICKERS! :)

      --
      The Tlog - a technology blog
  18. Re: ipfilter easier to use than netfilter/iptables by John+Whorfin · · Score: 2, Informative

    > BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?

    It's simply called pf and it's custom to OpenBSD.

  19. IPFilter: Any advantages over pf? by Frater+219 · · Score: 5, Interesting

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

    1. Re:IPFilter: Any advantages over pf? by mewsenews · · Score: 1

      as far as I know, pf is only a year old, while ipfilter is much older. this makes ipfilter more mature, but not necessarily superior. I can't talk about other differences because I haven't used pf :)

    2. Re:IPFilter: Any advantages over pf? by Anonymous Coward · · Score: 3, Interesting

      I've used both. pf and ipf are pretty close in terms of functionality and stability, and pf has some nice incremental features over ipf. If I had to choose, I'd use pf.

    3. Re:IPFilter: Any advantages over pf? by Anonymous Coward · · Score: 0

      The one reason I'll stick with pf:

      Multiple PPTP sessions through the box, using PAT. IPF doesn't allow that.

    4. Re:IPFilter: Any advantages over pf? by Anonymous Coward · · Score: 0

      Age has nothing to do with maturity.

      Look at Slashdot, I'm sure everyone here is over 5 years old, but very few are more mature than the average five year old.

    5. Re:IPFilter: Any advantages over pf? by IcePic · · Score: 1

      Also, at the time when PF got usable, it had fewer lines of code than all the combined #ifdef/#endif-lines in IPF. Of course it's no conclusive "evidence", but it sure makes you wonder if someone else can read the code like it is going to be run when looking for a possible bug in your favourite OS+IPF.

      --
      -- I'm as unique as everyone else.
  20. Re: ipfilter easier to use than netfilter/iptables by whirred · · Score: 3, Informative

    It's called packet filter - just pf, rather than ipf. It was developed by the OpenBSD team, and has some features they wanted to add but never could due to the restrictions on the IPF license. That's what Theo claimed in an interview I read, anyway.

    It's the file system speed improvements that really make an upgrade to OpenBSD 3.0 worthwhile, though..

  21. Free as in... fascism? by dfeldman · · Score: 3, Interesting
    This move represents the latest step that Darren Reed has taken to attempt to gain control over open source operating systems that incorporate his packet filter. He has expressed the belief, on many newsgroup postings, that he deserves a place on the *BSD teams (as at least a committer) because of the way that his product has increased market share for the BSDs. And he continues to attempt to hold those distributions hostage until they bend to his will. His eventual goal is to release a closed-source BSD that incorporates his filter, because he cannot stand to give the public the right to modify and redistribute his precious code.

    Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raadt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.

    Darren, listen to your users - change your license or perish.

    df

    1. Re:Free as in... fascism? by imp · · Score: 4, Insightful
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security

      Except that isn't true. There have been a number of issues with the way that iptables/netfilter in Linux interacts with some systems. A number of problems related to timers in the state engine have come to light and do cause real problems for some systems. Also, 2.4 was relatively recent in history, so all the problems and issues with iptables/netfilter cannot be known yet. To assert otherwise is to ignore the history of software. All software has a hype cycle: The latest thing is always the best, then experience shows that it doesn't handle this or that right, followed by the disillusionment phase followed by the adopting another product that's in the hype phase. ipfilter is much farther along in this process and is maturing nicely. We have not had the history to know yet if iptables/netfilter will be the same.

      If you don't believe me, go back and look at the press that each new Linux release gets. Then look at how people talk about that release 3-6 months later, and then 1-2 years later. It takes time for problems to be diagnosed and understood.

    2. Re:Free as in... fascism? by Frater+219 · · Score: 5, Interesting
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

      Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

      I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

      iptables :
      iptables -A INPUT -s 10.11.0.0/16 -p tcp -o tcp --dport 22 -j ACCEPT
      iptables -A INPUT -p tcp -o tcp --dport 22 -j DENY

      pf:
      block in proto tcp to any port ssh
      pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

      Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.
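
The two rule pairs in the comment above are written in opposite orders because the engines resolve matches differently: an iptables chain stops at the first matching rule with a terminating target, while pf lets the last matching rule win unless that rule is marked `quick`. The Python model below is an added example, not code from the thread or from either project; the `Rule` and `Packet` classes, the sample addresses other than 10.11.0.0/16, and the default-policy arguments are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" (ACCEPT) or "block" (DROP)
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR string, None matches any source
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # pf only: stop evaluating on match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet, policy: str) -> str:
    """iptables-style chain: the first matching rule decides, else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def last_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf-style: the last matching rule decides; 'quick' ends evaluation early.
    pf passes a packet that no rule matches, hence the default."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def divergences(rules: List[Rule], packets: List[Packet], policy: str = "pass") -> List[Packet]:
    """Packets whose verdict changes when the same list is fed to the other engine."""
    return [p for p in packets
            if first_match(rules, p, policy) != last_match(rules, p)]


def as_quick(rules: List[Rule]) -> List[Rule]:
    """Mark every rule 'quick', which turns pf evaluation into first-match."""
    return [replace(r, quick=True) for r in rules]


# The "SSH only from internal hosts" intent, in the order each comment-style ruleset uses.
IPTABLES_ORDER = [Rule("pass", "tcp", "10.11.0.0/16", 22), Rule("block", "tcp", None, 22)]
PF_ORDER = [Rule("block", "tcp", None, 22), Rule("pass", "tcp", "10.11.0.0/16", 22)]

# Constructed sample packets (addresses are illustrative).
INTERNAL_SSH = Packet("10.11.4.20", "tcp", 22)
EXTERNAL_SSH = Packet("198.51.100.7", "tcp", 22)
EXTERNAL_HTTP = Packet("198.51.100.7", "tcp", 80)
SAMPLE = [INTERNAL_SSH, EXTERNAL_SSH, EXTERNAL_HTTP]

if __name__ == "__main__":
    for name, rules in (("iptables order", IPTABLES_ORDER), ("pf order", PF_ORDER)):
        for pkt in SAMPLE:
            print(f"{name:15} {pkt.src:>13}:{pkt.dport:<3} "
                  f"first-match={first_match(rules, pkt, 'pass'):5} "
                  f"last-match={last_match(rules, pkt)}")
    print("diverging after naive copy:", divergences(IPTABLES_ORDER, SAMPLE))
    print("diverging with quick:      ", divergences(as_quick(IPTABLES_ORDER), SAMPLE))
```

Copying either ruleset line for line into the other engine locks the internal hosts out of SSH as well, so a migration between the two needs the rule order reversed or, on the pf side, `quick` on each rule.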

    3. Re:Free as in... fascism? by prisonernumber7 · · Score: 1

      A very good, and insightful comment. It truly shows the simplicity at which OpenBSD 3.0's packet filter rules work.

      I myself have been using OpenBSD for some time now and was very pleased with the way ipf dealt with things.. and I like the 'new features' as well: Now pf will also take care that any hosts behind the firewall, even if they are the originators of a connection, do not get hit by malicious packets that happen to have the right sequence number - just with this one statement "scrub all". Beautiful. And that ability to define variables with, say, lists of different IPs as in hosts_that_want_to_do_us_bad="{1.2.3.4, 1.2.3.5}"? Great, this one really increases the maintainability of your firewall rules.

      Otoh, I have just had the task of setting up a Linux server, directly exposed to the Internet, which obviously had to have a few packet filtering rules. I ran bastille, configured the box really quickly and fired up my nmap, which in turn showed great default results. It's just that until I got the time to look at the scripts this animal created for me, I did not really have a clue on what bastille did. ;-)

      --
      && aemula C. ab stirpe interiit
    4. Re:Free as in... fascism? by lamj · · Score: 1

      Why -o tcp in iptables? Your output network interface called "tcp"?

    5. Re:Free as in... fascism? by Frater+219 · · Score: 1

      Whoops. That would be a typo.

    6. Re:Free as in... fascism? by Sircus · · Score: 2, Informative

      The point would be valid if there weren't a more readable way to configure iptables:

      iptables --append firewall --source 10.11.0.0/16 --proto tcp --destination-port ssh --jump ACCEPT
      iptables --append firewall --proto tcp --destination-port ssh --jump DROP
      *

      This seems both readable and easy to follow to me. I maintain a large and (necessarily) complex firewall using iptables (and DNAT, SNAT, mark-based routing, etc.) I've never found it to be especially difficult to follow the config files, nor awkward to read.

      I don't deny things could be just as simple as pf, possibly even easier, but I don't think complexity of configuration is a valid criticism of iptables. On the contrary, I'd have to say I find the example you gave a little counter-intuitive - it's necessary to think for a little too long about whether that's "to any" or "to any port". That's probably just me, though - in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste / how accustomed each person is to the syntax - neither of the syntaxes are (IMHO) intrinsically better.

      * The second line's unnecessary if your input/forward chain policy is 'DROP', which would be the case for most sane firewalls I can think of...

      --
      PenguiNet: the (shareware) Windows SSH client
    7. Re:Free as in... fascism? by geekoid · · Score: 2

      Syntax aside, which one is better? By better I mean maintain security, smallest hit to bandwidth?
      That should be the first concern. If the one that is least intuitive provides more reliable security, then go with it and write yourself a script to take input in a way that's intuitive to you, and spit it out in the correct format.
      Of course, IF all things are equal, then go with the one that's easier to set up and maintain.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    8. Re:Free as in... fascism? by jelle · · Score: 1

      Agreed, and if you want a different syntax, who's to stop you taking perl and writing a translation script. Ease of configuration is a 'yeah, whatever'-issue, the firewall admin shouldn't care, because a firewall doesn't need constant reconfiguration.

      Really, for a firewall all that matters in the end is, which is more secure, reliable, and faster, for which there is no simple answer.

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
    9. Re:Free as in... fascism? by jayed_99 · · Score: 3, Interesting

      in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste/how accustomed each person is to the syntax

      Exactly!
      A standard slashdot argument is: "I use XYZ and it is easier/better than ABC."

      The reason that it's "easier/better" is that you're more familiar with it. People make judgements based on what they have experience with.

      Sure, I think that BSD is better than Linux. I think that the *BSDs firewall syntax is better than the Linux firewall syntax. I think that the *BSD ports/package system rocks compared to any Linux solution (yes, even apt). But I think these things because I use *BSD all of the time! If I used Linux all of the time, I'd look at BSD and say, "What are these stupid disk slice things? What is this disklabel crap? Can't I just make some partitions and go?"

      You can draw examples from every facet of the computer world on this subject. Emacs and vi, anyone? Perl versus Python? C++ versus Java? Generally, "better" means "the thing that I know how to use the best."

      Some things have a more difficult learning curve than others -- does that make them better? Maybe; but that shouldn't be your only criteria for judging.

      We're more prone to see things as "better" when we've invested time in learning them. And when we do compare things, we often use a suboptimal example for the thing that we don't know well -- because we don't know it well.

    10. Re:Free as in... fascism? by UU7 · · Score: 0, Troll

      hush up retard, go tweak your X
      hahahaha

    11. Re:Free as in... fascism? by Anonymous Coward · · Score: 0

      tard, who's to stop you from rewriting it, YOUR way.
      haha typical linux attitude.
      I like to USE it not tweak it all day, remember, some of us actually work.

    12. Re:Free as in... fascism? by jelle · · Score: 1

      "I like to USE it not tweak it all day, remember, some of us actually work."

      Tweak all day? Some of us can create such a script in minutes... I suggest learning perl, it will save you a bundle of time.

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
  22. Re:Tutorials by Anonymous Coward · · Score: 0


    Nice tutorials. Specific enough for the newbies, but "free flowing" enough for a veteran to scan over. Nice work.

  23. Oh Great. Not another story... by dperkins · · Score: 1

    that will surely bring out a heated discussion about which OS is better, Linux, xBSD, win95, etc...
    In the immortal words of some character from Monty Python and the Quest for the Holy Grail, "No, please! This is supposed to be a happy occasion!
    Let's not bicker and argue about who killed who..."

    --
    My sig hates me. That's ok, I never cared for it much anyway.
  24. childish acts... by Anonymous Coward · · Score: 3, Interesting

    Darren, grow up :)

    Why not just create a port for OpenBSD ?

    1. Re:childish acts... by Rostoff · · Score: 1

      You don't need to. Compile a new kernel with the necessary modules, compile the utility binaries, create ipnat.rules and ipf.rules as necessary. reboot!

  25. Maybe I just don't understand... by XaXXon · · Score: 1

    But why doesn't he just 'fix' the licensing on his code? It seems silly that the whole thing has gone this far in the first place.

    1. Re:Maybe I just don't understand... by pdqlamb · · Score: 2

      But why doesn't he just 'fix' the licensing on his code?

      He did, but not until Theo's group had almost completed the replacement pf. See the "Amusing" post above for a pretty good summary.

      It seems silly that the whole thing has gone this far in the first place.

      I think it's more sad than amusing, but silly's a good description too. In (supposedly) adults.

  26. ipfilter isn't Open Source by Anonymous Coward · · Score: 1, Informative

    So basically this is about someone bundling openbsd with a popular non-open-source product, and distributing the result. Not generally news, except that many people thought that ipfilter was open source and therefore a great flame war arose when it was clarified to be otherwise.

    1. Re:ipfilter isn't Open Source by Aknaton · · Score: 0

      Mod that up! HA HA HA!

  27. OpenBSD ISO by sethadam1 · · Score: 0, Redundant

    I thought you couldn't distribute any form of OpenBSD as an ISO?

    1. Re:OpenBSD ISO by zendeath · · Score: 2, Informative

      No no no...

      you *can* distribute OpenBSD however you like.

      The original OpenBSD CD *layout* is Copyrighted by Theo.

      Nothing stops anyone from downloading everything off of the FTP servers, and creating your own ISO image.

      --
      ceci n'est pas une signature
    2. Re:OpenBSD ISO by xonker · · Score: 2, Informative

      From the OpenBSD FAQ:


      Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.


      I guess if you want to distribute an ISO you need to make sure you build it yourself and make sure that it is different from the CD-ROMs.

      I think it's kind of silly to say that the layout is copyrighted, but no sillier than Amazon having a patent on "one-click" shopping...possibly less.

      It's a shame that Theo has to resort to this kind of thing to get people who are using the OS to actually buck up a few dollars for CDs.

    3. Re:OpenBSD ISO by Syberghost · · Score: 2

      I thought you couldn't distribute any form of OpenBSD as an ISO?

      I can see why you'd think that. Because after all, the official FAQ says you can, and the discussion comes up on Slashdot about once a month in some other story, so of course you'd think it wasn't allowed.

      WTF moderated that up?

    4. Re:OpenBSD ISO by pdqlamb · · Score: 2

      Can you *call* it OpenBSD, or does Theo have a trademark on that?

      Anybody remember the brouhaha over openssh.org last year?

    5. Re:OpenBSD ISO by Anonymous Coward · · Score: 0

      Could it be because OpenSores Lusers are a bunch of cheap bastards?
      I THINK SO!!!

  28. Re:Getting a taste of his own medicine by Phork · · Score: 1

    actually, it is The de Raadt.

    --
    -- free as in swatantryam - not soujanyam.
  29. Re:*BSD is dying by Rostoff · · Score: 1, Troll

    because a loser is a loser....

  30. Re:Getting a taste of his own medicine by fuzzyping1 · · Score: 1

    Ok, one last time... it's Theo De Raadt!!!

    -J.

  31. incorrect url by Anonymous Coward · · Score: 0, Funny
  32. Re:*BSD is dying by ChetPan · · Score: 1

    Why can't you moderate to (Score: -1, Retarded) ?

  33. Re:Getting a taste of his own medicine by rifter · · Score: 4, Informative

    If what I have read on the mailing lists is any indication, it is unlikely Theo will lose control (well, of the project anyway :) ). Most seemed to agree that this kind of stunt is exactly what Darren was trying to pull when he put the offending clause in the license in the first place. And regardless of how people feel, it seems the "Official" OpenBSD is still more trusted.

    NetBSD out of business? What? Are you smoking Moderator crack, Mr. Troll? Besides, Theo was locked out of the NetBSD project and waited almost a year (holding the only Sparc port BTW) before coming out with OpenBSD. It is not the same situation.

  34. It's the same technology.... by SpookComix · · Score: 2
    ...that is in this software that makes Windows XP more secure.

    I use it all the time. No unsecure sockets!

    --SC

    --
    You read fiction? I write it! Lemme know what you th
  35. Re:Oh Great. Not another story... by whirred · · Score: 1

    I wouldn't worry about it, but *you're* the one bringing it up...

    I think there is a lot of truth to the statement that linux is for people who have microsoft, and *BSD is for people who love unix. They are different tools for different jobs.

    I run OpenBSD for anything that requires constant stability and security. If I want to play around with multimedia and know that all my drivers are supported and goof around with random software, I use Linux.

    In short, I use Linux for most workstations and OpenBSD for servers. Once FreeBSD can really utilize multi-procs I'll probably start using it more often. I use XP as well, mainly for Photoshop and games.

    Computers are a tool. Linux is not the best tool for every job, and neither is OpenBSD. Microsoft is more of a toy than a tool to me, but it could certainly do a lot more than some of the people here give it credit for.

    If you really want to start a flame war, let's talk licenses. I think the BSD license is the best, and I'm really not into the GPL license. But that's just me..

  36. Re:Getting a taste of his own medicine by danimal · · Score: 1, Redundant
    Ok, one last time... it's Theo De Raadt!!!

    nope, it's Theo de Raadt. see his website.

  37. ClosedBSD by peter303 · · Score: 1, Redundant

    No such animal as "own" release of "Open"BSD.
    The two terms are incompatible.

  38. Re:*BSD is dying by whirred · · Score: 2, Funny

    I actually feel a nice sense of relief when I read this Troll. It just wouldn't be a slashdot *BSD story without him.

    And since he was so late today, I was actually concerned that he was the one who had died, rather than BSD.

  39. Re:Getting a taste of his own medicine by Score+Whore · · Score: 1, Redundant

    Raadt.

  40. Parent is the best summary by poemofatic · · Score: 3, Informative

    of what happened to date.

    You can read the original mix of hurt feelings, screams of piglethood, and resentment here

    --

    When in doubt, have a man come through a door with a gun in his hand.

  41. Re:Getting a taste of his own medicine by aussersterne · · Score: 1

    Theo losing control of NetBSD?

    NetBSD out of business?

    Too much crack?

    --
    STOP . AMERICA . NOW
  42. Removed for licensing issues? LOL by Anonymous Coward · · Score: 0

    So now there are two releases for the same code base. Imagine if this happens with 10 other software components, so we have 11 distributions and permutations thereof. This is the kind of crap that gives open source a bad name in data centers. No customer-centered organization would pull this kind of customer-punishing tantrum. Despite their significant missteps in security, pricing, and anti-trust law and rapacious power plays and mediocre, even Microsoft isn't stupid and arrogant enough to try this pouting puerile behavior--at least where customer alienation is at stake. Now I am sure my anti-M$ OS, OSX, was the right choice. These guys put the BS in BSD. LOL. Simply unbelievable.

    1. Re:Removed for licensing issues? LOL by alga · · Score: 1

      Hey wait, I can make my own release of OpenBSD too, but there's little chance it will catch on and cause trouble to the data centres. I believe it won't as well happen with ReedBSD. It's just a sad joke of the day...

  43. Who would use this? by evilviper · · Score: 5, Insightful

    The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.

    I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.

    While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to drop IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Who would use this? by jsimon12 · · Score: 3, Insightful

      I have to disagree with you on this one, "almost everyone" on the OpenBSD list might have loved PF, cause it was now their own little baby. But take a look at other lists (ip-filter), people were not happy with PF, last time I tried PF it was NOWHERE near as robust as IPF, as for ease of use, I would disagree there too, the syntax is similar, and IPF ALREADY was damn easy to use (compared to rulesets for CheckPoint or IP Tables or whatever). So step off dude, PF needs work before it can compare with IPF.

    2. Re:Who would use this? by Anonymous Coward · · Score: 0

      haha, thank you moderators..

      dumb trolls ..

    3. Re:Who would use this? by Anonymous Coward · · Score: 0

      I agree, without crushing dissent of its cult of personality, OpenBSD would never have achieved the resounding popularity that it enjoys today.

    4. Re:Who would use this? by epine · · Score: 2, Interesting

      Just this morning I upgraded two of my OpenBSD machines to 3.0, along with the machine I built over the weekend from scratch.

      I've used IPF since 2.6 and IMHO it wasn't nearly easy enough to use. Each line of the file is simple, but managing conceptual changes to your firewall is a royal pain in the Perl script. So far I've just read some of the new PF documentation and skimmed the PF list from time to time. I have no doubts that PF will mature rapidly, if it isn't already. I can't believe some of the new changes to the syntax weren't made years ago.

      I've been working on the IP protocol stack for a couple of years, mainly looking at some of the latency problems with TCP/IP in signal contention networks (aka cell phones). TCP was designed to handle path contention networks and it doesn't handle signal contention at all well. The packet structure of IP is not rocket science. The TCP/IP stack is a much worse beast than what PF requires, especially if you add in all the IPv6 changes (substantial). I was reading this code yesterday. It's written clearly enough, yet hard to analyse case by case.

      What matters for the new PF implementation is making correct syscalls and handling all the error returns correctly. The OpenBSD people know all the pitfalls from years of fixing other's mistakes. If you get the syscalls right, the remaining stability issue is largely semantic. The semantics are easily demonstrated by building rulesets that work.

      The third area of concern is the efficiency tricks. I think it will take another iteration at least to perfect. This area was probably neglected while the effort focussed on functionality, stability, and correctness. Try not to forget that the OpenBSD people have complete access to the IPF source code to guide them through the tricky spots.

      Theo doesn't control OpenBSD, he just controls one tree. I wasn't at all unhappy that OpenBSD chose to write PF from scratch. They've done a good job on OpenSSH, which I regard as a more challenging problem. I also regard IPv6 integration as more challenging than PF. IPv6 and IPsec are a scary beast.

      My next task is to start playing with new PF on all the new 3.0 boxes I've just configured. I'm not expecting any anguish. If my expectations are off base, I'll post again eating humble pie. I'm not saving my appetite, I don't think I'll need it.

    5. Re:Who would use this? by Anonymous Coward · · Score: 0

      Sure, it's an improvement, but it's a new one. This is the first release. Who wants to run new code? If I wanted to run new code, I would run Linux 2.4 or Windows XP, not OpenBSD.

      I'll be happy to use pf ... next year. Until then, I'll let someone else find the bugs. OpenBSD is for production, not testing.

    6. Re:Who would use this? by evilviper · · Score: 2

      You're right... Just the very fact that PF is in OpenBSD means that it has been thoroughly tested.

      This is not the Linux world... Everything is extensively tested by a huge number of people before the release even takes place. That's the problem with releasing a new kernel every week, you can't even get close to OpenBSD's 6 MONTHS of extensive testing.

      As for XP, it's nearly as old as BSD itself. XP is based on the same underlying system as Windows NT 3.XX. So don't hold your breath, it's not getting any better.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:Who would use this? by Anonymous Coward · · Score: 0

      haha tard

    8. Re:Who would use this? by uberdood · · Score: 2, Insightful

      Might I ask when you last tried PF? I'd enjoy an example of something that can be done in IPF that can't in PF.

      There are already examples of the reverse - namely:

      1) scrubbing
      2) variables
      3) listed elements allowing one line to do what takes many lines in IPF
      4) inbound and outbound rules on bridges

      Politics, flamefest, and egos aside, I simply believe PF is technically superior - based on the above things that PF can do that IPF can't - in addition to the common features of both - until proven otherwise.

      --
      "Population 1,656"
    9. Re:Who would use this? by Anonymous Coward · · Score: 0

      Currently I'm running OpenBSD 2.8 with IPF as a corporate bridging firewall and I'm building another one for our production environment so I wanted to go with OpenBSD 3.0 and PF.

      I liked the variables in PF etc but what made me go back to IPF (at least for now) is the fact that I can't do this in PF:

      count in on fxp0 from 10.10.10.10 to any
      count in on fxp1 from any to 10.10.10.10

      for traffic accounting purposes.

  44. Re:Getting a taste of his own medicine by aussersterne · · Score: 1

    Oops. Rhetorically ironic question should read: "Theo losing control of OpenBSD?"

    I had too much crack as well.

    --
    STOP . AMERICA . NOW
  45. so true ... by Anonymous Coward · · Score: 0

    ....

  46. Whoaaaaaa ! by frost22 · · Score: 1

    Whoaaaaaa ! ROTFL !

    Pissing contest, part 17. Darren vs Theo again. Folks, that's the stuff legends are made from.
    Expect flamewars of mythic proportions, and formation of the DarrenBSD Project within 6 months.

    Rumour has it that the DarrenBSD Mascot will be some fish eating animal.

    Someone bring popcorn !

    --
    ...and here I stand, with all my lore, poor fool, no wiser than before.
    1. Re:Whoaaaaaa ! by Anonymous+DWord · · Score: 1, Offtopic

      What the hell would eat a blowfish? Besides the Japanese, and I don't think you can use them as a mascot.

      --
      "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
  47. Interesting..... by jsimon12 · · Score: 0, Flamebait

    Whoever is Moderating replies on this sub, seems quite slanted towards PF. Oh well so much for unbiased media (like that EVER happens anyway anywhere). Guess I will get Trolled for this one.

  48. What a Colossal Asshole. by Anonymous Coward · · Score: 0, Flamebait

    Sure, it may be legal under the BSD license, but it's still not cool to fork off for something as stupid and trivial as this. Nice way to piss off an entire community of OBSDers. Does he think his packet filter crap is the CENTRE of OpenBSD? That's like buying a forked version of Windows that ONLY has WordPad, not Notepad. Big deal. Not enough to base a distro around. What an assholio.

    And how long does Reed think this will last, splitting up the 7000 or so OpenBSD users? What a fucking goof. He's probably just trying to hurt Theo's distro financially in retaliation for Theo not liking Reed's "Fucked up Licensing Scheme"(TM). GAY. What a waste of time. That's the opensource disadvantage- Microsoft wouldn't let shit like this happen.

    And what's up with you fucking Linux script kiddie retards worshipping Apple all of a sudden? Don't you remember the fucking GPL? Was that all talk until you could get a pretty fucking GUI?
    Sellout bastards. You disgust even me.

    As you can tell from my language, I'm a BSD user.
    OpenBSD, Closed Ports. Eat Me.

    _Monkeyman X_

    Yeah, mod me as a troll. "Mod up moderate contemporary comments that promote the status quo, mod down extreme or abrasive comments that force the truth on an unwilling herd."
    You can't handle the truth. Die, mods, die.

    1. Re:What a Colossal Asshole. by Anonymous Coward · · Score: 0

      I completely agree, it's a foolish move and foolishness is something which doesn't go well with security..... but I think his move will have almost no impact.... we happy oBSD'ers would never install a 'custom' 'md5' marked crap code from someone you can't trust.....

      and by the way the security of oBSD has never and will never be something that can be reduced to packets filter implementation....

    2. Re:What a Colossal Asshole. by Anonymous Coward · · Score: 0

      Does he think his packet filter crap is the CENTRE of OpenBSD?

      Well, most OpenBSD advocates are always going on about how it makes such a super secure firewall, and that would make the packet filtering a very important, if not the most important application for OBSD users.

    3. Re:What a Colossal Asshole. by Anonymous Coward · · Score: 0

      Ummmmm, You can get good packet filtering on Windows 95. If that's all you need, use Win95. It's easier.

      OpenBSD isn't famous for their IPFilter, it's famous for its CODE AUDITING and OVERALL ATTITUDE towards security. What they use for a firewall or whatever else isn't important, as long as it's been code audited as well. Just ask Theo. He seems to have gone on without Reed's app just fine. It's REED who keeps trying to keep the issue open by pulling stuff like this. He's a publicity hog.

      I agree with monkeyman. If Reed cared about OpenBSD he would be mature enough to leave their little community in peace and not cause any more division over a lame issue like this. We're not hearing about any of the OTHER 100+ apps Theo dealt with regarding incompatible licensing... just this one, over and over and over....because Reed wants to have his cake and eat it too, licensing-wise.

      Gloucester

    4. Re:What a Colossal Asshole. by Anonymous Coward · · Score: 0

      Exactly.

      Open Source is supposed to be about choice. Then when Theo does a license audit (as he bloody well should), Darren starts whining and saying "I'll get you for that! You can't do that!".

      Yes he can. It's open source.

      If Darren doesn't like it, he can go start his own distro (like he's *threatening* to do, and that's what this is, a threat). Nobody's gonna buy it (Darren doesn't have the cred Theo has), and like that swearing monkey guy says, it's a bitter, crappy thing to do to spite OpenBSD, and no good can come of it, but hey, it's a free world. Have a blast wasting your life putting together a cheap rip-off of OpenBSD, Darren. When you grow up you'll realize it's been a waste of time, and you should've gone to work for Apple, or written a book, or started a band, or written a kick-ass cross-platform FPS. Instead, you're copying Theo and trying to follow in his footsteps. Like the world needs another ultra-secure BSD distro. Yeah.

      Mark Donaugh Simpson

  49. fawking trolls! by Anonymous Coward · · Score: 0

    Jesus d00d, get back under your rock. Theo would only "lose control" if all the other OBSD team members said that they weren't going to listen to him and that they'd start following Dickweed Darren (who, by the way, is a fuckwit and a lousy coder). QUIT POSTING SHIT ON SLASHDOT AND SUPERSIZE MY FRIES!

  50. This is just Darren being a prick by Anonymous Coward · · Score: 0

    He doesn't allow people to modify IPF, and thus it's not an "Open" license. Secondly, he has not suite tested IPF the way OpenBSD has, so he has no justification releasing an entire "OpenBSD" set with his non-free, non-checked junk bolted to it.

    This isn't about more secure OS and packet filtering, it's about Darren boosting his huge ego and trying to tweak Theo's nose.

    Darren, you are a prick.

  51. so buy the fucking official disks by Anonymous Coward · · Score: 0

    And what do you mean "trouble"? When I'm feeling reaaaalllly lazy and cheap, I can get a perfectly good ISO for x86 (I'm not going to tell you where, because I don't want to hammer the guy's bandwidth). Even an ounce of google searching would lead you in the right direction. If you use some niche hardware platform like alpha or ppc or sparc, then $30/40 is a cheap price to pay for a top-notch OS on your oddball arch. Compare this to the cost for even the hobbyist license of tru64 or openvms on alpha, or (gag) macos on ppc, or ... In other words, you're a fool or a troll or both. NOW GO SUPERSIZE MY FRIES, YOU STUPID FUCK!

  52. IP issues by mdubinko · · Score: 1

    So, IPFilter was removed because of IP issues?

    --
    --- Learn XForms today: http://xformsinstitute.com
  53. why stick with backwards compatible? by StandardDeviant · · Score: 2

    PF has a fair number of nice features IPF doesn't have, such as variables and sets. Using them you should be able to make your new rules a lot cleaner. And, when you write something from scratch, odds are you'll do it better the second time by virtue of greater experience with the domain... PF is a Good Thing.

  54. PF mangles ports using NAT?? by Anonymous Coward · · Score: 0

    I came across an obsd mailing list thread a couple of months ago indicating that PF manipulated the ports an IPsec/IKE VPN client used when making outbound connections when used behind NAT with PF (specifically the Nortel client). This caused the connection to fail.

    Does anybody else have experience with this?? Does IPF do this properly??

    Thanks,
    Glenn

  55. ISO's by skyhook · · Score: 3, Interesting

    I've never understood why people get so up in arms about the lack of downloadable ISO's for OBSD
    How the hell hard can it be to do the following?

    mkdir ~/obsd30
    cd ~/obsd30
    [use favorite method of obtaining all files from OBSD Mirror]
    cd ..
    mkisofs -b floppy30.fs -c boot.catalog -R -o obsd.iso obsd30
    cdrecord [your options] obsd.iso

    (NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)

    I buy OBSD CD's to support the project, but I'm not waiting for them to arrive when the files are there for FTP.

    I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.

    License Bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The QMail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)

    If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.

    1. Re:ISO's by Balp · · Score: 1

      > mkisofs -b floppy30.fs -c boot.catalog -R -o obsd.iso obsd30

      You could even better use the cdrom30.fs, and there are bootable ISOs from OpenBSD on the net. It's just that those aren't official OpenBSD images.

  56. I suggested this years ago for netscape. by hawk · · Score: 3
    It was the obvious solution to M bundling browsers with operating systems: netscape should have responded by including an operating system with the browser.


    lots of engineers for wine would have been nice, too, but bundling netscape, a bsd (or linux), and the (then) personal use version of staroffice, and they could have kicked a good chunk of the low-end clean out from under microsoft.


    hawk

    1. Re:I suggested this years ago for netscape. by rodgerd · · Score: 2

      Actually, they already had. The JVM environment in Nav 3 was supposed to make the operating system redundant. Netscape trumpeting this was one of the reasons that MS got so heavy on browsers around that time.

    2. Re:I suggested this years ago for netscape. by Doctor+Memory · · Score: 1

      netscape should have responded by including an operating system with the browser.

      Yeah, like Emacs!

      --
      Just junk food for thought...
    3. Re:I suggested this years ago for netscape. by nusuth · · Score: 1
      Were you sober at that time? Linux even now is barely usable for desktop, it sucked hard back then. And who in their right mind would install an operating system just because they wanted to use a particular browser? I didn't do that when my bank disallowed anything but IE for online transactions which we use quite often. Why would anyone do the opposite?

      And did netscape suck! Windows port crashed every hour, linux port crashed every fifteen minutes. It was by no sane definition of the word usable. At least linux port didn't take the whole system with it.

      Don't get me even started on staroffice single desktop and centuries of loading time.

      --

      Gentlemen, you can't fight in here, this is the War Room!

    4. Re:I suggested this years ago for netscape. by kiwipeso · · Score: 0

      Good idea, AOL may do this.
      AOL has been rumored to want RedHat and now they are suing microsoft.
      If AOL start releasing free CDs of RedHat linux with netscape / mozilla built in for AOL access and staroffice, they take on microsoft for free in the OS and office areas microsoft can't afford to make free.

      This is a good tactic to use as it is microsoft's standard plan for dominance in a place where they can't use it.
      BTW, it's also part of my personal plan for KaosBSD. The OS is almost free, but the selling point is the killer apps that are a free part of the system.

      The unique way KAOS apps run is the big advantage, the apps can't crash.
      Can anyone say the same for microsoft or apache?

      --
      - Kaos games and encryption systems developer
    5. Re:I suggested this years ago for netscape. by hawk · · Score: 2
      >Were you sober at that time?


      :)


      Yes. Netscape 3 rarely crashed on linux. The separate windows (and lower memory requirements) were one of the reasons I continued using StarOffice 3 even into the 5.0 era.


      It wouldn't have been so much installing an OS to use the browser, but starting with the OS in the first place and not having a need for windows.


      hawk.

  57. Re:Getting a taste of his own medicine by Kirruth · · Score: 3, Insightful
    Well, you know, secure systems that aren't designed by obsessive control freaks aren't secure systems.

    Only the paranoid survive and all that.

    --
    "Well, put a stake in my heart and drag me into sunlight."
  58. typical slashdot by Anonymous Coward · · Score: 0

    You people are pathetic.

    I wonder how many of you mindless drones have actually coded a real project? Why don't you people put your money where your mouth is and show Darren how it's done - write your own, from scratch, on your own time, for free.

    He said the license applies to the development version, that's it.

    Get over it.

  59. Darren Reed's latest license for IPFilter by kjj · · Score: 3, Insightful


    Copyright (C) 1993-2002 by Darren Reed.

    The author accepts no responsibility for the use of this software and
    provides it on an ``as is'' basis without express or implied warranty.

    Redistribution and use, with or without modification, in source and binary
    forms, are permitted provided that this notice is preserved in its entirety
    and due credit is given to the original author and the contributors.

    The licence and distribution terms for any publically available version or
    derivative of this code cannot be changed. i.e. this code cannot simply be
    copied, in part or in whole, and put under another distribution licence
    [including the GNU Public Licence.]

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.

    I hate legalese, don't you ?

    Ironic that this relatively short license which is somewhat BSD style is actually copyleft or "viral" in nature. Look closely at the section before the disclaimer boiler-plate. Maybe it should be called the DPL (Darren Public License). BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?

    1. Re:Darren Reed's latest license for IPFilter by Kevinv · · Score: 1

      I think the arguments against this license are the opposite of those BSD people make against GPL.

      GPL is disliked by BSD because it forces developers to release derived software under GPL.

      BSD people dislike the above because it doesn't allow relicensing.

      The BSD license allows derivative software to be licensed any way the developer of the derivative software wishes (even as proprietary).

    2. Re:Darren Reed's latest license for IPFilter by JudTaylor · · Score: 1

      I like it a lot when very important documents, destined to survive for eons by riding code that will serve for all time, include typos.

  60. why theo being a prick is a good thing (tm)... by psxndc · · Score: 3, Insightful
    I think it's great that Darren released his own version of OpenBSD. I hope that many people will in fact use it and love it. I however will not be one of those people. See, to me, Theo and his attitude are good for the OS. Theo wants things his way(tm) or the highway. This means that only software that _he_ wants to run and use will be included. Would you write software that you wouldn't trust or use? Given that the rest of the OpenBSD team checks Theo's work too, I trust that the OpenBSD product will be a robust, secure OS. Darren's product AFAIK will only be audited by himself. This to me is not as secure or as desirable as the official OpenBSD product and therefore won't be used by me for the whole reason of using OpenBSD: security. I've never met Theo, and from what I understand he can be a real ass, but something about his analality (??) helps me sleep at night not worrying about my home network getting haX0red.

    psxndc

    --

    The emacs religion: to be saved, control excess.

    1. Re:why theo being a prick is a good thing (tm)... by Anonymous Coward · · Score: 1, Informative

      I agree. I like the idea of Theo and company sticking to their principles and not looking the other way when it came to the ipf license. Ahem.

      I also trust and respect the work that the OpenBSD team does.

      I cannot say the same for Reed. In fact, have a look at the Jan 02 openbsd-users mailing list, Reed was asking for help compiling obsd. How much would you trust his distro?

      AC

  61. XAUTH authentication through FTP proxy by Anonymous Coward · · Score: 0

    Help, I've mailed the maintainer of the FTP proxy in PF, but I didn't get an answer.

    Is XAUTH authentication through a FTP proxy possible? I need this for WS-FTP automated uploads.

    see:
    http://false.net/ipfilter/2001_05/0378.html for full description

    J.Kobierczynski

    1. Re:XAUTH authentication through FTP proxy by Anonymous Coward · · Score: 0

      dude, ws-ftp sucks. use leechftp, or cuteftp if you really don't feel happy about using zero cost software...

  62. not "as viral" by hawk · · Score: 2
    It doesn't attempt to control linking and inclusion. Viral (gpl) means that if you use A, which is any license, and B, which is GPL, under many (not all) circumstances, your final output must be GPL.


    This lets the two pieces mix, match, mate, link, whatever without trying to control the output.


    hawk

    1. Re:not "as viral" by Dehumanizer · · Score: 1

      "Viral (gpl) means that if you use A, which is any license, and B, which is GPL, under many (not all) circumstances, your final output must be GPL. "

      For "use", read "use code from", of course.

      --
      The Tlog - a technology blog
    2. Re:not "as viral" by hawk · · Score: 2
      >For "use", read "use code from", of course.


      no, of course not.


      also "link to", and in certain circumstances, "distribute with."


      hawk

    3. Re:not "as viral" by Dehumanizer · · Score: 1

      Yes, "link to" is right. But I've never heard of a "distribute with" requirement.

      Anyway, what I mean is that there are no restrictions on "use", like installing and running.

      --
      The Tlog - a technology blog
  63. Re:Getting a taste of his own medicine by mirabilos · · Score: 1

    I'm not sure whether
    Theo de Raadt
    or
    Theo deRaadt

    I've seen both, and the latter being used
    more often.
    The "de" is a Sir's predicate (I don't know
    the exact English expression for it) and in
    several countries it's separated,
    but it also can count as part of the name.

    Please enlighten me, Theo ;)

    By the way: I call OpenBSD's version of
    The Daemon (beastie ;) Theo.
    Check: http://www.openbsd.org/images/newhead.jpg

    --
    My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
  64. I just installed OpenBSD 3.0 yesterday.... by Malor · · Score: 5, Informative

    I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.

    On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case :-) )

    I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.

    Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.

    I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original. :-)
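The last-match caveat described in the comment above, as an added example that is not part of the original thread and is not pf or ipfilter code: a small evaluator for a simplified subset of the rule syntax (the grammar, function names and sample packets are constructed for illustration, using documentation address ranges). It shows how a ruleset written with first-match habits blocks everything under last-match evaluation, and how `quick` or reordering restores the intended policy.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    quick: bool
    iface: Optional[str]     # None means any interface
    proto: Optional[str]     # None means any protocol
    src: object              # ip_network, or None for "any"
    dst: object
    port: Optional[int]      # destination port, None means any
    text: str


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _net(word):
    return None if word == "any" else ipaddress.ip_network(word, strict=False)


def parse_rule(line):
    """Parse: ACTION DIR [quick] [on IF] [proto P] from SRC to DST [port N]."""
    tok = deque(line.split())

    def take():
        if not tok:
            raise ValueError(f"truncated rule: {line!r}")
        return tok.popleft()

    action, direction = take(), take()
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"bad action or direction: {line!r}")
    quick = bool(tok) and tok[0] == "quick"
    if quick:
        take()
    opts = {}
    for key in ("on", "proto"):
        if tok and tok[0] == key:
            take()
            opts[key] = take()
    if take() != "from":
        raise ValueError(f"expected 'from': {line!r}")
    src = _net(take())
    if take() != "to":
        raise ValueError(f"expected 'to': {line!r}")
    dst = _net(take())
    port = None
    if tok and tok[0] == "port":
        take()
        port = int(take())
    if tok:
        raise ValueError(f"trailing tokens: {line!r}")
    return Rule(action, direction, quick, opts.get("on"), opts.get("proto"),
                src, dst, port, line)


def matches(r, p):
    return (r.direction == p.direction
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and r.port in (None, p.dport))


def evaluate(rules, pkt, first_match=False):
    """Return (action, deciding rule text). first_match=True models the
    stop-at-first-match reading; the default is last match wins."""
    decision = ("pass", None)      # a packet matching no rule is passed
    for r in rules:
        if matches(r, pkt):
            decision = (r.action, r.text)
            if r.quick or first_match:
                break              # 'quick' ends evaluation at this rule
    return decision


def with_quick(line):
    parts = line.split()
    parts.insert(2, "quick")
    return " ".join(parts)


def verdicts(lines, first_match=False):
    rules = [parse_rule(l) for l in lines]
    return [evaluate(rules, p, first_match)[0] for p in SAMPLE]


# Constructed policy: ssh from the admin net only, web from anyone, rest blocked.
FIRST_MATCH_STYLE = [
    "pass in on fxp0 proto tcp from 192.0.2.0/24 to any port 22",
    "block in on fxp0 proto tcp from any to any port 22",
    "pass in on fxp0 proto tcp from any to any port 80",
    "block in on fxp0 from any to any",
]
LAST_MATCH_STYLE = [
    "block in on fxp0 from any to any",
    "pass in on fxp0 proto tcp from any to any port 80",
    "pass in on fxp0 proto tcp from 192.0.2.0/24 to any port 22",
]
SAMPLE = [  # constructed packets: admin ssh, outside ssh, web, smtp
    Packet("in", "fxp0", "tcp", "192.0.2.10", "203.0.113.5", 22),
    Packet("in", "fxp0", "tcp", "198.51.100.7", "203.0.113.5", 22),
    Packet("in", "fxp0", "tcp", "198.51.100.7", "203.0.113.5", 80),
    Packet("in", "fxp0", "tcp", "198.51.100.7", "203.0.113.5", 25),
]

if __name__ == "__main__":
    print("intended (first match):", verdicts(FIRST_MATCH_STYLE, True))
    print("same rules, last match:", verdicts(FIRST_MATCH_STYLE))
    print("same rules with quick: ", verdicts(map(with_quick, FIRST_MATCH_STYLE)))
    print("reordered, last match: ", verdicts(LAST_MATCH_STYLE))
```

The opposite ordering mistake fails open: a specific `block` followed by a broad `pass` lets the packet through under last-match evaluation, which is the case worth checking for when porting first-match rulesets.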

  65. Custom OpenBSD 3.0 boxes by Anonymous Coward · · Score: 0

    Imagine a Beowulf Cluster of THESE!!!

  66. A clarification by Srin+Tuar · · Score: 2

    BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?

    In that sense, the BSD is just as viral as the GPL. What they whine about is different:


    BSDites are under the illusion that they may one day want to close access to the source and become the next SUN. (This is exactly what Bill Joy did)


    They feel that if they use the GPL they won't be able to commercialize in the microsoft sense, which is true unless they own all contributions.


    Although they make a lot of good server and security code, the BSD programmers have a really uptight and clannish community.

    1. Re:A clarification by Anonymous Coward · · Score: 1, Interesting

      BSDites are under the illusion that they may one day want to close access to the source and become the next SUN. (This is exactly what Bill Joy did)

      They feel that if they use the GPL they won't be able to commercialize in the microsoft sense, which is true unless they own all contributions.

      Bollocks. Is it so hard to understand that we're just giving away our code? No agenda, we just want people to use it with the only condition being that our names remain on the source?

      Freedom. For people to use, or abuse, and unenforced by us. The difference between BSD and GPL.

  67. Re:Getting a taste of his own medicine by Theo+DeRaadt · · Score: 5, Funny

    To settle this once and for all, my name is Theo DeRaadt. Happy?

    --

    --
    Theo DeRaadt
    Founder, OpenBSD project.
  68. I'm sticking with 2.9, but only for a little while by jet_silver · · Score: 3, Interesting

    This story made me laugh my bag off.

    TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).

    I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.

  69. This is a shame for Opensource by lamj · · Score: 3, Interesting

    I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly changes his mind about his work and then another keeps bashing and won't let IPF re-unite with OpenBSD even after some modification to the license.

    I guess the moral of the story is that, all Opensource developers should bond more together and remember our real goal for opensourcing. There may be slight difference in opinion but we should get over the difference and try to produce the best software with minimal effort.

    By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....

    Being a security consultant, I will still recommend OpenBSD as FW platform, but I would wait a bit before PF, simply for the need for enough track record to be made. Let time prove this firewall, so to speak.

    1. Re:This is a shame for Opensource by befletch · · Score: 3, Interesting

      I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly changes his mind about his work and then another keeps bashing and won't let IPF re-unite with OpenBSD even after some modification to the license.

      Yes, there were lots of childish comments. However, doing a code-weighted-average in my head, it seemed like the OpenBSD group was pretty calm and considered about the whole thing. Not that I'm completely unbiased, I guess.

      A more important point is that aside from the fact that pf was pretty much a fait accompli when Darren changed his license, Theo had a very good reason for not going back to ipf - the license change is still not open enough for OpenBSD to include ipf in the kernel.

      Theo et al want OpenBSD to be usable by anyone for anything, which means that Darren's, "you can't change the license terms," clause is still a problem. (See item #2 on OpenBSD's goals page.) As far as Theo is concerned you are fully welcome to fork OpenBSD (along with pf) and license your version under the GPL, if that is your desire.

      If you don't share or value that goal, fine. But criticising Theo and/or OpenBSD for maintaining these goals is a little harsh.

      --
      If you say, "now I'll be modded down because of X", I'll happily oblige.
    2. Re:This is a shame for Opensource by uberdood · · Score: 2

      another keeps bashing and won't let IPF re-unite with OpenBSD even after some modification to the license


      I'd leave your troll alone, except for the upmodding it has received from some idiot.

      *NOTHING* prevents you from downloading IPF and compiling it into OpenBSD. There are *MANY* packages that aren't a part of the distribution. There are even more source tarballs that aren't part of the distribution. You want it, add it. What is so hard to understand about this?

      I guess the moral of the story is that, all Opensource developers should bond more together and remember our real goal for opensourcing.

      And OpenBSD believes in that. If one looks at the license of IPF, one realizes Darren doesn't believe in that in regards to his changing license on IPF (changing from vague to strict to loose).

      By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....

      And that's a bad thing? Should software only go through one audit?

      As I mentioned in a prior message, PF adds some new features (which I greatly appreciate) that I didn't have with IPF.

      Being a security consultant

      Welcome to the /. crowd. We'd offer you the secret handshake but we don't know your public key.

      but I would wait a bit before PF

      What's a bit? How long is long enough? How do you know someone didn't hack Darren's distribution? Have you run MD5 sums on all files in Darren's release to make sure that except for his changes, the code is still true OpenBSD? Did you audit his source code? How do you know he didn't inadvertently introduce a flaw into OpenBSD?

      --
      "Population 1,656"
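The checksum comparison asked about in the comment above, as an added example that is not part of the original thread: hash every file in a trusted reference tree and in the tree under review, then list what was added, removed or changed, and flag differences outside the areas the fork says it touched. It uses SHA-256 rather than MD5 because MD5 collisions are practical; the directory layout, file names and the `sys/filter/` prefix are constructed placeholders.

```python
import hashlib
import os
import tempfile


def hash_tree(root, algo="sha256"):
    """Return {relative path: digest} for every file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        # os.walk does not descend into symlinked directories; record them too.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(filenames + links):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Compare the link target instead of following it out of the tree.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.new(algo)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(reference, candidate):
    """Compare two trees by content hash."""
    ref, cand = hash_tree(reference), hash_tree(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(p for p in set(ref) & set(cand) if ref[p] != cand[p]),
    }


def unexpected_changes(diff, expected_prefixes):
    """Differing paths that fall outside the areas the fork claims to modify."""
    paths = diff["added"] + diff["removed"] + diff["changed"]
    return sorted(p for p in paths
                  if not any(p.startswith(pre) for pre in expected_prefixes))


def _write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        cand = os.path.join(tmp, "candidate")
        _write_tree(ref, {
            "bin/ls.c": b"ls v1",
            "sys/kern/init.c": b"init v1",
            "sys/filter/new_filter.c": b"new packet filter",
        })
        _write_tree(cand, {
            "bin/ls.c": b"ls v1",
            "sys/kern/init.c": b"init v1 with an undeclared edit",
            "sys/filter/old_filter.c": b"old packet filter",
        })
        diff = diff_trees(ref, cand)
        return diff, unexpected_changes(diff, ("sys/filter/",))


if __name__ == "__main__":
    diff, unexpected = demo()
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
    print("outside declared scope:", unexpected)
```

The comparison only narrows the review to the files that differ; the reference tree has to come from a source you already trust, and every differing file still needs to be read.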
    3. Re:This is a shame for Opensource by lamj · · Score: 1

      I'd leave your troll alone, except for the upmodding it has received from some idiot.

      I am sorry if I was trolling but that really wasn't my intention.

      I understand that nothing is preventing people from using IPF on OpenBSD. I am sorry if my original statement is misleading. What I really meant was since IPF was scrapped they were already heading straight to PF, even if IPF changes the license to suit OpenBSD, they would never forget about PF and just take IPF back.

      Please understand that I am not taking sides on this matter, just presenting my thoughts about Opensource. I do not know why you have your frame mode on, but if I offended you, Sorry. I apologize.

      I have taken a brief look at PF myself, like you said there are features that would be great for all of us. We should always appreciate when another new tool comes up.

      For PF, I would wait till some more sites start using it and then I will test it in my testing ground before taking it out to the field, I would stick with IPF for the time being. I really have nothing against using it when it gets mature.

  70. another chapter in the *BSD soap opera by Tassach · · Score: 1

    Remember- it was Darren who changed his license which forced the OpenBSD team to remove his packages from the distro.


    These *BSD pissing matches serve no constructive purpose. Being an obsessive control freak can at times be a good thing, but when you let it get in the way of accomplishing your stated goals, you need to step back and take a deep breath.


    I

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    1. Re:another chapter in the *BSD soap opera by __past__ · · Score: 1
      *BSD pissing match ... obsessive control freak...

      Funny - I never saw a page listing "BSD-compatible licenses", nor did I realize BSDers acting like the Spanish Inquisition when someone doesn't play to their rules, like some others do.

    2. Re:another chapter in the *BSD soap opera by Anonymous Coward · · Score: 0

      That's a pretty cool signature. The Rock was on tv the other night, though it was pretty poorly edited. Don't worry, you almost look clever, though!

    3. Re:another chapter in the *BSD soap opera by Anonymous Coward · · Score: 0
      Yet another one of the ongoing *BSD pissing contests. Their ship is sinking, and instead of bailing water, they blow more holes in the hull.

      All which leads one to ask so why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

  71. Re:Getting a taste of his own medicine by jazman_777 · · Score: 2, Funny
    It is ironic, yet just desserts, that Theo is now losing control of the OpenBSD project, to a man with whom he has had many personal spats in the past.


    Darren Reed wresting control of OpenBSD from Theo? Are you serious? Did Theo wrest control of NetBSD from whomever? No, he just started his own BSD. From what I can tell, NetBSD is chugging along just fine. Darren can do the same, create "OpenBiggerEgo" or something; if it ends up better, great.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  72. Re:Shit by Anonymous Coward · · Score: 0

    That was you? Damn, that stunk.

  73. Wrong and wrong by Arker · · Score: 5, Informative

    He's definitely changed it.

    The first version said "Redistribution and use in source and binary forms are permitted provided that this notice is preserved and due credit is given to the original author and the contributors."


    Everyone had assumed that use included modification. Darren got pissed at Theo and started claiming that it did not. To quote Darren at the time: "Yes, this means that derivative or modified works are not permitted without the author's prior consent." He claimed that this was not a change to the license, but it was certainly a change from the way everyone using it had thought it was to be read. This was what provoked OBSD to remove his package. If the other BSD teams were true to their principles they would have removed it too, at this point, and actually they might have if Darren hadn't lobbied them heavily and agreed to change it for them. Which he eventually did. If he's still claiming that he never changed the license then he's just exposing himself as a shameless liar - the first case it sort of made sense to claim he wasn't *changing* the license but only clarifying (although he's on record earlier that it amounted to "public domain" - his words - which shows that he was really lying even then - his reinterpretation was definitely novel even in his own mind, even if he wouldn't admit it). But the new license actually changes words in the license itself, it's not just a "clarification" by any stretch of the imagination. The license on the versions he's distributing now says "Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors." It also has a viral clause prohibiting its incorporation into anything under a different license, such as GPL or BSD. This was not a part of the original license.


    For comparison:

    The original license, for example from the ip_fil.c in NetBSD 1.5, is:

    /*
    * Copyright (C) 1993-2000 by Darren Reed.
    *
    * Redistribution and use in source and binary forms are permitted
    * provided that this notice is preserved and due credit is given
    * to the original author and the contributors. */

    The complete LICENSE file, as included with NetBSD 1.5 and the original ip_fil3.4.17 source distribution, is:

    /*
    * Copyright (C) 1993-2000 by Darren Reed.
    *
    * The author accepts no responsibility for the use of this software and
    * provides it on an ``as is'' basis without express or implied warranty.
    *
    * Redistribution and use in source and binary forms are permitted
    * provided that this notice is preserved and due credit is given
    * to the original author and the contributors.
    *
    * This program is distributed in the hope that it will be useful,
    * but WITHOUT ANY WARRANTY; without even the implied warranty of
    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    *
    * I hate legaleese, don't you ?
    */

    Pretty much the same license, the second just has some disclaimers added. This was the license he first described as "public domain" (search for my comments on past articles on this and you should find a link to where he stated that) - and then "clarified" at a later date to prohibit modification.

    Now, the license on the version he is distributing today, with an explicit allowance for modification, and the new viral clause:

    Copyright (C) 1993-2002 by Darren Reed.

    The author accepts no responsibility for the use of this software and provides it on an ``as is'' basis without express or implied warranty.

    Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors.

    The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied, in part or in whole, and put under another distribution licence [including the GNU Public Licence.]

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    I hate legalese, don't you ?
    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  74. Theo's legendary patience by discogravy · · Score: 5, Funny

    Given Theo's legendary patience and understanding, I'm sure that Theo and Darren can find a compromise they can live with and work this out.

  75. Serious conspiracy. by rice_burners_suck · · Score: 2

    This particular conflict concerning the fine OpenBSD operating system is not as simple as it seems at first glance. As a matter of fact, I believe this is a huge conspiracy by Darren Reed and his organization to eventually distribute an operating system nearly identical to OpenBSD, but with one slight modification: Darren Reed's version will include IPFilter.

    A little more investigation on your part will reveal that this is more or less what's actually going on, rather than what we're being told.

  76. Re:Getting a taste of his own medicine by LiquidPC · · Score: 1

    So uh how is this taking Theo's control away from
    OpenBSD, and when did NetBSD go out of business?
    I suggest someone read everything he types before
    he hits the submit button.

  77. Re: ipfilter easier to use than netfilter/iptables by Anonymous Coward · · Score: 0

    He said 'ipfilter' is easier to use than iptables/netfilter, not iptables is easier than ipfilter. Re-Read it again. ;-)

  78. I'm sticking with Theo and the boys. by grub · · Score: 2


    If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.
    It has likely taken him way longer to set up his own installer and layout than if he had just grown up and listened to reason.

    No thanks, I'm sticking with the official OpenBSD CD sets.

    hrm.. does Reed's come with a cool music track like OpenBSD 3.0 had on CD 2? :)

    Go Theo!

    --
    Trolling is a art,
    1. Re:I'm sticking with Theo and the boys. by The+Finn · · Score: 2, Interesting
      If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.

      s/Darren Reed/Theo de Raadt/

      a little courtesy on both sides could've gone a long way. Theo truly brings out the best and worst in people.

      --
      NetBSD: the cathedral vs the bizzare.
  79. dfeldman does not understand. by mr · · Score: 2

    Looking at the actual licence:
    server# pwd
    /usr/src/contrib/ipfilter
    server# cat IPFILTER.LICENCE
    Copyright (C) 1993-2001 by Darren Reed.

    The author accepts no responsibility for the use of this software and
    provides it on an ``as is'' basis without express or implied warranty.

    Redistribution and use, with or without modification, in source and binary
    forms, are permitted provided that this notice is preserved in its entirety
    and due credit is given to the original author and the contributors.

    The licence and distribution terms for any publically available version or
    derivative of this code cannot be changed. i.e. this code cannot simply be
    copied, in part or in whole, and put under another distribution licence
    [including the GNU Public Licence.]


    There is the licence. Now, what part of with or without modification == "he cannot stand to give the public the right to modify" ?

    Oh, that's right. This is slashdot. "Let not facts get in the way of promoting all things Linux." From your post "IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4," All that 'ass kicking' must be why the 2.4 series is The kernel of pain. Your anger is that the fine code of IPFilter can't be GPLed is all.

    --
    If it was said on slashdot, it MUST be true!
  80. Re:Getting a taste of his own medicine by Score+Whore · · Score: 1

    I'd mod you up (+1 Informative, but useless information.), but I posted.... :(

  81. reply to anon coward post: by Srin+Tuar · · Score: 2

    Bollocks. Is it so hard to understand that we're just giving away our code? No agenda, we just want people to use it with the only condition being that our names remain on the source?



    The point at hand was not "why choose the BSD", but rather "why are BSDer's typically so GPL hostile?"


    I've got nothing against someone slapping a BSD on a piece of good code- that is something to be admired. Especially because I can combine it with GPL'd source and distribute the product.


    What I'm talking about is things like the SSLeay licence: a BSD license with a nasty clause saying that it cannot be combined with anything GPL as a special (annoying) tack on. (which remains in openssl till today)


    The above may explain the creation of the GNUtls project to an extent, and that's the kind of thing I'm talking about.

    1. Re:reply to anon coward post: by Dahan · · Score: 2
      The point at hand was not "why choose the BSD", but rather "why are BSDer's typically so GPL hostile?"

      'cuz GPL advocates love to trumpet how GPLed software is so free, when its viral nature puts restrictions on that freedom, making it less free than BSD licensed software. Nobody wants to catch a nasty virus... Public domain is more free than BSD, which is more free than GPL.

    2. Re:reply to anon coward post: by ejasons · · Score: 1

      I see a purpose for both licenses. I think that something that is expected to be extended, like gcc, is much better off with the GPL. Libraries and such I would prefer to be BSD.

      On the other hand, how much good has it done us (the community) for the Linux kernel to be under the GPL versus BSD, when anything "interesting" can just be built as a kernel module? Take Tivo as an example.

      And in terms of "freeness", consider that BSD code may be used in a GPL program, with the results still under the GPL. The reverse is definitely not true!

  82. pf - packet filter details by CrudPuppy · · Score: 2, Informative

    I have recently installed OpenBSD on my home
    router-firewall-workstation after running
    2.6 - 2.9 and lemme tell ya, pf ROCKS

    with less than 10 lines changed across 4 files in
    /etc I was able to get the following configured
    for my network:

    -firewalling (enable pf in /etc/rc.conf and put
    4 rules in /etc/pf.conf)
    -full nat (enable ip forwarding in /etc/sysctl.conf
    and put 1 line in /etc/nat.conf)
    -full port forwarding with ip header rewriting (put
    2 lines in /etc/nat.conf)

    so simple, so powerful, and BUNDLED!

    'nuff said

    --
    A year spent in artificial intelligence is enough to make one believe in God.
  83. ??? by HiThere · · Score: 2

    Re:Removed for licensing issues? LOL

    What's wrong with lots of distributions? Seems like a good idea to me. People use whichever one they want. You trust Theo, you use OpenBSD, you prefer someone else, you use another version. Isn't that what OpenSource is about? Isn't what people like about BSD over Linux that you're even allowed to close the source? (I don't think that's such a good idea, but I don't use it, so that's fair.)

    Is there some reason that there shouldn't be multiple distributions? Some will be more popular, others will slowly fade. Perhaps all will, but there's certainly a better chance if there are multiple sources.

    The only thing that's too bad about this is the acrimony. Pity. But then I've known people who enjoyed that. I don't know the participants, but judging from the commentary, these might be some of them. In which case no problem.

    Are you worried about what the newspapers will say? I can almost guarantee that they'll totally ignore it.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  84. IPF NOT in ports by John+Whorfin · · Score: 1

    In a move I certainly don't agree with it was deemed that there would be no IPF in the ports tree.

    While I think that Darren needs to seek serious psychological help, banning IPF from the ports tree was dumb.

    1. Re:IPF NOT in ports by don_carnage · · Score: 1

      I stand corrected. Thanks for the clarification.

  85. No port of IPF by John+Whorfin · · Score: 1

    Personally I'd probably never use IPF over PF but oddly, IPF has been banned from the official ports tree.

    Yeah, a port could be made, but there will never be 'cd /usr/ports/security/ipf && make install'

    1. Re:No port of IPF by Balp · · Score: 1

      Seems like everything that modifies the kernel is banned from being a port. Main reason seems to be that today there is no possibility to build a packet of such a port that could be installed on other hosts.

  86. Re:Getting a taste of his own medicine by Tony-A · · Score: 2

    Designed?
    Designed. Tested. Audited. Coded. Used. Abused.
    Only the paranoid stand a chance.
    You find one bug. You get all his friends and relations.

  87. That's why I don't use BSD... by Anonymous Coward · · Score: 0

    Some guy disagrees with something and there you have it: a new version pops.

    Us, Linuxers, we got pretty good coders (Linux, Alan et al.), very skilled, that create a solid, monolithic kernel.

    Ah, if only they had a little more centralization instead of this anarchy...

    Have a nice day!

    1. Re:That's why I don't use BSD... by Anonymous Coward · · Score: 0

      By they, I meant the BSD folks, hmmmkay?

      Just to make things clear.

      Have a nice whatever you have where you are.

    2. Re:That's why I don't use BSD... by Anonymous Coward · · Score: 0

      Yeah and Alan has his own kernel and Redhat has its own kernel and the mac68k folks and patches here and patches there and...

      See http://linux.html.it/articoli/rik_van_riel_en1.htm
      and learn something.

  88. Great. I know what is coming next.... by oobeleck · · Score: 2, Funny

    Slashdot Headline: Custom OpenBSD 3.0 With djbdns/Qmail From Dan Bernstein

    # dmesg|more
    OpenBSD 3.0 (I_HATE_THEO!!!) #1: Thu Oct 18 14:48:27 MDT 2001
    djb@cr.yp.to:/usr/src/sys/arch/i386/I_HATE_THEO!!!

    Where will the insanity stop?

  89. BSD logo by MobyTurbo · · Score: 1

    Now BSD's logo will need four prongs on the pitch-*fork* instead of three. ;-)

  90. Id love to see pf in FreeBSD by ChocoboKnight · · Score: 1

    Does anyone know of plans of porting pf to FreeBSD?

    1. Re:Id love to see pf in FreeBSD by Anonymous Coward · · Score: 0

      He has decided not to port it, because after some preliminary study he has determined that *BSD is dying.

  91. Picking a Firewall (was: Free as in... fascism?) by Frater+219 · · Score: 2
    Syntax aside, which one is better? By better I mean maintain security, smallest hit to bandwidth? That should be the first concern. If the one that is least intuitive provides more reliable security, then go with it and write yourself a script to take input in a way that's intuitive to you, and spit it out in the correct format. Of course, IF all things are equal, then go with the one that's easier to set up and maintain.

    Believe me, there are other measures involved in picking a firewall besides its security (where there are a lot of decent entries) and its cost in terms of latency. (It isn't likely to hit bandwidth unless it's overloaded, btw.) The factors that I see involved in picking firewall kit shake out into two categories: technical and social, as follows.

    Technical factors:

    • Transparency. For design reasons, we need a bridging firewall, not a routing firewall. (In network jargon, Layer 3 inspection, Layer 2 operation.) That is, the firewall must not appear as a hop in a traceroute; it needs to act like a filtering switch, not a filtering router. Among other things, this makes it harder for an attacker (or a disgruntled user) to know where the firewall is, or how it works.
    • Security. This is the "no-brainer" of the bunch. A firewall that is itself at any avoidable risk of compromise is simply out of the running. Moreover, a firewall should be as preëmptively secure as possible: it shouldn't need a lot of maintenance to keep it that way. This leads into ...
    • Reliability. I need a system which is not going to fail or fall over, and which is not going to need a lot of ongoing administration for the underlying system. Ideally, it should (for instance) be able to go for months without needing to be patched or upgraded. (Needless to say, it should be a minimal system.)
    • Versatility. I'd like to be able to do more than just "block this host" or "allow that host to receive nothing but SSH sessions". Being able to easily plug in things like application proxies, tunnels, and other security enhancements is a significant plus. Of course, being sure that these things will work correctly in bridging mode (see above) is essential.

    Social factors:

    • Documentation. I need to be able to bring the other staff up to speed on this system quickly and comprehensively. Complete -- and complete-sounding -- documentation is a must. HOWTOs with sections that say "(Need to finish writing up such-and-so a feature)" do not inspire confidence, in either the firewall itself or in the security administrator pushing that firewall. Moreover, see under "boss-proofness" below.
    • Ease of use ... for our definition thereof. Since we don't have the funding to beef up our security staff, most of the people who will be doing network monitoring here are Unix sysadmin types. They don't like GUIs and Web interfaces of the sort that commercial firewalls-in-a-box offer. They like vi. They like languages that are easy to edit in vi, and which conform to their (okay, "our") Unix-biased idea of how languages should work. (Hint: pf supports shell variables. That's a plus.)
    • Boss-proofness. My boss's first idea when I mentioned we needed a new firewall was to the effect of, "Let's just do that on our Cisco routers. I can always hire a CCN* if you quit." He's fond of "standard" systems, "supportable" systems, and things he thinks he can easily hire new staff to maintain in the event that current staff might not be around forever.

      The next best thing to "You can hire someone with thus-and-so certification, and you're guaranteed they can write new rules for this right away" is something like "This system is so straightforward that anyone who knows Unix can pick it up in an hour and write new rules for it. Oh, and here's the complete documentation -- and I can assure you that there are ...

    • ... No surprises." 'Nuff said.

    I'm not saying OpenBSD is the only system that can meet these goals. (After all, I'm still waiting on the OpenBSD 3.0 CD to show up so I can set up a testbed to prove it's a better choice than more Cisco gear.) I'm saying it's not quite as easy as "pick whatever works and doesn't eat the network, and wing the rest."

  92. Re:Custome OpenASS 3.0 with hetero filter... by Dragnet · · Score: 0

    The funny thing here is that some poor moderator gave this +1 Insightful, LOL!

  93. Re: ipfilter easier to use than netfilter/iptables by Anonymous Coward · · Score: 0

    > Due to the restrictions on the IPF license.

    That's not it at all.

    It was because the code was so damned hard to get
    around in. PF, in its simplicity, is MUCH easier for us to design in the features we've wanted to implement over the years.

    The license was briefly an issue, and it was enough to motivate us to start over...

  94. 6-mths old firewall? BAH! by Anonymous Coward · · Score: 0

    6-mths old firewall? BAH!

  95. Re:More stuff? by kiwipeso · · Score: 0

    You want your own release?

    I'm writing my own BSD pretty much from scratch. Put that in your | and smoke it.

    --
    - Kaos games and encryption systems developer
  96. *BSD isn't dying ;) by kiwipeso · · Score: 0

    Considering that OS X is based on FreeBSD and there is a new fork in progress (my KaosBSD) that has stuff no other system has yet.

    A rewrite of most of the OS should help speed things up a lot but security should be kept a goal.

    --
    - Kaos games and encryption systems developer
  97. Re:CD-ROM problems with FreeBSD by kiwipeso · · Score: 0

    This is good timing, I've been wondering what was wrong with the OpenBSD install on my HD.
    It's a Slave IDE HD so I guess that's the reason the partition isn't working.

    BTW, glad to hear from someone else in the Wellington region BOFH.
    Incidentally, 10 July is my birthday and 9 July is my cousin's. If I had known that in 1998, I would be far further in my KaosBSD project by now.

    --
    - Kaos games and encryption systems developer
  98. Moderators on crack (the cheap stuff) by Anonymous Coward · · Score: 0

    The author misrepresents the licence, (lies) and yet gets modded UP.

    Wow.

  99. Re:CD-ROM problems with FreeBSD by The+BOFH+Troll · · Score: 0

    I am no Wellington person, I am Canadian!

    --

    - The BOFH Troll

  100. Re:I'm sticking with 2.9, but only for a little wh by uberdood · · Score: 1

    > Theo sells what Darren is giving away

    And what would that be? Theo gives away OpenBSD. Check your favorite mirror. *sigh*

    Wait all you want. IPF will *always* be older than PF. That's the nature of birthdays.

    From reading various upmod'ed anti-PF comments here from people who seem to lack a clue [1]
    I can't help but go into conspiracy mode and wonder if there's a FUD campaign against PF.

    [1] by seem to lack a clue, I refer to several posts:

    A) "I've not run PF lately"

    Well, guess what, it's not beta any more.

    B)"less-proven packet filter, from Theo"

    Less-proven is only changed when more people give it a try. Oh, and Theo didn't write PF.

    Why not try PF instead of insinuating it is crap? Take a non-production machine and install it. Hit it with various tools - nessus, SATAN, nmap, . See how it stands up to attack. But please refrain from spreading FUD about it being untried and immature. You do a disservice to PF and OpenBSD. Think about it. You like Theo's operating system. Do you really think he's going to include a POS critical tool in his release?

    [Please notice I've not called IPF crap, nor insulted Darren.]

    --
    "Population 1,656"
  101. "derivative of this code" by Per+Abrahamsen · · Score: 2

    Both the GPL and the Darren Copyleft depend on what the law will consider "a derivative of this code". So there is no legal difference in how viral they are.

    Either both or neither let you mix, match, mate or link.

    It might be less restrictive than what the FSF claim of the GPL, but in that case it is because FSF is wrong about the GPL.

    1. Re:"derivative of this code" by hawk · · Score: 2
      there is that :)


      I went deeply into the GPL a couple of years ago for LyX. I still couldn't quite figure out exactly what it meant (and I *am* a lawyer, and also hold a Ph.D. in economics & statistics . . .)


      I *am* sure that it doesn't say what the FSF claims--and now that you mention it, the static linking bit is FSF rather than GPL, isn't it?


      Darren's doesn't seem to have a distributable-as-a-whole under the licence requirement, however.


      hawk, esq.

  102. Are you for real? by Anonymous Coward · · Score: 0

    Gee, Mr. T DR (all caps) your web site http://theos.com, donations page (http://www.openbsd.com/donations.html) and Official CD (make out cheques to) all say T d R.

    So here is a simple test.
    Fill in the missing part
    _____________ *
    ___laughing__
    ___much more_
    ___/dev/null_
    _____kicks___
    ____ canada__
    ___Never_____
    ___Welcome___

    easy for the creator, just a little more for a fakir.

  103. hahaha by Anonymous Coward · · Score: 0

    darrenr is awesome, that's about all i have to say.