Slashdot Mirror
Custom OpenBSD 3.0 with IPFilter From Darren Reed
rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.
Just installed OpenBSD 3.0 today.
/etc/pf.conf, not /etc/ipf.rules.
The new Packet Filter' syntax is somewhat backwards-compatible with IPFilter, the most significant difference being that with PF you now must specify protocol when specifying ports, so for example if with IPF you had:
block in on fxp0 from any to any port = 137
with PF you have to change it to:
block in on fxp0 proto { udp, tcp } from any to any port = 137
And you place the default donfiguration in
Note to impressionable youngsters: there is no basis in fact for this statement.
I don't have a bias for one or the other (IPF vs PF), but will probably stick with PF since it's included in the default OBSD 3.0 installation.
Is there any reason why I should keep using IPF? Isn't it still included in the ports if I really needed it? Doesn't this sound like a political move?
Wooden armaments to battle your imaginary foes!
> BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?
It's simply called pf and it's custom to OpenBSD.
It's called packet filter - just pf, rather than ipf. It was developed by the OpenBSD team, and has some features they wanted to add but never could due to the restrictions on the IPF license. That's what Theo claimed in an interview I read, anyway.
It's the file system speed improvements that really make an upgrade to OpenBSD 3.0 worthwhile, though..
So basically this is about someone bundling openbsd with a popular non-open-source product, and distributing the result. Not generally news, except that many people thought that ipfilter was open source and therefore a great flame war arose when it was clarified to be otherwise.
No no no...
you *can* distribute OpenBSD however you like.
The original OpenBSD CD *layout* is Copyrighted by Theo.
Nothing stops anyone from downloading everything off of the FTP servers, and creating your own ISO image.
ceci n'est pas une signature
From the OpenBSD FAQ:
Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.
I guess if you want to distribute an ISO you need to make sure you build it yourself and make sure that it is different from the CD-ROM's.
I think it's kind of silly to say that the layout is copyrighted, but no sillier than Amazon having a patent on "one-click" shopping...possibly less.
It's a shame that Theo has to resort to this kind of thing to get people who are using the OS to actually buck up a few dollars for CDs.
If what I have read onthe mailing lists is any indication, it is unlikely Theo will lose control (well, of teh project anyway :) ). Most seemed to agree that this kind of stunt is exactly what Darren was trying to pull when he put the offending clause in the license in the first place. And regardless of how people feel, it seems the "Official" OpenBSD is still more trusted.
NetBSD out of business? What? Are you smoking Moderator crack, Mr. Troll? Besides, Theo was locked out of the NetBSD project and waited almost a year (holding the only Sparc port BTW) before coming out with OpenBSD. It is not the same situation.
of what happened to date.
You can read the original mix of hurt feelings, screams of piglethood, and resentment here
When in doubt, have a man come through a door with a gun in his hand.
I think that you mean the ISO/CD-ROM image layout. From the FAQ:
/etc, /home, and so forth...) is under copyright.
Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.
I don't think that the layout of the filesystem itself (/,
The actual name would be under trademark, and I would imagine that someone else would be unable to use the trademark to distribute a derivative of OpenBSD. Linux is the name of the kernel for Linux distros, bsd is the name of OpenBSD's kernel. The use of Linux as a trademark should technically be approved by Linus or whomever manages that for him.
I guess this would be OpenBSDarren...
Stangely, OpenBSD does not appear to be registered with the US Patent Office (check in TESS). Note that this is unlike Linux, which is:
Best Slashdot comment ever
Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.
You will have to change your rules. OpenBSD made several modifications to IPF that darren never included upstream (interface names in place of IP addresses, for example). I also recall some controversy involving patches to support ipf on the bridge. I don't know if those are supported either.
You're welcome to experiment I suppose. Good luck. But I'd strongly recommend not installing this straight onto your production system.
> while FreeBSD uses ipfilter in userspace
Absolutely incorrect. Get your facts straight.
I've never needed the ISO's. The net install works rather well, and you can do it over HTTP or FTP, as well as the other standbys (NFS, local, etc).
I've lurked on the misc@openbsd mailing list, and seen what Darren says. He seems "shady" (best as I can describe it). He seems to do his best to piss people off, and whenever pf doesn't work as expected, he says "IPF does that". Even if the poster was using the wrong syntax.
The firewall age isn't an issue, it's infancy happened on the -current tree. I'm rather happy with pf, and will keep using it whenever possible.
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
:-) )
:-)
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.
It may not be registered, but that is not required for copyright (Besides, you showed a trademark). Trademarks don't require registration either, it just makes them stronger.
And since OpenBSD is based here in Canada, the above (NAL) summarized US rules don't necessarily apply, other than through treaties on Intellectual Property. It is not a registered trademark in Canada either, as you can check here.
Complexity is Easy. Simplicity is Hard.
He's definately changed it.
The first version said "Redistribution and use in source and binary forms are permitted provided that this notice is preserved and due credit is given to the original author and the contributors."
Everyone had assumed that use included modification. Darren got pissed at Theo and started claiming that it did not. To quote Darren at the time: "Yes, this means that derivitive or modified works are not permitted without the author's prior consent." He claimed that this was not a change to the license, but it was certainly a change from the way everyone using it had thought it was to be read. This was what provoked OBSD to remove his package. If the other BSD teams were true to their principles they would have removed it too, at this point, and actually they might have if Darren hadn't lobbied them heavily and agreed to change itfor them. Which he eventually did. If he's still claiming that he never changed the license then he's just exposing himself as a shameless liar - the first case it sort of made sense to claim he wasn't *changing* the license but only clarifying (although he's on record earlier that it amounted to "public domain" - his words - which shows that he was really lying even then - his reinterpretation was definately novel even in his own mind, even if he wouldn't admit it. But the new license actually changes words in the license itself, it's not just a "clarification" by any stretch of the imagination. The license on the versions he's distributing now says "Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors." It also has a viral clause prohibiting it's incorporation into anything under a different license, such as GPL or BSD. This was not a part of the original license.
For comparison:
The original license, for example from the ip_fil.c in NetBSD 1.5, is:
The complete LICENSE file, as included with NetBSD 1.5 and the original ip_fil3.4.17 source distribution, is:
Pretty much the same license, the second just has some disclaimers added. This was the license he first described as "public domain" (search for my comments on past articles on this and you should find a link to where he stated that" - and then "clarified" at a later date to prohibit modification.
Now, the license on the version he is distributing today, with an explicit allowance for modification, and the new viral clause:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
The point would be valid if there weren't a more readable way to configure iptables:
iptables --append firewall --source 10.11.0.0/16 --proto tcp --destination-port ssh --jump ACCEPT
iptables --append firewall --destination-port ssh --jump DROP*
This seems both readable and easy to follow to me. I maintain a large and (necessarily) complex firewall using iptables (and DNAT, SNAT, mark-based routing, etc.) I've never found it to be especially difficult to follow the config files, nor awkward to read.
I don't deny things could be just as simple as pf, possibly even easier, but I don't think complexity of configuration is a valid criticism of iptables. On the contrary, I'd have to say I find the example you gave a little counter-intuitive - it's necessary to think for a little too long about whether that's "to any" or "to any port". That's probably just me, though - in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste / how accustomed each person is to the syntax - neither of the syntaxes are (IMHO) intrinsically better.
* The second line's unnecessary if your input/forward chain policy is 'DROP', which would be the case for most sane firewalls I can think of...
PenguiNet: the (shareware) Windows SSH client
I have recently installed OpenBSD on my home
/etc/rc.conf and put
/etc/pf.conf)
/etc/sysctl.conf
/etc/nat.conf)
/etc/nat.conf)
router-firewall-workstation after running
2.6 - 2.9 and lemme tell ya, pf ROCKS
with less than 10 lines changed across 4 files in
/etc I was able to get the following configured
for my network:
-firewalling (enable pf in
4 rules in
-full nat (enable ip forwarding in
and put 1 line in
-full port forwarding with ip header rewriting (put
2 lines in
so simple, so powerful, and BUNDLED!
'nuff said
A year spent in artificial intelligence is enough to make one believe in God.
I agree. I like the idea of Theo and company sticking to their principles and not looking the other way when it came to the ipf license. Ahem.
I also trust and respect the work that the OpenBSD team does.
I cannot say the same for Reed. In fact, have a look at the Jan 02 openbsd-users mailing list, Reed was asking for help compiling obsd. How much would you trust his distro?
AC
Been there, done that. OpenBSD on Alpha XP900 ..
Don't blame others, if you lack the clue to do things the right way.