Slashdot Mirror


Custom OpenBSD 3.0 with IPFilter From Darren Reed

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

9 of 265 comments

  1. Re:Free as in... fascism? by imp · · Score: 4, Insightful
    IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security

    Except that isn't true. There have been a number of issues with the way that iptables/netfilter in Linux interacts with some systems. A number of problems related to timers in the state engine have come to light and do cause real problems for some systems. Also, 2.4 was relatively recent in history, so all the problems and issues with iptables/netfilter cannot be known yet. To assert otherwise is to ignore the history of software. All software has a hype cycle: the latest thing is always the best, then experience shows that it doesn't handle this or that right, followed by the disillusionment phase, followed by adopting another product that's in the hype phase. ipfilter is much farther along in this process and is maturing nicely. We have not had the history to know yet if iptables/netfilter will be the same.

    If you don't believe me, go back and look at the press that each new Linux release gets. Then look at how people talk about that release 3-6 months later, and then 1-2 years later. It takes time for problems to be diagnosed and understood.

  2. Re:Ego dramma by illusion_2K · · Score: 3, Insightful

    Where did you get that from?

    The issue that the OpenBSD guys had with IPF was that the license wasn't 100% BSD compatible as it stood when they decided to ditch it. I can't recall exactly what the issue was, but there are historical posts in the misc@openbsd.org mailing list. (Searching for Theo De Raadt and IPF should be enough - he's explained his position at least a half dozen times.) Afterwards, Darren decided to change the license so that the other BSDs wouldn't ditch IPF in favor of PF too.

    All in all, one of the things I respect most about the OpenBSD guys is how they do stick to their principles, as they did in the IPF fiasco.

  3. Who would use this? by evilviper · · Score: 5, Insightful

    The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.

    I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.

    While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to drop IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Who would use this? by jsimon12 · · Score: 3, Insightful

      I have to disagree with you on this one. "Almost everyone" on the OpenBSD list might have loved PF, 'cause it was now their own little baby. But take a look at other lists (ip-filter): people were not happy with PF. Last time I tried PF it was NOWHERE near as robust as IPF. As for ease of use, I would disagree there too: the syntax is similar, and IPF ALREADY was damn easy to use (compared to rulesets for CheckPoint or IP Tables or whatever). So step off dude, PF needs work before it can compare with IPF.

    2. Re:Who would use this? by uberdood · · Score: 2, Insightful

      Might I ask when you last tried PF? I'd enjoy an example of something that can be done in IPF that can't in PF.

      There are already examples of the reverse - namely:

      1) scrubbing
      2) variables
      3) listed elements allowing one line to do what takes many lines in IPF
      4) inbound and outbound rules on bridges

      Politics, flamefest, and egos aside, I simply believe PF is technically superior - based on the above things that PF can do that IPF can't - in addition to the common features of both - until proven otherwise.

      --
      "Population 1,656"
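      As an added illustration of the four items in the list above (this is not from the thread and not the PF project's own documentation), here is the same small policy written in OpenBSD 3.x-era pf.conf syntax, with the equivalent IPF rules in comments for comparison. Interface names, the LAN prefix and the port list are assumptions.

      ```pf
      # Added example, not from the original thread: OpenBSD 3.x-era pf.conf.
      # Assumed interfaces fxp0 (external) and fxp1 (internal), assumed LAN prefix.

      # 2) variables: macros replace values that IPF rules hard-code on every line.
      ext_if = "fxp0"
      int_if = "fxp1"
      lan_net = "192.168.1.0/24"
      tcp_services = "{ 22, 80, 443 }"

      # 1) scrubbing: reassemble and normalise fragments before any rule is
      #    evaluated, so overlapping or short fragments cannot slip past the
      #    filter; IPF has no single directive for this.
      scrub in all

      # Default deny in both directions; log what is blocked inbound so
      # unexpected traffic shows up in pflog.
      block in log all
      block out all

      # 3) lists: one rule expands to one rule per element.
      #    IPF needs one line per port for the same effect:
      #      pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
      #      pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
      #      pass in quick on fxp0 proto tcp from any to any port = 443 flags S keep state
      pass in quick on $ext_if proto tcp from any to any port $tcp_services \
          flags S/SA keep state

      # Let the LAN out through the external interface, statefully, for
      # several protocols in one rule.
      pass out quick on $ext_if proto { tcp, udp, icmp } from $lan_net to any keep state

      # 4) bridge rules: PF filters inbound and outbound on each member
      #    interface (assumes fxp0 and fxp1 are members of one bridge).
      pass in  quick on $int_if from $lan_net to any keep state
      pass out quick on $int_if from any to $lan_net keep state
      ```

      Loading it with `pfctl -nf /etc/pf.conf` parses the file without activating it, which is the safe way to check a ruleset before it goes live.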
  4. Re:Why I love Open Source by TheAwfulTruth · · Score: 3, Insightful

    As long as he's the only one. Can you imagine 10 companies doing this? 100? Of course they'd never all be in sync or anything either... And eventually the software will of course only work on HIS distribution. One version of the OS for every piece of software you use? There's an inner circle of hell we can all do without.

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  5. Re:Getting a taste of his own medicine by Kirruth · · Score: 3, Insightful
    Well, you know, secure systems that aren't designed by obsessive control freaks aren't secure systems.

    Only the paranoid survive and all that.

    --
    "Well, put a stake in my heart and drag me into sunlight."
  6. Darren Reed's latest license for IPFilter by kjj · · Score: 3, Insightful

    Copyright (C) 1993-2002 by Darren Reed.

    The author accepts no responsibility for the use of this software and
    provides it on an ``as is'' basis without express or implied warranty.

    Redistribution and use, with or without modification, in source and binary
    forms, are permitted provided that this notice is preserved in its entirety
    and due credit is given to the original author and the contributors.

    The licence and distribution terms for any publically available version or
    derivative of this code cannot be changed. i.e. this code cannot simply be
    copied, in part or in whole, and put under another distribution licence
    [including the GNU Public Licence.]

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.

    I hate legalese, don't you?

    Ironic that this relatively short license, which is somewhat BSD style, is actually copyleft or "viral" in nature. Look closely at the section before the disclaimer boilerplate. Maybe it should be called the DPL (Darren Public License). BSD advocates typically rant on and on about how the GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?

  7. why theo being a prick is a good thing (tm)... by psxndc · · Score: 3, Insightful

    I think it's great that Darren released his own version of OpenBSD. I hope that many people will in fact use it and love it. I however will not be one of those people. See, to me, Theo and his attitude are good for the OS. Theo wants things his way(tm) or the highway. This means that only software that _he_ wants to run and use will be included. Would you write software that you wouldn't trust or use? Given that the rest of the OpenBSD team checks Theo's work too, I trust that the OpenBSD product will be a robust, secure OS. Darren's product AFAIK will only be audited by himself. This to me is not as secure or as desirable as the official OpenBSD product and therefore won't be used by me for the whole reason of using OpenBSD: security. I've never met Theo, and from what I understand he can be a real ass, but something about his analality (??) helps me sleep at night not worrying about my home network getting haX0red.

    psxndc

    --

    The emacs religion: to be saved, control excess.