Slashdot Mirror


Custom OpenBSD 3.0 with IPFilter From Darren Reed

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

23 of 265 comments

  1. Good. by rainer_d · · Score: 4, Interesting
    Especially for people who don't want to migrate.
    I've set up a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and not change anything in the underlying code for the custom GUI.

    Not that PF is bad - you just can't do everything together ;-)

    cheers,
    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  2. Ego dramma by JDizzy · · Score: 4, Interesting

    I use FBSD and OBSD. Sorta stuck in the middle on this, since FBSD doesn't think Darren Reed's license is non-free like Theo et al. believe, and rightly so. Honestly, the OBSD IP filter is supposedly better anyway. Apparently the OBSD team was aware of some design flaws in IPF, and engineered their version without them. So I hear it's slightly faster, and backwards compatible with Reed's IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSDs to consider their IPF, but don't really care one way or the other.

    Sorta like OpenSSH: there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for the IPF clone.

    --
    It isn't a lie if you believe it.
    1. Re:Ego dramma by rifter · · Score: 2, Interesting

      Actually, the reason FreeBSD can use it is that it uses an unmodified IPFilter. IPFilter was originally written for FreeBSD, IIRC. But while FreeBSD uses IPFilter in userspace, OpenBSD always used a heavily modified form which lived in kernel space. The problem was that Darren and Theo got in a pissing match and Darren put a clause in his license that said he had to approve any release of IPFilter. Theo responded by dumping IPFilter; now Darren is trying to counter by creating his own OpenBSD.

      While this is legal, the problem is that the whole point of OpenBSD is the security auditing the OpenBSD team does. The version Darren is pushing is essentially a patched version of what they are putting out, but any security auditing of his patches is likely going to be done by him alone. I don't think this is the way to go, frankly.

    2. Re:Ego dramma by hollow_man · · Score: 2, Interesting

      Where did you get that from? Theo got his knickers in a twist about a test release of IPF (aimed at Solaris of all OSes!) and challenged Darren. Funnily enough, (after being threatened (although some debate can be had about what constituted a threat)) Darren then decided to clarify his IPF license (which for release versions hadn't changed for yonks) so it was not quite compatible with the goals of OpenBSD. Hence the split. Darren has cordial relationships with FreeBSD and NetBSD core and as such things never get as out of hand as with Theo.
      With regard to the "design problems" someone else posted about earlier, IPF is designed to be a cross-platform package (we use it exclusively on Solaris here) and as such it will never be as tailored for OpenBSD as pf is.
      I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.

      --
      Full Time Idiot and Miserable Sod
      Nothing is real but the pain
    3. Re:Ego dramma by jazman_777 · · Score: 2, Interesting
      I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.


      Which cause? Being nice and warm and fuzzy with everyone? Or putting out a solid secure OS? I think his temperament works just fine for the latter, he weeds out the chaff who think his goal should be the former.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    4. Re:Ego dramma by Tuzanor · · Score: 3, Interesting

      The thing is Theo never really got all THAT upset. He essentially just said "give us BSD rights to this thing" while darren said, "if you beg and suck up, maybe".

      Theo just decided to hell with it and announced that ipf is leaving OpenBSD. He never called anybody names or anything. He just sorta unexpectedly removed it.

  3. Re:Security still number one? by 2Bits · · Score: 4, Interesting

    As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

  4. IPFilter: Any advantages over pf? by Frater+219 · · Score: 5, Interesting

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

    1. Re:IPFilter: Any advantages over pf? by Anonymous Coward · · Score: 3, Interesting

      I've used both. pf and ipf are pretty close in terms of functionality and stability, and pf has some nice incremental features over ipf. If I had to choose, I'd use pf.

  5. Free as in... fascism? by dfeldman · · Score: 3, Interesting
    This move represents the latest step that Darren Reed has taken to attempt to gain control over open source operating systems that incorporate his packet filter. He has expressed the belief, on many newsgroup postings, that he deserves a place on the *BSD teams (as at least a committer) because of the way that his product has increased market share for the BSDs. And he continues to attempt to hold those distributions hostage until they bend to his will. His eventual goal is to release a closed-source BSD that incorporates his filter, because he cannot stand to give the public the right to modify and redistribute his precious code.

    Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raadt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.

    Darren, listen to your users - change your license or perish.

    df

    1. Re:Free as in... fascism? by Frater+219 · · Score: 5, Interesting
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

      Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

      I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

      iptables:
      # first match wins: accept the internal range, then drop everyone else
      iptables -A INPUT -s 10.11.0.0/16 -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -p tcp --dport 22 -j DROP

      pf:
      # last match wins: the later pass overrides the block for 10.11.0.0/16
      block in proto tcp from any to any port ssh
      pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

      Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.

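The two listings above only implement the same policy because their rule order is reversed: iptables stops at the first terminating match, pf takes the last matching rule (unless a rule says quick). The following is an added example, not code from the original comment or from either project, that evaluates the comment's SSH policy under both disciplines so the difference is visible on sample packets; the Rule tuple format, the sample addresses and the choice of a default-accept INPUT policy are assumptions made for the demonstration.

```python
"""Added example: the SSH policy from the comment above evaluated under
iptables-style (first match wins) and pf-style (last match wins, 'quick'
short-circuits) rule matching.  Not from the original post; addresses,
the Rule format and the default-accept INPUT policy are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR, or "any"
    dport: Optional[int]   # destination port, or None for any port
    quick: bool = False    # pf-only: stop evaluating at this match


def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    """True if the packet (proto, src, dport) is selected by this rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def iptables_decide(chain, proto, src, dport, policy="pass"):
    """Walk the chain top-down; the first matching rule decides.
    Packets that match nothing get the chain policy (INPUT defaults to ACCEPT)."""
    for rule in chain:
        if matches(rule, proto, src, dport):
            return rule.action
    return policy


def pf_decide(rules, proto, src, dport):
    """Evaluate every rule; the last match decides, unless a matching rule is
    'quick'.  A packet matching no rule passes."""
    decision = "pass"
    for rule in rules:
        if matches(rule, proto, src, dport):
            decision = rule.action
            if rule.quick:
                break
    return decision


# The comment's policy: SSH only from the internal 10.11.0.0/16.
IPTABLES_INPUT = [
    Rule("pass", "tcp", "10.11.0.0/16", 22),   # ... -s 10.11.0.0/16 -p tcp --dport 22 -j ACCEPT
    Rule("block", "tcp", "any", 22),           # ... -p tcp --dport 22 -j DROP
]
PF_RULES = [
    Rule("block", "tcp", "any", 22),           # block in proto tcp from any to any port ssh
    Rule("pass", "tcp", "10.11.0.0/16", 22),   # pass in proto tcp from 10.11.0.0/16 to any port ssh
]
# The same two pf lines written in iptables order: the block now matches last
# for internal hosts too, so nobody gets in.
PF_RULES_MISORDERED = list(reversed(PF_RULES))


def compare(src: str, dport: int = 22, proto: str = "tcp") -> dict:
    """Decision for one packet under each ruleset."""
    return {
        "iptables": iptables_decide(IPTABLES_INPUT, proto, src, dport),
        "pf": pf_decide(PF_RULES, proto, src, dport),
        "pf_misordered": pf_decide(PF_RULES_MISORDERED, proto, src, dport),
    }


if __name__ == "__main__":
    for host in ("10.11.3.7", "192.0.2.9"):   # constructed sample sources
        print(host, compare(host))
```

The internal host is accepted by both correct rulesets and blocked by the misordered pf set; the external host is blocked everywhere; traffic to another port is untouched by all three. The quick flag is what you reach for in pf when you want the iptables-style "decide now" behaviour for a particular rule.
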
    2. Re:Free as in... fascism? by jayed_99 · · Score: 3, Interesting

      in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste/how accustomed each person is to the syntax

      Exactly!
      A standard slashdot argument is: "I use XYZ and it is easier/better than ABC."

      The reason that it's "easier/better" is that you're more familiar with it. People make judgements based on what they have experience with.

      Sure, I think that BSD is better than Linux. I think that the *BSDs firewall syntax is better than the Linux firewall syntax. I think that the *BSD ports/package system rocks compared to any Linux solution (yes, even apt). But I think these things because I use *BSD all of the time! If I used Linux all of the time, I'd look at BSD and say, "What are these stupid disk slice things? What is this disklabel crap? Can't I just make some partitions and go?"

      You can draw examples from every facet of the computer world on this subject. Emacs and vi, anyone? Perl versus Python? C++ versus Java? Generally, "better" means "the thing that I know how to use the best."

      Some things have a more difficult learning curve than others -- does that make them better? Maybe; but that shouldn't be your only criterion for judging.

      We're more prone to see things as "better" when we've invested time in learning them. And when we do compare things, we often use a suboptimal example for the thing that we don't know well -- because we don't know it well.

  6. childish acts... by Anonymous Coward · · Score: 3, Interesting

    Darren, grow up :)

    Why not just create a port for OpenBSD ?

  7. Re:Security still number one? by BigBir3d · · Score: 2, Interesting

    That is what Lindows must have been thinking.

  8. Re:This release will include ISOs as well by Null_Packet · · Score: 4, Interesting

    How is it good that Darren Reed will be including ISOs? Looking at the thread, this seems to be a cut towards the OpenBSD team by undermining their primary fundraising activity: selling CDs.

    Besides, I have to wonder how resourceful someone is who doesn't know how to find OpenBSD ISOs via Google.

    This isn't a troll, but this strikes me as counter-productive to Open Source in general, and it seems even sillier that one needs to distribute an entire ISO for such a small package.

    Remember- it was Darren who changed his license which forced the OpenBSD team to remove his packages from the distro.

  9. Re:Why I love Open Source by Anonymous Coward · · Score: 1, Interesting

    As long as he's the only one. Can you imagine 10 companies doing this? 100? Of course they'd never all be in sync or anything either... And eventually the software will of course only work on HIS distribution. One version of the OS for every piece of software you use? There's an inner circle of hell we can all do without.

    Dude, didn't you just describe Linux?

  10. ISOs by skyhook · · Score: 3, Interesting

    I've never understood why people get so up in arms about the lack of downloadable ISOs for OBSD.
    How the hell hard can it be to do the following?

    mkdir ~/obsd30
    cd ~/obsd30
    [use favorite method of obtaining all files from OBSD Mirror]
    cd ..
    # -b names the El Torito boot image, relative to the image root (obsd30/);
    # -c is the boot catalog mkisofs generates; -R adds Rock Ridge so the
    # set names survive intact
    mkisofs -b floppy30.fs -c boot.catalog -R -o obsd30.iso obsd30
    cdrecord [your options] obsd30.iso

    (NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)

    I buy OBSD CD's to support the project, but I'm not waiting for them to arrive when the files are there for FTP.

    I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.

    License Bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The QMail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)

    If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.

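The one step the recipe above skips is checking that what came off the mirror is what the project published. OpenBSD ships a checksum list next to the sets in BSD "ALG (name) = hex" format (MD5 in the 3.0 era, SHA256 in current releases); verifying against it before running mkisofs catches a truncated or tampered download, which is the real difference between "the files are there for FTP" and the audited release. The following is an added example, not from the original comment or the OpenBSD project: the function names, the assumption that sha256sum/md5sum (coreutils) or sha256/md5 (BSD) are on the path, and the sample files in the test are all constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): verify a mirrored OpenBSD
# release directory against its BSD-format checksum list before building
# an ISO from it.  Assumes a list with lines like
#   SHA256 (base30.tgz) = 0123...   (or MD5 (...) = ... for older releases)
# and that sha256sum/md5sum (coreutils) or sha256/md5 (BSD) exist.

# hash_file ALG PATH -> prints the lowercase hex digest, or fails if no tool
hash_file() {
    alg=$1; path=$2
    case "$alg" in
        SHA256)
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$path" | cut -d' ' -f1
            elif command -v sha256 >/dev/null 2>&1; then
                sha256 -q "$path"
            else
                return 1
            fi ;;
        MD5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum "$path" | cut -d' ' -f1
            elif command -v md5 >/dev/null 2>&1; then
                md5 -q "$path"
            else
                return 1
            fi ;;
        *) return 1 ;;
    esac
}

# verify_sets DIR LISTFILE
# Checks every file named in LISTFILE that is present in DIR.  Files named in
# the list but not mirrored are skipped (you may not have fetched every set).
# Returns 0 only if at least one file was checked and none mismatched;
# prints each mismatch.  Returns 2 if no hashing tool is available.
verify_sets() {
    dir=$1; list=$2
    checked=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            *'('*')'*'='*) ;;   # only "ALG (name) = hex" lines
            *) continue ;;
        esac
        alg=${line%% *}
        rest=${line#*"("}
        name=${rest%%")"*}
        want=${line##*"= "}
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        [ -f "$dir/$name" ] || continue
        got=$(hash_file "$alg" "$dir/$name") || { echo "no tool for $alg" >&2; return 2; }
        if [ "$got" = "$want" ]; then
            checked=$((checked + 1))
        else
            echo "MISMATCH: $name"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ] && [ "$checked" -gt 0 ]
}

# Usage, with the directory layout from the recipe above:
#   verify_sets ~/obsd30 ~/obsd30/SHA256 && mkisofs ... obsd30
```

Note that a checksum list fetched from the same mirror only proves integrity, not origin; a list obtained from ftp.OpenBSD.org itself, or a signed one where the release provides it, is what gives you the provenance the later comments care about.
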
  11. I'm sticking with 2.9, but only for a little while by jet_silver · · Score: 3, Interesting

    This story made me laugh my bag off.

    TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).

    I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.

  12. This is a shame for Opensource by lamj · · Score: 3, Interesting

    I went back and read the mailing lists on both IPF and OpenBSD. There are some elements that are childish: one guy suddenly changed his mind about his work, and then another kept bashing and won't let IPF reunite with OpenBSD even after some modification to the license.

    I guess the moral of the story is that all open source developers should bond together and remember our real goal for open-sourcing. There may be slight differences in opinion, but we should get over the differences and try to produce the best software with minimal effort.

    By writing a separate PF, the OpenBSD team has to spend extra time re-coding the new PF and going through code audit, testing....

    Being a security consultant, I will still recommend OpenBSD as a FW platform, but I would wait a bit before PF, simply for the need for enough of a track record to be made. Let time prove this firewall, so to speak.

    1. Re:This is a shame for Opensource by befletch · · Score: 3, Interesting

      I went back and read the mailing lists on both IPF and OpenBSD. There are some elements that are childish: one guy suddenly changed his mind about his work, and then another kept bashing and won't let IPF reunite with OpenBSD even after some modification to the license.

      Yes, there were lots of childish comments. However, doing a code-weighted-average in my head, it seemed like the OpenBSD group was pretty calm and considered about the whole thing. Not that I'm completely unbiased, I guess.

      A more important point is that aside from the fact that pf was pretty much a fait accompli when Darren changed his license, Theo had a very good reason for not going back to ipf: the license change is still not open enough for OpenBSD to include ipf in the kernel.

      Theo et al want OpenBSD to be usable by anyone for anything, which means that Darren's, "you can't change the license terms," clause is still a problem. (See item #2 on OpenBSD's goals page.) As far as Theo is concerned you are fully welcome to fork OpenBSD (along with pf) and license your version under the GPL, if that is your desire.

      If you don't share or value that goal, fine. But criticising Theo and/or OpenBSD for maintaining these goals is a little harsh.

      --
      If you say, "now I'll be modded down because of X", I'll happily oblige.
  13. Re:A clarification by Anonymous Coward · · Score: 1, Interesting

    BSDites are under the illusion that they may one day want to close access to the source and become the next Sun. (This is exactly what Bill Joy did.)

    They feel that if they use the GPL they won't be able to commercialize in the Microsoft sense, which is true unless they own all contributions.

    Bollocks. Is it so hard to understand that we're just giving away our code? No agenda, we just want people to use it with the only condition being that our names remain on the source?

    Freedom. For people to use, or abuse, and unenforced by us. The difference between BSD and GPL.

  14. Re:Who would use this? by epine · · Score: 2, Interesting

    Just this morning I upgraded two of my OpenBSD machines to 3.0, along with the machine I built over the weekend from scratch.

    I've used IPF since 2.6 and IMHO it wasn't nearly easy enough to use. Each line of the file is simple, but managing conceptual changes to your firewall is a royal pain in the Perl script. So far I've just read some of the new PF documentation and skimmed the PF list from time to time. I have no doubts that PF will mature rapidly, if it isn't already. I can't believe some of the new changes to the syntax weren't made years ago.

    I've been working on the IP protocol stack for a couple of years, mainly looking at some of the latency problems with TCP/IP in signal contention networks (aka cell phones). TCP was designed to handle path contention networks and it doesn't handle signal contention at all well. The packet structure of IP is not rocket science. The TCP/IP stack is a much worse beast than what PF requires, especially if you add in all the IPv6 changes (substantial). I was reading this code yesterday. It's written clearly enough, yet hard to analyse case by case.

    What matters for the new PF implementation is making correct syscalls and handling all the error returns correctly. The OpenBSD people know all the pitfalls from years of fixing others' mistakes. If you get the syscalls right, the remaining stability issue is largely semantic. The semantics are easily demonstrated by building rulesets that work.

    The third area of concern is the efficiency tricks, which I think will take at least another iteration to perfect. This area was probably neglected while the effort focused on functionality, stability, and correctness. Try not to forget that the OpenBSD people have complete access to the IPF source code to guide them through the tricky spots.

    Theo doesn't control OpenBSD, he just controls one tree. I wasn't at all unhappy that OpenBSD chose to write PF from scratch. They've done a good job on OpenSSH, which I regard as a more challenging problem. I also regard IPv6 integration as more challenging than PF. IPv6 and IPsec are a scary beast.

    My next task is to start playing with new PF on all the new 3.0 boxes I've just configured. I'm not expecting any anguish. If my expectations are off base, I'll post again eating humble pie. I'm not saving my appetite, I don't think I'll need it.

  15. Re:I'm sticking with Theo and the boys. by The+Finn · · Score: 2, Interesting
    If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.

    s/Darren Reed/Theo de Raadt/

    a little courtesy on both sides could've gone a long way. Theo truly brings out the best and worst in people.

    --
    NetBSD: the cathedral vs the bizarre.