Slashdot Mirror


Custom OpenBSD 3.0 with IPFilter From Darren Reed

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

15 of 265 comments

  1. Good. by rainer_d · · Score: 4, Interesting
    Especially for people who don't want to migrate.
    I've set up a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and not change anything on the underlying code for the custom GUI.

    Not that PF is bad - you just can't do everything together ;-)

    cheers,
    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  2. Ego dramma by JDizzy · · Score: 4, Interesting

    I use FBSD, and OBSD. sorta stuck in the middle on this since FBSD doesn't think D. Reed's license is non-free like Theo et al. believe, and rightly so. Honestly, The OBSD IP filter is supposedly better anyways. Apparently the OBSD was aware of some design flaws in IPF, and engineered their version without them. So I hear it's slightly faster, and backwards compatible with Reed's IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSD to consider their IPF, but don't really care one way or the other.

    Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.

    --
    It isn't a lie if you believe it.
    1. Re:Ego dramma by Tuzanor · · Score: 3, Interesting

      The thing is Theo never really got all THAT upset. He essentially just said "give us BSD rights to this thing" while Darren said, "if you beg and suck up, maybe".

      Theo just decided to hell with it and just announced that ipf is leaving OpenBSD. He never called anybody names or anything. He just sorta unexpectedly removed it.

  3. Re:Security still number one? by 2Bits · · Score: 4, Interesting

    As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

  4. IPFilter: Any advantages over pf? by Frater+219 · · Score: 5, Interesting

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

    1. Re:IPFilter: Any advantages over pf? by Anonymous Coward · · Score: 3, Interesting

      I've used both. pf and ipf are pretty close in terms of functionality and stability, and pf has some nice incremental features over ipf. If I had to choose, I'd use pf.

  5. Free as in... fascism? by dfeldman · · Score: 3, Interesting
    This move represents the latest step that Darren Reed has taken to attempt to gain control over open source operating systems that incorporate his packet filter. He has expressed the belief, on many newsgroup postings, that he deserves a place on the *BSD teams (as at least a committer) because of the way that his product has increased market share for the BSDs. And he continues to attempt to hold those distributions hostage until they bend to his will. His eventual goal is to release a closed-source BSD that incorporates his filter, because he cannot stand to give the public the right to modify and redistribute his precious code.

    Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raadt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.

    Darren, listen to your users - change your license or perish.

    df

    1. Re:Free as in... fascism? by Frater+219 · · Score: 5, Interesting
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

      Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

      I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

      iptables:
      iptables -A INPUT -s 10.11.0.0/16 -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -p tcp --dport 22 -j DROP

      pf:
      block in proto tcp to any port ssh
      pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

      Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.
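      The two rule sets above are not merely different syntax: iptables takes the first matching rule in a chain, while pf (without `quick`) takes the last matching rule, which is why the pf version lists `block` before `pass`. The simulator below is an added example, not code from the post or from either firewall project. It models only protocol, source address and destination port (no `keep state` tracking, no interfaces) and assumes an ACCEPT chain policy for iptables so that unmatched traffic is treated the same way as pf's default pass; the sample packets are constructed.

```python
"""Toy first-match (iptables) vs last-match (pf) rule evaluator.

Added illustration only; the source range 10.11.0.0/16 and port 22 come
from the post, everything else here is an assumption or constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")  # stands in for "any" / no -s option


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp" or "udp"
    src: ipaddress.IPv4Network   # ANY when the rule has no source restriction
    dport: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src
            and rule.dport == pkt.dport)


def first_match(rules: List[Rule], pkt: Packet, policy: str = "pass") -> str:
    """iptables chain semantics: the first matching rule's target decides;
    the chain policy (assumed ACCEPT here) applies when nothing matches."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return policy


def last_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics without 'quick': every rule is evaluated and the last
    matching one wins; a packet matching no rule passes."""
    verdict = default
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
    return verdict


INTERNAL = ipaddress.ip_network("10.11.0.0/16")

# The post's iptables rules in chain order (first match wins):
#   iptables -A INPUT -s 10.11.0.0/16 -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP
IPTABLES_INPUT = [
    Rule("pass", "tcp", INTERNAL, 22),
    Rule("block", "tcp", ANY, 22),
]

# The post's pf rules in file order (last match wins):
#   block in proto tcp to any port ssh
#   pass in proto tcp from 10.11.0.0/16 to any port ssh keep state
PF_RULES = [
    Rule("block", "tcp", ANY, 22),
    Rule("pass", "tcp", INTERNAL, 22),
]

SAMPLES = [                          # constructed test packets
    Packet("tcp", "10.11.3.4", 22),  # internal host -> SSH
    Packet("tcp", "192.0.2.7", 22),  # external host -> SSH
    Packet("tcp", "192.0.2.7", 80),  # external host -> HTTP, no rule matches
]


def compare(packets: List[Packet] = SAMPLES) -> List[Tuple[str, str]]:
    """Return (iptables verdict, pf verdict) for each packet."""
    return [(first_match(IPTABLES_INPUT, p), last_match(PF_RULES, p))
            for p in packets]


def pf_rules_reversed(packets: List[Packet] = SAMPLES) -> List[str]:
    """The ordering trap: the same two pf lines swapped, still under
    last-match semantics, now block the internal SSH session as well."""
    swapped = list(reversed(PF_RULES))
    return [last_match(swapped, p) for p in packets]


if __name__ == "__main__":
    for pkt, (ipt, pf) in zip(SAMPLES, compare()):
        print(f"{pkt.src}:{pkt.dport}  iptables={ipt}  pf={pf}")
    print("pf with the two lines swapped:", pf_rules_reversed())
```

      Running it shows both rule sets agree on every sample, and that reversing the pf lines (without `quick`) silently changes the result, which is the kind of ordering detail a reviewer has to check when reading either style of ruleset.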

    2. Re:Free as in... fascism? by jayed_99 · · Score: 3, Interesting

      in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste/how accustomed each person is to the syntax

      Exactly!
      A standard slashdot argument is: "I use XYZ and it is easier/better than ABC."

      The reason that it's "easier/better" is that you're more familiar with it. People make judgements based on what they have experience with.

      Sure, I think that BSD is better than Linux. I think that the *BSDs firewall syntax is better than the Linux firewall syntax. I think that the *BSD ports/package system rocks compared to any Linux solution (yes, even apt). But I think these things because I use *BSD all of the time! If I used Linux all of the time, I'd look at BSD and say, "What are these stupid disk slice things? What is this disklabel crap? Can't I just make some partitions and go?"

      You can draw examples from every facet of the computer world on this subject. Emacs and vi, anyone? Perl versus Python? C++ versus Java? Generally, "better" means "the thing that I know how to use the best."

      Some things have a more difficult learning curve than others -- does that make them better? Maybe; but that shouldn't be your only criterion for judging.

      We're more prone to see things as "better" when we've invested time in learning them. And when we do compare things, we often use a suboptimal example for the thing that we don't know well -- because we don't know it well.

  6. childish acts... by Anonymous Coward · · Score: 3, Interesting

    Darren, grow up :)

    Why not just create a port for OpenBSD ?

  7. Re:This release will include ISOs as well by Null_Packet · · Score: 4, Interesting

    How is it good that Darren Reed will be including ISOs? Looking at the thread this seems to be a cut towards the OpenBSD team by undermining their primary fund-raising activity: selling CDs.

    Besides, I have to wonder how resourceful someone is who doesn't know how to find OpenBSD ISOs via Google.

    This isn't a troll, but this strikes me as counter-productive to Open Source in general, and it seems even sillier that one needs to distribute an entire ISO for such a small package.

    Remember: it was Darren who changed his license, which forced the OpenBSD team to remove his packages from the distro.

  8. ISOs by skyhook · · Score: 3, Interesting

    I've never understood why people get so up in arms about the lack of downloadable ISOs for OBSD.
    How the hell hard can it be to do the following?

    mkdir ~/obsd30
    cd ~/obsd30
    [use favorite method of obtaining all files from OBSD Mirror]
    cd ..
    mkisofs -b floppy30.fs -c boot.catalog -R -o obsd30.iso obsd30
    cdrecord [your options] obsd30.iso

    (NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)

    I buy OBSD CDs to support the project, but I'm not waiting for them to arrive when the files are there for FTP.

    I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.

    License bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The qmail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)

    If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.

  9. I'm sticking with 2.9, but only for a little while by jet_silver · · Score: 3, Interesting

    This story made me laugh my bag off.

    TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).

    I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.

  10. This is a shame for Opensource by lamj · · Score: 3, Interesting

    I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish: one guy suddenly changed his mind about his work and then another keeps bashing and won't let IPF reunite with OpenBSD even after some modification to the license.

    I guess the moral of the story is that all open-source developers should bond more together and remember our real goal for open-sourcing. There may be slight differences in opinion but we should get over the differences and try to produce the best software with minimal effort.

    By writing a separate PF, the OpenBSD team has to spend extra time re-coding the new PF and going through the code audit, testing....

    Being a security consultant, I will still recommend OpenBSD as a FW platform, but I would wait a bit before PF, simply for the need for enough track record to be made. Let time prove this firewall, so to speak.

    1. Re:This is a shame for Opensource by befletch · · Score: 3, Interesting

      I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly change his mind about his work and then another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to the license.

      Yes, there were lots of childish comments. However, doing a code-weighted-average in my head, it seemed like the OpenBSD group was pretty calm and considered about the whole thing. Not that I'm completely unbiased, I guess.

      A more important point is that aside from the fact that pf was pretty much a fait accompli when Darren changed his license, Theo had a very good reason for not going back to ipf - the license change is still not open enough for OpenBSD to include ipf in the kernel.

      Theo et al want OpenBSD to be usable by anyone for anything, which means that Darren's, "you can't change the license terms," clause is still a problem. (See item #2 on OpenBSD's goals page.) As far as Theo is concerned you are fully welcome to fork OpenBSD (along with pf) and license your version under the GPL, if that is your desire.

      If you don't share or value that goal, fine. But criticising Theo and/or OpenBSD for maintaining these goals is a little harsh.

      --
      If you say, "now I'll be modded down because of X", I'll happily oblige.