Slashdot Mirror

← Back to Stories (view on slashdot.org)

Custom OpenBSD 3.0 with IPFilter From Darren Reed

Posted by timothy on from the isos-to-follow dept.

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

6 of 265 comments (clear)

  1. Good. by rainer_d · · Score: 4, Interesting
    Especially for people who don't want to migrate.
    I've setup a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.

    Not that PF is bad - you just can't do everything together ;-)

    cheers,
    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  2. Ego dramma by JDizzy · · Score: 4, Interesting

    I use FBSD, and OBSD. sorta stuck in the middle on this since FBSD doesn't think the D. Reeds license is non-free like Theo et'all believe, and rightly so. Honestly, The OBSD IP filter is supposedly better anyways. Apparently the OBSD was aware of some design flaws in IPF, and engineered their version without them. So I hear its slightly faster, and backwards compatible with Reeds IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSD to consider their IPF, but don't' really care one way or the other.

    Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.

    --
    It isn't a lie if you belive it.
  3. Re:Security still number one? by 2Bits · · Score: 4, Interesting

    As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

  4. IPFilter: Any advantages over pf? by Frater+219 · · Score: 5, Interesting

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

  5. Re:This release will include ISOs as well by Null_Packet · · Score: 4, Interesting

    How is it good that Darren Reed will be including ISO's? Looking at the thread this seems to be a cut towards the openbsd team by undermining their primary fund raising activity- selling cd's.

    Besides, I have to wonder how resourceful someone is who doesn't know how to find OpenBSD ISO's via Google.

    This isn't a troll, but this strikes me as counter-productive to Open Source in general, and it seems even sillier that one needs to distribute an entire ISO for such a small package.

    Remember- it was Darren who changed his license which forced the OpenBSD team to remove his packages from the distro.

  6. Re:Free as in... fascism? by Frater+219 · · Score: 5, Interesting
    IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

    Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

    I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

    iptables :
    iptables -A INPUT -s 10.11.0.0/16 -p tcp -o tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -o tcp --dport 22 -j DENY

    pf:
    block in proto tcp to any port ssh
    pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

    Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.