Slashdot Mirror
Custom OpenBSD 3.0 with IPFilter From Darren Reed
rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.
OpenBSD's main tenet is that security is the most important part of the distribution. This rogue distribution is using OpenBSD's name (is this allowed? Anyone?); is it still following OpenBSD's strictures regarding security, such as a full source audit before release?
I can't say that I don't give a fuck. I've just run out of fuck to give.
I've setup a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.
Not that PF is bad - you just can't do everything together ;-)
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
I use FBSD, and OBSD. sorta stuck in the middle on this since FBSD doesn't think the D. Reeds license is non-free like Theo et'all believe, and rightly so. Honestly, The OBSD IP filter is supposedly better anyways. Apparently the OBSD was aware of some design flaws in IPF, and engineered their version without them. So I hear its slightly faster, and backwards compatible with Reeds IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSD to consider their IPF, but don't' really care one way or the other.
Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.
It isn't a lie if you belive it.
conflict surrounding the openbsd project
next story please.
One important thing to note (and left out of this announcement) is that Darren will be including bootable ISOs with his releases. This is a great move, as I've always run into trouble with the hacked together OpenBSD unofficial ISOs. I'm also not too keen on using a 6-month-old firewall with who knows how many fixes needed in the future, and am glad IPF is back in the game with a OpenBSD-alike release that I can grab and run with. Good job to everyone involved!
Interested in open source engine management for your Subaru?
Just installed OpenBSD 3.0 today.
/etc/pf.conf, not /etc/ipf.rules.
The new Packet Filter' syntax is somewhat backwards-compatible with IPFilter, the most significant difference being that with PF you now must specify protocol when specifying ports, so for example if with IPF you had:
block in on fxp0 from any to any port = 137
with PF you have to change it to:
block in on fxp0 proto { udp, tcp } from any to any port = 137
And you place the default donfiguration in
Dude,
You don't want to include my program with your distribution?
Fine, I'll just include your distribution with my program!
'nuff said!
Note to impressionable youngsters: there is no basis in fact for this statement.
OpenBSD team wants to get changes incorporated into IPF. Darren no respond.
Ask again -> No respond. Darren coder supreme.
OpenBSD decide to make changes, but only in OpenBSD source tree. Darren hears, gets angry! Decides: "LICENSE NO ALLOW!"
Insert Flame War.
OpenBSD team decide to switch to different packet filter under BSD license. Because Project Goal: Every user should be able to make changes to source tree. IPF license bad!!
Darren try get back: says, NetBSD, FreeBSD allowed! MUAHAHAHAH!!!
Theo say: no care, pf much better than ipf!
Darren changes mind: changes license. But OpenBSD will not change back to ipf. Darren even much more bitter.
Darren so bitterbitter. Decides: I'LL GET BACK BY FORKING OPENBSD AND RELEASING MY OWN VERSION. HEHEHEHEHE.
Conclusion: Open source, closed minds.
I find this very amusing.
I don't have a bias for one or the other (IPF vs PF), but will probably stick with PF since it's included in the default OBSD 3.0 installation.
Is there any reason why I should keep using IPF? Isn't it still included in the ports if I really needed it? Doesn't this sound like a political move?
Wooden armaments to battle your imaginary foes!
> BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?
It's simply called pf and it's custom to OpenBSD.
I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.
Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?
It's called packet filter - just pf, rather than ipf. It was developed by the OpenBSD team, and has some features they wanted to add but never could due to the restrictions on the IPF license. That's what Theo claimed in an interview I read, anyway.
It's the file system speed improvements that really make an upgrade to OpenBSD 3.0 worthwhile, though..
Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raddt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.
Darren, listen to your users - change your license or perish.
df
Darren, grow up :)
Why not just create a port for OpenBSD ?
No no no...
you *can* distribute OpenBSD however you like.
The original OpenBSD CD *layout* is Copyrighted by Theo.
Nothing stops anyone from downloading everything off of the FTP servers, and creating your own ISO image.
ceci n'est pas une signature
From the OpenBSD FAQ:
Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.
I guess if you want to distribute an ISO you need to make sure you build it yourself and make sure that it is different from the CD-ROM's.
I think it's kind of silly to say that the layout is copyrighted, but no sillier than Amazon having a patent on "one-click" shopping...possibly less.
It's a shame that Theo has to resort to this kind of thing to get people who are using the OS to actually buck up a few dollars for CDs.
If what I have read onthe mailing lists is any indication, it is unlikely Theo will lose control (well, of teh project anyway :) ). Most seemed to agree that this kind of stunt is exactly what Darren was trying to pull when he put the offending clause in the license in the first place. And regardless of how people feel, it seems the "Official" OpenBSD is still more trusted.
NetBSD out of business? What? Are you smoking Moderator crack, Mr. Troll? Besides, Theo was locked out of the NetBSD project and waited almost a year (holding the only Sparc port BTW) before coming out with OpenBSD. It is not the same situation.
I use it all the time. No unsecure sockets!
--SC
You read fiction? I write it! Lemme know what you th
I actually feel a nice sense of relief when I read this Troll. It just wouldn't be a slashdot *BSD story without him.
And since he was so late today, I was actually concerned that he was the one who had died, rather than BSD.
of what happened to date.
You can read the original mix of hurt feelings, screams of piglethood, and resentment here
When in doubt, have a man come through a door with a gun in his hand.
The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.
I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.
While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to dropped IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
But why doesn't he just 'fix' the licensing on his code?
He did, but not until Theo's group had almost completed the replacement pf. See the "Amusing" post above for a pretty good summary.
It seems silly that the whole thing has gone this far in the first place.
I think it's more sad than amusing, but silly's a good description too. In (supposedly) adults.
I thought you couldn't distribute any form of OpenBSD as an ISO?
I can see why you'd think that. Because after all, the official FAQ says you can, and the discussion comes up on Slashdot about once a month in some other story, so of course you'd think it wasn't allowed.
WTF moderated that up?
Can you *call* it OpenBSD, or does Theo have a trademark on that?
Anybody remember the brouhaha over openssh.org last year?
PF has a fair number of nice features IPF doesn't have, such as variables and sets. Using them you should be able to make your new rules a lot cleaner. And, when you write something from scratch, odds are you'll do it better the second time by virtue of greater experience with the domain... PF is a Good Thing.
News for Geeks in Austin, TX
I've never understood why people get so up in arms about the lack of downloadable ISO's for OBSD
..
How the hell hard can it be to do the following?
mkdir ~/obsd30
cd ~/obsd30
[use favorite method of obtaining all files from OBSD Mirror]
cd
mkisofs -b floppy30.fs -c boot.catalog -R -o obsd.iso obsd30
cdrecord [your options] obsd30.iso
(NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)
I buy OBSD CD's to support the project, but I'm not waiting for them to arrive when the files are there for FTP.
I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.
License Bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The QMail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)
If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.
lot's of engineers for wine would have been nice, too, but bundling netscape, a bsd (or linux), and the (then) personal use version of staroffice, and they could have kicked a good chunk of the low-end clean out from under microsoft.
hawk
Only the paranoid survive and all that.
"Well, put a stake in my heart and drag me into sunlight."
Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
I hate legalese, don't you ?
Ironic that this relatively short license which is somewhat BSD style is actually copyleft or "viral" in nature. Look closely at the section before the diclaimer boiler-plate. Maybe it should be called the DPL (Darren Public License) BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?
psxndc
The emacs religion: to be saved, control excess.
This lets the two pieces, mix, match,mate, link, whatever without trying to control the output.
hawk
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
:-) )
:-)
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.
BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?
In that sense, the BSD is just as viral as the GPL. What they whine about is different:
BSDites are under the illusion that they may one day want to close access to the source and become the next SUN. (This is exactly what Bill Joy did)
They feel that if they use the GPL they wont be able to commercialize in the microsoft sense, which is true unless they own all contributions.
Although they make alot of good server and security code, the BSD programmers have a really uptight and clannish community.
To settle this once and for all, my name is Theo DeRaadt. Happy?
--
Theo DeRaadt
Founder, OpenBSD project.
This story made me laugh my bag off.
TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).
I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.
I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly change his mind about his work and then another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to the license.
I guess the moral of the story is that, all Opensource developer should bond more together and remember our real goal for opensourcing. There may be slight difference in opinion but we should get over the difference and try to produce the best software with minimal effort.
By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....
Being a security consultant, I will still recommend OpenBSD as FW platform, but I would wait a bit before PF, simply for the need for enough track record to be made. Let time to prove this firewall, so to speak.
Darren Reed wresting control of OpenBSD from Theo? Are you serious? Did Theo wrest control of NetBSD from whomever? No, he just started his own BSD. From what I can tell, NetBSD is chugging along just fine. Darren can do the same, create "OpenBiggerEgo" or something; if it ends up better, great.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
He's definately changed it.
The first version said "Redistribution and use in source and binary forms are permitted provided that this notice is preserved and due credit is given to the original author and the contributors."
Everyone had assumed that use included modification. Darren got pissed at Theo and started claiming that it did not. To quote Darren at the time: "Yes, this means that derivitive or modified works are not permitted without the author's prior consent." He claimed that this was not a change to the license, but it was certainly a change from the way everyone using it had thought it was to be read. This was what provoked OBSD to remove his package. If the other BSD teams were true to their principles they would have removed it too, at this point, and actually they might have if Darren hadn't lobbied them heavily and agreed to change itfor them. Which he eventually did. If he's still claiming that he never changed the license then he's just exposing himself as a shameless liar - the first case it sort of made sense to claim he wasn't *changing* the license but only clarifying (although he's on record earlier that it amounted to "public domain" - his words - which shows that he was really lying even then - his reinterpretation was definately novel even in his own mind, even if he wouldn't admit it. But the new license actually changes words in the license itself, it's not just a "clarification" by any stretch of the imagination. The license on the versions he's distributing now says "Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors." It also has a viral clause prohibiting it's incorporation into anything under a different license, such as GPL or BSD. This was not a part of the original license.
For comparison:
The original license, for example from the ip_fil.c in NetBSD 1.5, is:
The complete LICENSE file, as included with NetBSD 1.5 and the original ip_fil3.4.17 source distribution, is:
Pretty much the same license, the second just has some disclaimers added. This was the license he first described as "public domain" (search for my comments on past articles on this and you should find a link to where he stated that" - and then "clarified" at a later date to prohibit modification.
Now, the license on the version he is distributing today, with an explicit allowance for modification, and the new viral clause:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Given Theo's legendary patience and understanding, i'm sure that Theo and Darren can find a compromise they can live with and work this out.
FreeBSD for the impatient.
This particular conflict concerning the fine OpenBSD operating system is not as simple as it seems at first glance. As a matter of fact, I believe this is a huge conspiracy by Darren Reed and his organization to eventually distribute an operating system nearly identical to OpenBSD, but with one slight modification: Darren Reed's version will include IPFilter.
A little more investigation on your part will reveal that this is more or less what's actually going on, rather than what we're being told.
If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.
It has likely taken him way longer to set up his own installer and layout than if he had just grown up and listened to reason.
No thanks, I'm sticking with the official OpenBSD CD sets.
hrm.. does Reed's come with a cool music track like OpenBSD 3.0 had on CD 2?
Go Theo!
Trolling is a art,
Looking at the actual licence:
server# pwd
/usr/src/contrib/ipfilter
server# cat IPFILTER.LICENCE
Copyright (C) 1993-2001 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]
There is the licence. Now, what part of with or without modification == "he cannot stand to give the public the right to modify" ?
Oh, thats right. This is slashdot. "Let not facts get in the way of promoting all things Linux." From your post "IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4," All that 'ass kicking' must be why the 2.4 series is The kernel of pain Your anger is that the fine code of IPFilter can't be GPLed is all.
If it was said on slashdot, it MUST be true!
Bollocks. Is it so hard to understand that we're just giving away our code? No agenda, we just want people to use it with the only condition being that our names remain on the source?
The point at hand was not "why choose the BSD", but rather "why are BSDer's typically so GPL hostile?"
Ive got nothing against someone slapping a BSD on a piece of good code- that is something to be admired. Especially because I can combine it with GPL'd source and distribute the product.
What im talking about is things like the SSLeay licence: a BSD license with a nasty clause saying that it cannot be combined with anything GPL as a special (annoying) tack on. (which remains in openssl till today)
The above may explain the creation of the GNUtls project to an extent, and thats the kind of thing Im talking about.
I have recently installed OpenBSD on my home
/etc/rc.conf and put
/etc/pf.conf)
/etc/sysctl.conf
/etc/nat.conf)
/etc/nat.conf)
router-firewall-workstation after running
2.6 - 2.9 and lemme tell ya, pf ROCKS
with less than 10 lines changed across 4 files in
/etc I was able to get the following configured
for my network:
-firewalling (enable pf in
4 rules in
-full nat (enable ip forwarding in
and put 1 line in
-full port forwarding with ip header rewriting (put
2 lines in
so simple, so powerful, and BUNDLED!
'nuff said
A year spent in artificial intelligence is enough to make one believe in God.
Re:Removed for licensing issues? LOL
What's wrong with lots of distributions? Seems like a good idea to me. People use whichever one they want. You trust Theo, you use OppenBSD, you prefer someone else, you use another version. Isn't that what OpenSource is about? Isn't what people like about BSD over Linux that you're even allowed to close the source? (I don't think that's such a good idea, but I don't use it, so that's fair.)
Is there some reason that there shouldn't be multiple distributions? Some will be more popular, others will slowly fade. Perhaps all will, but there's certainly a better chance if there are multiple sources.
The only thing that's too bad about this is the acrimony. Pity. But then I've known people who enjoyed that. I don't know the participants, but judging from the commentary, these might be some of them. In which case no problem.
Are you worried about what the newspapers will say? I can almost guarantee that they'll totally ignore it.
.
I think we've pushed this "anyone can grow up to be president" thing too far.
Designed?
Designed. Tested. Audited. Coded. Used. Abused.
Only the paranoid stand a chance.
You find one bug. You get all his friends and relations.
Slashdot Headline: Custom OpenBSD 3.0 With djbdns/Qmail From Dan Bernstein
!
# dmesg|more
OpenBSD 3.0 (I_HATE_THEO!!!) #1: Thu Oct 18 14:48:27 MDT 2001
djb@cr.yp.to:/usr/src/sys/arch/i386/I_HATE_THEO!!
Where will the insanity stop?
Believe me, there are other measures involved in picking a firewall besides its security (where there are a lot of decent entries) and its cost in terms of latency. (It isn't likely to hit bandwidth unless it's overloaded, btw.) The factors that I see involved in picking firewall kit shake out into two categories: technical and social, as follows.
Technical factors:
Social factors:
The next best thing to "You can hire someone with thus-and-so certification, and you're guaranteed they can write new rules for this right away" is something like "This system is so straightforward that anyone who knows Unix can pick it up in an hour and write new rules for it. Oh, and here's the complete documentation -- and I can assure you that there are ...
I'm not saying OpenBSD is the only system that can meet these goals. (After all, I'm still waiting on the OpenBSD 3.0 CD to show up so I can set up a testbed to prove it's a better choice than more Cisco gear.) I'm saying it's not quite as easy as "pick whatever works and doesn't eat the network, and wing the rest."
Both the GPL and the Darren Copyleft depend on what the law will consider "a derivative of this code". So there is no legal difference in how viral they are.
Either both or neither let you mix, match, mate or link.
It might be less restrictive than what the FSF claim of the GPL, but in that case it is becasue FSF is wrong about the GPL.