Slashdot Mirror
Custom OpenBSD 3.0 with IPFilter From Darren Reed
rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.
OpenBSD's main tenet is that security is the most important part of the distribution. This rogue distribution is using OpenBSD's name (is this allowed? Anyone?); is it still following OpenBSD's strictures regarding security, such as a full source audit before release?
I can't say that I don't give a fuck. I've just run out of fuck to give.
I've setup a firewall with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.
Not that PF is bad - you just can't do everything together ;-)
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
I use FBSD, and OBSD. sorta stuck in the middle on this since FBSD doesn't think the D. Reeds license is non-free like Theo et'all believe, and rightly so. Honestly, The OBSD IP filter is supposedly better anyways. Apparently the OBSD was aware of some design flaws in IPF, and engineered their version without them. So I hear its slightly faster, and backwards compatible with Reeds IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSD to consider their IPF, but don't' really care one way or the other.
Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.
It isn't a lie if you belive it.
conflict surrounding the openbsd project
next story please.
One important thing to note (and left out of this announcement) is that Darren will be including bootable ISOs with his releases. This is a great move, as I've always run into trouble with the hacked together OpenBSD unofficial ISOs. I'm also not too keen on using a 6-month-old firewall with who knows how many fixes needed in the future, and am glad IPF is back in the game with a OpenBSD-alike release that I can grab and run with. Good job to everyone involved!
Interested in open source engine management for your Subaru?
Just installed OpenBSD 3.0 today.
/etc/pf.conf, not /etc/ipf.rules.
The new Packet Filter' syntax is somewhat backwards-compatible with IPFilter, the most significant difference being that with PF you now must specify protocol when specifying ports, so for example if with IPF you had:
block in on fxp0 from any to any port = 137
with PF you have to change it to:
block in on fxp0 proto { udp, tcp } from any to any port = 137
And you place the default donfiguration in
Dude,
You don't want to include my program with your distribution?
Fine, I'll just include your distribution with my program!
'nuff said!
Note to impressionable youngsters: there is no basis in fact for this statement.
OpenBSD team wants to get changes incorporated into IPF. Darren no respond.
Ask again -> No respond. Darren coder supreme.
OpenBSD decide to make changes, but only in OpenBSD source tree. Darren hears, gets angry! Decides: "LICENSE NO ALLOW!"
Insert Flame War.
OpenBSD team decide to switch to different packet filter under BSD license. Because Project Goal: Every user should be able to make changes to source tree. IPF license bad!!
Darren try get back: says, NetBSD, FreeBSD allowed! MUAHAHAHAH!!!
Theo say: no care, pf much better than ipf!
Darren changes mind: changes license. But OpenBSD will not change back to ipf. Darren even much more bitter.
Darren so bitterbitter. Decides: I'LL GET BACK BY FORKING OPENBSD AND RELEASING MY OWN VERSION. HEHEHEHEHE.
Conclusion: Open source, closed minds.
I find this very amusing.
I don't have a bias for one or the other (IPF vs PF), but will probably stick with PF since it's included in the default OBSD 3.0 installation.
Is there any reason why I should keep using IPF? Isn't it still included in the ports if I really needed it? Doesn't this sound like a political move?
Wooden armaments to battle your imaginary foes!
I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.
Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?
It's called packet filter - just pf, rather than ipf. It was developed by the OpenBSD team, and has some features they wanted to add but never could due to the restrictions on the IPF license. That's what Theo claimed in an interview I read, anyway.
It's the file system speed improvements that really make an upgrade to OpenBSD 3.0 worthwhile, though..
Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raddt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.
Darren, listen to your users - change your license or perish.
df
Darren, grow up :)
Why not just create a port for OpenBSD ?
If what I have read onthe mailing lists is any indication, it is unlikely Theo will lose control (well, of teh project anyway :) ). Most seemed to agree that this kind of stunt is exactly what Darren was trying to pull when he put the offending clause in the license in the first place. And regardless of how people feel, it seems the "Official" OpenBSD is still more trusted.
NetBSD out of business? What? Are you smoking Moderator crack, Mr. Troll? Besides, Theo was locked out of the NetBSD project and waited almost a year (holding the only Sparc port BTW) before coming out with OpenBSD. It is not the same situation.
of what happened to date.
You can read the original mix of hurt feelings, screams of piglethood, and resentment here
When in doubt, have a man come through a door with a gun in his hand.
The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.
I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.
While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to dropped IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I've never understood why people get so up in arms about the lack of downloadable ISO's for OBSD
..
How the hell hard can it be to do the following?
mkdir ~/obsd30
cd ~/obsd30
[use favorite method of obtaining all files from OBSD Mirror]
cd
mkisofs -b floppy30.fs -c boot.catalog -R -o obsd.iso obsd30
cdrecord [your options] obsd30.iso
(NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)
I buy OBSD CD's to support the project, but I'm not waiting for them to arrive when the files are there for FTP.
I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.
License Bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The QMail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)
If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.
lot's of engineers for wine would have been nice, too, but bundling netscape, a bsd (or linux), and the (then) personal use version of staroffice, and they could have kicked a good chunk of the low-end clean out from under microsoft.
hawk
Only the paranoid survive and all that.
"Well, put a stake in my heart and drag me into sunlight."
Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
I hate legalese, don't you ?
Ironic that this relatively short license which is somewhat BSD style is actually copyleft or "viral" in nature. Look closely at the section before the diclaimer boiler-plate. Maybe it should be called the DPL (Darren Public License) BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?
psxndc
The emacs religion: to be saved, control excess.
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
:-) )
:-)
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.
To settle this once and for all, my name is Theo DeRaadt. Happy?
--
Theo DeRaadt
Founder, OpenBSD project.
This story made me laugh my bag off.
TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).
I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.
I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly change his mind about his work and then another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to the license.
I guess the moral of the story is that, all Opensource developer should bond more together and remember our real goal for opensourcing. There may be slight difference in opinion but we should get over the difference and try to produce the best software with minimal effort.
By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....
Being a security consultant, I will still recommend OpenBSD as FW platform, but I would wait a bit before PF, simply for the need for enough track record to be made. Let time to prove this firewall, so to speak.
He's definately changed it.
The first version said "Redistribution and use in source and binary forms are permitted provided that this notice is preserved and due credit is given to the original author and the contributors."
Everyone had assumed that use included modification. Darren got pissed at Theo and started claiming that it did not. To quote Darren at the time: "Yes, this means that derivitive or modified works are not permitted without the author's prior consent." He claimed that this was not a change to the license, but it was certainly a change from the way everyone using it had thought it was to be read. This was what provoked OBSD to remove his package. If the other BSD teams were true to their principles they would have removed it too, at this point, and actually they might have if Darren hadn't lobbied them heavily and agreed to change itfor them. Which he eventually did. If he's still claiming that he never changed the license then he's just exposing himself as a shameless liar - the first case it sort of made sense to claim he wasn't *changing* the license but only clarifying (although he's on record earlier that it amounted to "public domain" - his words - which shows that he was really lying even then - his reinterpretation was definately novel even in his own mind, even if he wouldn't admit it. But the new license actually changes words in the license itself, it's not just a "clarification" by any stretch of the imagination. The license on the versions he's distributing now says "Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors." It also has a viral clause prohibiting it's incorporation into anything under a different license, such as GPL or BSD. This was not a part of the original license.
For comparison:
The original license, for example from the ip_fil.c in NetBSD 1.5, is:
The complete LICENSE file, as included with NetBSD 1.5 and the original ip_fil3.4.17 source distribution, is:
Pretty much the same license, the second just has some disclaimers added. This was the license he first described as "public domain" (search for my comments on past articles on this and you should find a link to where he stated that" - and then "clarified" at a later date to prohibit modification.
Now, the license on the version he is distributing today, with an explicit allowance for modification, and the new viral clause:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Given Theo's legendary patience and understanding, i'm sure that Theo and Darren can find a compromise they can live with and work this out.
FreeBSD for the impatient.