Slashdot Mirror
Custom OpenBSD 3.0 with IPFilter From Darren Reed
rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.
Dude,
You don't want to include my program with your distribution?
Fine, I'll just include your distribution with my program!
'nuff said!
Note to impressionable youngsters: there is no basis in fact for this statement.
OpenBSD team wants to get changes incorporated into IPF. Darren no respond.
Ask again -> No respond. Darren coder supreme.
OpenBSD decide to make changes, but only in OpenBSD source tree. Darren hears, gets angry! Decides: "LICENSE NO ALLOW!"
Insert Flame War.
OpenBSD team decide to switch to different packet filter under BSD license. Because Project Goal: Every user should be able to make changes to source tree. IPF license bad!!
Darren try get back: says, NetBSD, FreeBSD allowed! MUAHAHAHAH!!!
Theo say: no care, pf much better than ipf!
Darren changes mind: changes license. But OpenBSD will not change back to ipf. Darren even much more bitter.
Darren so bitterbitter. Decides: I'LL GET BACK BY FORKING OPENBSD AND RELEASING MY OWN VERSION. HEHEHEHEHE.
Conclusion: Open source, closed minds.
I find this very amusing.
I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.
Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?
Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.
I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":
iptables :
iptables -A INPUT -s 10.11.0.0/16 -p tcp -o tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -o tcp --dport 22 -j DENY
pf:
block in proto tcp to any port ssh
pass in proto tcp from 10.11.0.0/16 to any port ssh keep state
Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.
The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.
I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.
While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to dropped IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I think that you mean the ISO/CD-ROM image layout. From the FAQ:
/etc, /home, and so forth...) is under copyright.
Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.
I don't think that the layout of the filesystem itself (/,
The actual name would be under trademark, and I would imagine that someone else would be unable to use the trademark to distribute a derivative of OpenBSD. Linux is the name of the kernel for Linux distros, bsd is the name of OpenBSD's kernel. The use of Linux as a trademark should technically be approved by Linus or whomever manages that for him.
I guess this would be OpenBSDarren...
I've never needed the ISO's. The net install works rather well, and you can do it over HTTP or FTP, as well as the other standbys (NFS, local, etc).
I've lurked on the misc@openbsd mailing list, and seen what Darren says. He seems "shady" (best as I can describe it). He seems to do his best to piss people off, and whenever pf doesn't work as expected, he says "IPF does that". Even if the poster was using the wrong syntax.
The firewall age isn't an issue, it's infancy happened on the -current tree. I'm rather happy with pf, and will keep using it whenever possible.
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
:-) )
:-)
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.
To settle this once and for all, my name is Theo DeRaadt. Happy?
--
Theo DeRaadt
Founder, OpenBSD project.
He's definately changed it.
The first version said "Redistribution and use in source and binary forms are permitted provided that this notice is preserved and due credit is given to the original author and the contributors."
Everyone had assumed that use included modification. Darren got pissed at Theo and started claiming that it did not. To quote Darren at the time: "Yes, this means that derivitive or modified works are not permitted without the author's prior consent." He claimed that this was not a change to the license, but it was certainly a change from the way everyone using it had thought it was to be read. This was what provoked OBSD to remove his package. If the other BSD teams were true to their principles they would have removed it too, at this point, and actually they might have if Darren hadn't lobbied them heavily and agreed to change itfor them. Which he eventually did. If he's still claiming that he never changed the license then he's just exposing himself as a shameless liar - the first case it sort of made sense to claim he wasn't *changing* the license but only clarifying (although he's on record earlier that it amounted to "public domain" - his words - which shows that he was really lying even then - his reinterpretation was definately novel even in his own mind, even if he wouldn't admit it. But the new license actually changes words in the license itself, it's not just a "clarification" by any stretch of the imagination. The license on the versions he's distributing now says "Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors." It also has a viral clause prohibiting it's incorporation into anything under a different license, such as GPL or BSD. This was not a part of the original license.
For comparison:
The original license, for example from the ip_fil.c in NetBSD 1.5, is:
The complete LICENSE file, as included with NetBSD 1.5 and the original ip_fil3.4.17 source distribution, is:
Pretty much the same license, the second just has some disclaimers added. This was the license he first described as "public domain" (search for my comments on past articles on this and you should find a link to where he stated that" - and then "clarified" at a later date to prohibit modification.
Now, the license on the version he is distributing today, with an explicit allowance for modification, and the new viral clause:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Given Theo's legendary patience and understanding, i'm sure that Theo and Darren can find a compromise they can live with and work this out.
FreeBSD for the impatient.