OpenBSD 3.1 Released
Telent writes "OpenBSD 3.1 is out. I've been using a -current snapshot from April as my desktop, and this is truly an amazing release with lots of new PF tricks, improved driver support, and many other cool things. Get it from the master site at ftp.openbsd.org, or use a mirror when possible. Even the release art kicks butt. Enjoy!"
Congratulations OpenBSD team. Thanks for another great release.
You can't grab the 3.1 release from the FTPs just yet. As Todd Miller said on misc@:
"The files have been transferring to the main ftp mirror since last night. Once that is done they will move to the secondary mirrors and the email announcement will be sent out."
I still get "permission denied" when trying to access the 3.1 directory. Of course this is an entirely different story if you've ordered the CDs.
3.1 still hasn't been officially announced:
So, check back soon.
b&
All but God can prove this sentence true.
Just go to https://https.openbsd.org/cgi-bin/order for international orders or for European orders https://https.openbsd.org/cgi-bin/order.eu
The new artwork really ROCKS!
Can't fight the Systemagic, Über tragic, Can't fight the Systemagic....
Check out the OpenBSD faq pages....
more specifically
http://www.openbsd.org/faq/faq10.ht
I think you will find PF the easiest to use because the rules are easy to learn and make sense.
Yes
I run OpenBSD on a 486 with 16 MB RAM, so I would qualify your system as "overkill".
Better still....
http://www.deadly.org/pf-howto/html/
Quoth baywuulf:
OpenBSD will run just fine on this computer. monk.trumpetpower.com is running on basically that same platform, and it's never given me a hint of trouble. Not that it or my DSL would likely survive a slashdotting, but....
My laptop is a Pentium 120 with 72 Mbytes RAM. I run Konqueror and Netscape under Windowmaker on it all the time. Sure, it's not a blazing speed daemon, but it's quite usable. And it's great to take onsite--I've got Apache, a DHCP server, lots more running on a machine I can tuck under my arm. I can max out a 100 Mbit Ethernet link with Apache, which actually makes the laptop a bit more convenient in some cases than a CD for transferring files.
b&
All but God can prove this sentence true.
more than adequate. I ran my home gateway on a p166/48mb ram machine for something like a year and a half (only downtime was due to things like me tripping over the power cable in a drunken stupor ;-)), no problems at all. I don't think the load ever went above 0.3 the whole time. (This was with 2.7, I don't see how 3.1 could be much different.) Heck, you could probably use a 486 if it had enough ram... Honestly, if all you're doing is firewall/gateway duty anything north of 8megs would probably be ok. I got openbsd to run on a 486/33 with (iirc) 6 megs at one point (a fancy struck me to put an irc server in my bathroom)... that was sort of painful, but the machine did run. I ended up reinstalling win98 on the p166 machine and using my old linksys router in its place (because some friends of mine lost their computer in hurricane Allison last year, i figured they needed _a_ machine more than I needed _another_ machine, heh), if not for that then I imagine the little box would still be cheerfully tossing packets around for me. Now, obviously, if you have a bigger network behind the obsd machine than, say, 10 workstations, you're going to need more hw (faster proc, more ram to hold state tables, etc.)... Given that amd k6-2 cpus and super-7 motherboards are practically free these days, a machine to stand in front of a good sized office network probably wouldn't cost more than a hundred bucks if you were willing to scrounge (you only need a couple hundred meg hd unless you want to log things).
News for Geeks in Austin, TX
I think you got your link incorrect. Maybe you meant this.
ISO images are copyright to Theo de Raadt and are not distributed beyond actual CDs. OpenBSD has a different support/development model, funded through CD sales and donations.
The non US distribution points seem to be solely in Europe and can be found here
troodon.net
I got the released CD through the mail a few days ago. Could be because I live near where the main distributor is based.
This allowed me to spend the weekend upgrading the servers over to 3.1. The process was painless, the pre-compiled packages from ports allowed me to speed a few things up and within seconds I had everything patched against the errata and ready to go.
I would like to point out that this is the first release where ports.tar.gz works without a problem. Normally I am forced to download ports or even src.tar.gz because they refuse to be decompressed.
However, I am not looking forward to upgrading my 2.9 firewall to 3.1. Since OpenBSD 3.x releases no longer support IPF, I need to have the new PF ruleset in place before I do anything serious on that machine.
There's a good guide to setting up OpenBSD IPF firewalls here
troodon.net
I used to think the same thing, but then I did a little searching on Groups.Google.Com and found out that it is very easy to make your own ISO. You can get the latest snapshot... All you have to do is download the latest binary files from the OpenBSD FTP snapshot directory... Then use freeware cdrecord to do the change. I use a command like this on my Windows 2000 and Windows XP systems: Download the i386 to c:\OpenBSD\snapshot-05192002\i386\ and run mkisofs. c:\cdrecord\mkisofs -v -r -T -J -V "OpenBSD-i386-31" -b 3.1/i386/cdrom31.fs -c boot.catalog -o c:/OpenBSD/OpenBSD-i386-31-snap.iso -x c:/OpenBSD/OpenBSD-i386-31-snap.iso c:/OpenBSD/snapshot-05192002/ Obviously you have to mess with the paths a bit for your system, but it isn't that hard. Creates a 130MB ISO, burn it with Nero (or something else) and boot. With Nero, make sure you do "full disc" and "finalize" options when burning the options. Again, check groups.google.com and search "openbsd mkisofs".
These might be also helpful:
OpenBSD Packet Filter
Re: pf and statesfull filtering on a bridge
The OpenBSD Packet Filter HOWTO
troodon.net
Okay, now it's official. Here's the announcement:
To: announce@openbsd.org
Subject: OpenBSD 3.1 Released!
Date: Sun, 19 May 2002 15:03:44 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
- OpenBSD 3.1 RELEASED -
May 19, 2002.
It is our pleasure to officially announce the release of OpenBSD
3.1. This year OpenBSD turns 7 years old. In celebration of this
milestone, we invite you to enjoy our 11th release on CD-ROM (and
12th via FTP). We continue to celebrate OpenBSD's record of four
years without a remote hole in the default install. Just like all
of our previous releases, 3.1 provides significant improvements,
including new features, in nearly all areas of the system:
- Improved hardware support (http://www.OpenBSD.org/plat.html)
o Much improved support for UltraSPARC hardware. More models are
supported and X11 works on all supported models.
o Improved 802.11b support, including a host-based access point
mode for Prism chipsets (i.e. wireless bridging). It is now
possible to completely configure a wireless interface using ifconfig.
o The hardware crypto drivers now work on all PCI platforms.
o Major macppc improvements including a brand new pmap module
that cut 'make build' time by over an hour.
o Tekram TRM-S1040 based PCI SCSI controllers are now supported.
o Creative SB Live! cards are now supported.
o HiFn 7811 is now supported by the hifn driver. A long-standing
bug causing PCI aborts has also been fixed in the hifn driver.
o Kernel support for Altivec on the macppc platform.
- Major improvements in the pf packet filter:
o Significant performance improvements due to additional optimizations
based on detailed benchmarks. Filter rule evaluation cost
(which occurs for every packet that isn't passed statefully)
is reduced by about 70%.
o Stateful filtering (including address translation and redirection)
for arbitrary IP protocols other than TCP, UDP and ICMP, for
instance GRE (used for IPsec/PPTP).
o Configurable memory limits (preventing memory exhaustion).
'pfctl -m' can set an upper bound on the number of simultaneous
states or fragments.
o authpf(8), an authenticating gateway user shell, modifies filter
rules when a user logs in, controlling network access at the user
level.
o New 'fastroute', 'route-to' and 'dup-to' options allow pf to
route packets independently of the system routing table. This
can be used to e.g., implement source-based routing or to
duplicate packets to an IDS or logging host.
o Parser improvements allow further reduction of rule set complexity
('no nat', rdr port ranges, and more).
o Rule labels simplify usage of counters for accounting ('pass in
from any to any port www label http_requests').
o The 'no-route' keyword in filter rules matches packets with non-
routable addresses. E.g., 'block in quick from no-route to any'
blocks packets from non-routable source addresses.
o tcpdump(8) expressions can filter pf logs on pf-specific fields.
E.g. 'tcpdump -i pflog0 action block' prints only blocked packets.
o Additional ioctls for adding and removing state entries (used by
proxies, authpf(8) and pfctl(8)).
- Ever-improving security (http://www.OpenBSD.org/security.html)
o More fixes for potential signal handler races. Work is ongoing in
this area to fix the signal handlers in all programs, not just
privileged ones.
o sshd now supports a privilege separation mode where all incoming
network traffic takes place in an unprivileged process.
o A number of memory leaks that could lead to denial of service
attacks have been plugged.
o Several other security issues fixed throughout the system, many
of which were identified by members of the OpenBSD team themselves.
Please see http://www.OpenBSD.org/errata30.html for more details
on what was fixed.
- New subsystems included with 3.1
o A version of the venerable spell program is now included.
o Generic macros for manipulating splay trees and red-black trees.
o Support for extended attributes in the filesystem.
- Many other bugs fixed (http://www.OpenBSD.org/plus30.html)
- The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)
o The 3.1 CD-ROMs ship with many more pre-built packages for the
common architectures. The FTP site contains hundreds more
packages (for the important architectures) which we could not
fit onto the CD-ROMs.
- Many subsystems improved and updated since the last release:
o A long-standing bug in the i386 MBR that caused a hang on boot
with some machines has been fixed.
o Better sizing of kernel buffers, based on the amount of physical memory.
o Other memory-related limits are tunable without recompiling a
kernel via config -e.
o Improved behavior of the virtual memory system in low-memory
situations.
o ALTQ is supported by more ethernet drivers and now works on
bridged interfaces.
o Loadable kernel modules are now supported on ELF platforms.
o The 2 gigabyte file size limit has been removed from mmap(2),
vnd(4), savecore(8), dump(8), restore(8), and rcp(1).
o XFree86 updated to 4.2.0.
o sendmail updated to 8.12.2.
o Latest KAME IPv6
o KTH Heimdal-0.4e
o OpenSSH 3.2
If you'd like to see a list of what has changed between OpenBSD 3.0
and 3.1, look at
http://www.OpenBSD.org/plus31.html
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
This is our twelfth OpenBSD release, and the eleventh release which
is available on CD-ROM. Our releases have been spaced six months
apart, and we plan to continue this timing.
- SECURITY AND ERRATA
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.1 FTP/CD-ROM binaries and the actual 3.1
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems and we always provide patches as soon as
possible. Therefore, we advise regular visits to
http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html
Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:
http://www.OpenBSD.org/mail.html
- CD-ROM SALES
OpenBSD 3.1 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track by Ty
Semaka, http://www.thedevils.com/.
Profits from CD sales are the primary income source for the OpenBSD
project; in essence, selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 3.1 CD-ROMs are bootable on the following six platforms:
o i386
o alpha
o sparc
o sparc64 (UltraSPARC)
o macppc
o hp300*
* The m68k-based platforms, including hp300, are located on a fourth
CD that is not included in the official CD-ROM package. You can
download the ISO image for the fourth CD as described below.
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
http://www.OpenBSD.org/orders.html
The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:
https://https.OpenBSD.org/cgi-bin/order
or, for European orders:
https://https.OpenBSD.org/cgi-bin/order.eu
All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. As well, donations to the project are highly
appreciated, as described in more detail at:
http://www.OpenBSD.org/goals.html#funding
Due to space restrictions and our desire not to raise the cost of
the CD-ROM, the Motorola 68k-based platforms are located on a
fourth CD that is not included in the official CD-ROM package.
An ISO image for this CD may be downloaded from:
ftp://ftp.openbsd.org/pub/OpenBSD-ISO/3.1-CD4.iso
This CD contains the amiga, hp300, mac68k and mvme68k install sets
as well as the m68k packages. The CD is bootable on the hp300.
Note that not all ftp mirrors will carry the CD image.
- T-SHIRT SALES
The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:
https://https.OpenBSD.org/cgi-bin/order
The new 3.1 t-shirt is not available at this time but will be
available shortly.
- FTP INSTALLS -
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.
1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:
http://www.OpenBSD.org/ftp.html
ftp://ftp.OpenBSD.org/pub/OpenBSD/3.1/ftplist
2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.1/ which contains these files and directories.
This is a list of what you will see:
Changelogs/ alpha/ macppc/ sparc64/
HARDWARE amiga/ mvme68k/ src.tar.gz
PACKAGES ftplist packages/ srcsys.tar.gz
PORTS hp300/ ports.tar.gz tools/
README i386/ root.mail vax/
XF4.tar.gz mac68k/ sparc/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:
CKSUM INSTALL.os2br comp31.tgz man31.tgz
INSTALL.ata INSTALL.pt etc31.tgz misc31.tgz
INSTALL.chs MD5 floppy31.fs xbase31.tgz
INSTALL.dbr base31.tgz floppyB31.fs xfont31.tgz
INSTALL.i386 bsd floppyC31.fs xserv31.tgz
INSTALL.linux bsd.rd game31.tgz xshare31.tgz
INSTALL.mbr cdrom31.fs index.txt
If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs file. Consult the INSTALL.i386
file if you don't know which of the floppy images you need (or
simply fetch all of them).
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
http://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 3.1 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/3.1/tools
directory to do so.
- XFree86 FOR MOST ARCHITECTURES -
XFree86 has been integrated more closely into the system. This
release contains XFree86 4.2.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During installation,
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.
On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.2.0 or where XFree86 4.2.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.
- PORTS TREE -
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.1 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see PORTS file for more information.
Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see PACKAGES, below).
- BINARY PACKAGES WE PROVIDE -
A large number of binary packages are provided. Please see PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/PACKAGES) for more details.
- SYSTEM SOURCE CODE -
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.1/ directory:
XF4.tar.gz ports.tar.gz src.tar.gz srcsys.tar.gz
- THANKS -
OpenBSD 3.1 includes artwork and CD artistic layout by Ty Semaka,
who also is featured in an audio track on the OpenBSD 3.1 CD set.
Ports tree and package building by Christian Weisgerber, David Lebel,
Marc Espie, Peter Valchev and Miod Vallat.
System builds by Theo de Raadt, Niklas Hallqvist, Todd Fries and Bob Beck.
ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.1 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.
Our developers are:
Aaron Campbell, Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bob Beck, Brad Smith, Brandon Creighton, Brian Caswell,
Brian Somers, Bruno Rohee, Camiel Dobbelaar, Chris Cappuccio,
Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn, Damien Miller,
Dan Harnett, Daniel Hartmeier, David B Terrell, David Lebel,
David Leonard, Dug Song, Eric Jackson, Federico G. Schwindt,
Grigoriy Orlov, Hakan Olsson, Hans Insulander, Heikki Korpela,
Horacio Menezo Ganau, Hugh Graham, Ian Darwin, Jakob Schlyter,
Jan-Uwe Finck, Jason Ish, Jason Peel, Jason Wright, Jean-Baptiste Marchand,
Jean-Jacques Bernard-Gundol, Jim Rees, Joshua Stein,
Jun-ichiro itojun Hagino, Kenjiro Cho, Kenneth R Westerback,
Kevin Lo, Kevin Steves, Kjell Wooding, Louis Bertrand, Marc Espie,
Marco S Hyman, Mark Grimes, Markus Friedl, Mats O Jansson, Matt Behrens,
Matt Smart, Matthew Jacob, Matthieu Herrb, Michael Shalayeff,
Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin, Miod Vallat,
Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,
Oleg Safiullin, Paul Janzen, Peter Galbavy, Peter Stromberg,
Peter Valchev, Reinhard J. Sammer, Shell Hin-lik Hung, Steve Murphree,
Thierry Deval, Theo de Raadt, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Wim Vandeputte.
All but God can prove this sentence true.
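The pf features the announcement lists for 3.1 (the 'no-route' keyword, rule labels, stateful filtering of GRE, and 'route-to'/'dup-to') fit together into a small gateway ruleset like the one below. This is an added example, not part of the announcement or of the OpenBSD project's own files; the interface names, addresses, and the parenthesised (interface address) form of route-to/dup-to are assumptions, so check them against pf.conf(5) for the release actually installed.

```conf
# Constructed example pf.conf for an OpenBSD 3.1-era gateway (not from the page).
# Assumed interfaces: fxp0 = external, fxp1 = internal LAN,
# fxp2 = segment with an IDS host, fxp3 = a second uplink.
ext_if = "fxp0"
int_if = "fxp1"
ids_if = "fxp2"
alt_if = "fxp3"
alt_gw = "10.9.9.1"
ids_host = "192.168.2.2"
web_srv = "192.168.1.10"
lan_net = "192.168.1.0/24"

# Default deny, logged, so that the 3.1 tcpdump filter
# 'tcpdump -i pflog0 action block' shows exactly what was dropped.
block in log all
block out log all

# 3.1 'no-route' keyword: drop packets whose source address has no entry
# in the kernel routing table (spoofing check without a hand-kept bogon list).
block in log quick on $ext_if from no-route to any

# Loopback and the trusted LAN side pass freely, statefully.
pass in quick on lo0 all
pass out quick on lo0 all
pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Inbound web traffic: also copied to the IDS host with dup-to (the original
# packet still takes the normal path), and counted under a rule label so the
# per-rule counters reported by pfctl can be used for accounting.
pass in on $ext_if dup-to ($ids_if $ids_host) proto tcp from any to $web_srv port www flags S/SA keep state label http_requests

# Source-based routing with route-to: traffic from one LAN host is forwarded
# out of the second uplink regardless of the system routing table.
pass in on $int_if route-to ($alt_if $alt_gw) from 192.168.1.50 to any keep state

# Outbound from the gateway itself, stateful.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto udp from any to any keep state

# 3.1 added state tracking for protocols other than TCP/UDP/ICMP;
# GRE (as used by PPTP) is the usual case.
pass out on $ext_if proto gre from any to any keep state
```

Because pf uses last-matching-rule semantics, the web-server rule carries both dup-to and the label in one rule rather than two, otherwise only the later rule would apply.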
I can't be bothered to answer all of this, so here's the important (as I see them) points:
You have some great code but it's the license. Why do you not GPL or LGPL the code, or at least the parts that do not need to be BSD?
Because we *LIKE* BSDL.
BSD license is not very nice when someone yanks their code from the code base and makes it non free. How would you like it if someone gave you a gift "code" and then 6 months later took the gift back "code". Granted most coders do not do this but some do.
FUD. Code cannot be yanked from the code-base. You can't "un-license" code like that. I can take the code and add to it and sell it without revealing my source, but it will still exist in the *BSD code bases for all to see/use/whatever.
Sendmail has had a bad history. Granted. Sendmail is not so insecure anymore. And configuration of sendmail defaults will please most people.
-
ping -f 255.255.255.255 # if only
Although not a question that should be modded to +5 as it's been answered before -- again and again, in this case it's good so that people can learn why Sendmail is in OpenBSD.
First, Sendmail is a GREAT MTA when used properly. The way it is installed, and the way it interoperates with the system is very secure. You don't see OpenBSD machines being used as spam gateways or getting hacked due to sendmail. It's almost secure plug-and-play.
Why people think that sendmail is automatically insecure is beyond me. OpenBSD is NOT MEANT to be an "OS for dummies" (like many Linux distributions are trying to be). OpenBSD is meant for users who know what they are doing, and are experienced enough not to make the stupid mistakes that will get them hacked/exploited. As long as you don't do something incredibly stupid, 99% of the time the architecture of OpenBSD will take care of the rest. This includes getting sendmail up and running.
So basically it runs quite well on OpenBSD, but you have to install the whole Linux base system (bad, bad thing if you have a small disk), as well as to enable Linux-compat in the kernel.
Programming can be fun again. Film at 11.
Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations. A single buffer overflow would completely compromise the machine running sendmail. It was originally written with little regard to security and has a long lifespan, accumulating cruft. It should be no surprise that it has had several vulnerabilities over the years. (That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.)
In contrast, Postfix is broken apart into several different processes. Each executes at the minimum privilege necessary to do its job. A process running as an unprivileged user inside a chroot() jail containing no setuid binaries is a minimum risk to the system. The entire system was constructed with a focus on security - both eliminating vulnerabilities like buffer overflows and minimizing their impact should they occur. It has, by comparison, an unblemished security record.
For more information on why Postfix's security is completely superior to sendmail's, please see this page.
Sendmail in OpenBSD hasn't run as root since 2.9.
Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs. That's why it's included in the default install. Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement. An email regarding the why's of using Sendmail versus another MTA are here.
I implement sendmail all the time, and I work in an IT security shop. Set up properly, it's rock solid. My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have. They heard somewhere that sendmail is insecure... Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue. These are guys that walk through firewalls and IIS webservers in moments. They're so good at this, that we give a money back guarantee, we don't get in, it's free. If OpenBSD gets popular, we might start losing money.
Yes, but they give you instructions for making your own iso.. I just made my 3.1 iso. Very simple.
Common sense is not so common.