OpenBSD 3.2 Readies For Release, pf Matures
An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contender in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."
Is it me, or is this story confusing? They took ipfilter out, but there is pf, so how is it without packet filter?
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.
I passed the Turing test.
Codswallop, January 11th is a Saturday!
If you open yourself to the foo, You and foo become one.
Dear Slashdotters,
I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.
1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!
Use FreeBSD instead. Or if it's old and shitty and single processor, use NetBSD. OpenBSD is fucking hype. The only good thing about it is SSH. Its performance sucks and it's the only non SMP BSD left.
Theo, you are a jerk, and no one likes working with you. The NetBSD guys were assholes to kick you out, but whine all you want about that, OpenBSD sucks. Sorry. I tried several times to give OpenBSD a chance. Sorry, pal, "secure" is a relative term even for you mist priv sep zealot (nice job hackin in privsep and causing a root exploit) and trojaned tarballs.
Good job, Rat. We don't care about OpenBSD. FreeBSD or die.
Does anyone know if anyone has ported the OpenBSD pf over to Debian?
That OpenBSD is the most secure OS in the world, but even though it doesn't have its precious packet filter, I still think it whips any other in the security area.
And why did you staple the trout to the RAM?
I had never before done any kernel programming, but I knew C
Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!
And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.
(hey it's a joke. but I'm still not giving up FreeBSD)
so basically, you're saying: OpenBSD is the most secure OS out there, as long as you don't install it on a computer?
It's already out there in the source tree... and has been for a while (beginning of October).
You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i386
I'm pretty sure you can do this install by getting the floppy (.fs) files and selecting FTP install.
If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)
set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src
You can then follow along here:
http://www.openbsd.org/faq/upgrade-minifaq.html
Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..
(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.))
-- C
this information is bad, as the 3.2 snapshots are now further ahead in development than the 3.2 release code. there is no supported method for backtracking from -current to -release.
for the impatient, the best method is to check out the 3.2 sources from cvs (as described) and build from source
I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.
Ignore the "p2p is theft" trolls, they're just uninformed
What mirror sites are available for these outdated packages?
What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketing drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.
I'd hardly call pf mature. Hell, it's only been in the CVS for less than a month. I commend OpenBSD as much as the next guy, but if Theo isn't careful he is going to end up with another root exploit in the default install.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Be careful. The 3.2 errata hasn't been committed to CVS. So while you're running the 3.2 RELEASE, 3.2 STABLE won't exist until the actual release.
If you really want an early 3.2, you need to port the relevant 3.1 errata to your 3.2 tree.
Actually I think the Net people hate him more.
Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.
He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I don't think other packet filters are doing, ask your vendor how they are handling these same types of issues.
This is why pf sounds like it will be very good (direct quotes from the article):
Wax on, wax off baby!
Which you realize, is more secure. OSX is similar in this respect. sshd, ftpd, all the services.. off by default. even sharing.. until you enable it.
If you start randomly turning on services on obsd w/o knowing what you are doing, whose fault is it for being insecure after the install?
-
ping -f 255.255.255.255 # if only
I think the more important question is the Cisco Patent. Is there any way around it?
If usability is what you're looking for, try FreeBSD instead. One of OpenBSD's goals is to be Secure by Default. Whereas other BSD variants and most Linux distros take an approach of 'turn everything on and let the admin turn off what he doesn't need', OpenBSD takes the opposite approach. In my experience as an admin, there's no difference in effort between locking down, say, a Redhat install, or enabling what I need after install on OpenBSD. The difference is, the more clueless among us will be more protected by the default install of OpenBSD than by Redhat.
Why didn't you warn me?
From there, /usr/ports makes available a tonne of software (some of which even works -- amazing!).
I'm speaking as a guy who hasn't installed X (tried once and mostly failed), but enjoys the commandline quite a bit. If you like working on the 'NIX commandline, or would like to learn, OBSD is a great system to play with.
khl
Or VMS which from what I heard is still being used by banks and such despite the fact that it was such a perverse OS and that TCP/IP was an optional package. Did that thing have any bugs at all !?
Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....
You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i386
Those are snapshots of 3.2-current, not of what will be released as 3.2.
The article is one of the best resumes I've ever seen.
Just disable the root account and install setuid programs or daemons to do specific functions for your administrator. If you have physical security, nobody will be able to actually login as root. Install an IP filter that only allows packets from privileged ports if you don't want users' processes to use the network directly. As for filesystem security, have users login to a chrooted account that only contains or mounts directories that they are supposed to access. How will this Unix installation be less secure than OSes you mentioned? Perhaps you mean that default UNIX distributions you saw are not very secure. Or that system calls supported by your OSes encourage secure application design. But it should be still easier to write a library for this purpose under Linux than to write a whole new OS. What am I missing?
I hate when people say that OpenBSD is the most secure OS.
It's fucking bullshit and everyone knows it. Stop pretending! It's like the pink fucking elephant in the living room that no one wants to talk about!
OpenBSD hasn't had a remote exploit in its default install because OpenBSD doesn't fucking install anything in the default install. The default install is a shell of an operating system. If you care that much about security your computer shouldn't be connected to a network in the first place.
the project is not commercial, and has no dreams of having millions of users. it only seeks to do what it does well - which it has for some time.
most of the users and all of the developers would probably scoff at the idea of upgrading the installer because development resources aren't cheap, and they feel the time would be better spent elsewhere since the installer does work just fine.
the 'rustic' install (complete with MANUAL PARTITIONING!!!) serves as a barrier to entry, keeping the mailing lists more clean of 'how do i mount a floppy?' questions.
The article is one of the best resumes I've ever seen.
Prospective employer: What have you done?
Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
Employer: (Silence while recovering from amazement.) What pay do you expect?
I hit a key accidentally, and Mozilla posted my comment above.
If you follow these OpenBSD zealots' line of reasoning then the most secure operating system is the one that does not exist.
Does anyone take them seriously?
Your clever ploys aren't going to fool me. I refuse to NOT click on the link!
seriously though, it seems that attempting to discuss bsd here at slashdot is a difficult proposition at best, can anyone recommend some sites where there is some intelligent discussion of bsd news and issues, without the annoying "BSD is dying" crap? deadly.org is the only one i know of and it's pretty slow.
any links / suggestions would be greatly appreciated, thanks!
The integration. All of these features in a powerful package with an installer targeted at admins.
The only thing I would ever ask of them is to take some of the lessons learned from the Gentoo Portage System.
anyone else notice how it's just one letter's location that separates a reference to the most insecure OS and the most secure OS?
OBSD
BSOD
ehh past my bedtime i think
yes, a great slash based bsd site is daily.daemonnews.org
same thing as /., but without much of the bsd bashing (I believe microsoft bashing is a religion there too though, but hey, I'm all for that)
-isolenz
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
no you didn't. openbsd only runs on a single processor.
thank you, come again.
Yay! Just in time for my birthday. :-) Actually, I'll probably wait a bit...just finished my upgrade to 3.1 STABLE. I wish every OS upgrade was as smooth...cvs update, compile, then do some diffs of etc. Nothing to it.
..than gentoo. You would be braindamaged to think that cvsup and ports don't lead to a real, stable, coherent well documented productionable system and that Gentoo leads to ANY of those said qualities.
Gentoo is not stable, audited, coherent, documented and it's certainly not production ready.
OpenBSD isn't even on the radar.
and my fear of change; but having worked on many unix and other firewalls: ipf has worked very well, I'm sure there are good reasons to add pf(ctl), but keep ipf for my sake! ;^)
"Failure of Windows operating systems is extremely rare. If it happens, it is usually due to operating system file c
What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.
Support the OpenBSD developers by getting a 3.2 CD: $40, or for Europe EUR 45
The new 3.2 poster is very nice too, get it for $10 US or EUR 14 in Europe
Cool Mac software that I found while looking for info: ssh and sftp for mac with SSH2 support. License? Well, there's a GNU head on the website :)
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
Theo has the best way to make BKL a bygone issue. NEVER SUPPORT SMP! I can't believe everyone hasn't thought of this first. My god. This is revolutionary
can anyone recommend some sites where there is some intelligent discussion of bsd news and issues
I prefer mailing lists. In fact, after signing up to some interesting OpenBSD lists (mostly just reading) I found I was reading OpenBSD a lot less and reading www.deadly.org a lot more (and wishing it had a lot more articles and discussion).
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Bugger, sorry. That should read "I found I was reading /. a lot less and reading www.deadly.org a lot more".
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
http://uptime.netcraft.com/up/graph/?mode_u=on&mode_w=on&site=www.openbsd.org
Operating System and Web Server for www.openbsd.org
The site www.openbsd.org is running Apache/1.3.26 (Unix) PHP/4.2.1 mod_perl/1.27 on Solaris.
Go to your slashdot preferences, the homepage tab, and on the lower part of the page is "Customize Slashboxes". Enable some of the bsd sites to see their headlines while reading slashdot.
Like Shanep said, OpenBSD Journal (at deadly.org) is a good one.
Got brain?
Not stable?
Try installing it and using it before you comment!
Gentoo 1.2, and then 1.4rc1, have been running my web/mail/shell server for months now, and it has NEVER not been stable. I never have to reboot it (apart from the very occasional kernel upgrade) and it never falters.
So i disagree with your uninformed comment completely!
your personal web/mail/shell server. i have been following gentoo since before you were probably aware of it. try loading that baby up. your personal web/mail server doesn't count. and if you are using that in production, whoooo-weeee. you are one risky kind of guy [aka reckless]
now, what was your max uptime, mr reboot the system to tinker the kernel? that's what I thought. "Gee, I haven't left it up for more than 3 days at a time because Marcelo releases yet another broken 2.4.20[pre/rc] update!" Come to think of it, a k-tard like yourself would love something like Gentoo, it's great for bored people looking for an excuse to reboot.
the whole fucking thing a half assed fork of NetBSD.
At least FreeBSD is original. (oh, and scalable, faster, more featured, has better ports, is secure -i don't know what the fuck or how the fuck SSH is better on OBSD, is coherent and respectful of 4.4BSD without being a fucking lunatic and keeping the shit that should have gone years ago there)
Theo de Craap. He stole SSH from Tatu, OpenBSD from NetBSD, most of the drivers from FreeBSD. The pf/ipf series was probably inspired by work done elsewhere since he set a precedent for being incapable of being original, or better.
Although I'm looking forward to the release,
and will upgrade eventually, I'm *REALLY* looking
forward to the next song..
For every problem, there is at least one solution that is simple, neat, and wrong.
Said "Mac Attack" is ancient and only affects very old versions of Mac OS 9.
An embedded, dedicated solution?
Don't get me wrong, though I've personally not used a BSD as a firewall, I know people who have, and they're happy with it, completely happy. But I really prefer something which was built from the ground up to be a firewall and ONLY a firewall.
I've worked extensively with the Sonicwall devices, and I've also heard some good things about the WatchGuard Firebox series. Then again, if you want to go gung ho all out and out, you can get a Cisco PIX.
Basically, for me, it boils down to having a specific device for a specific job, as opposed to having a general purpose piece of software running on commodity hardware for a specific job.
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.
.. 2 things:
This definition depends on what you call "secure".
Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.
I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.
To achieve this level of security, it is necessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.
What means "secure"?
"[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
- SE Linux FAQ, NSA
-----
There are mainly two types of secure Operating Systems.
a) Everything up to the C2 level of security
b) Everything from B1 up to A1 (never ever reached by any OS)
The difference is information labeling.
You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".
Most people don't need information labeling/mandatory access control, because all their data has the same level of sensitivity.
TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensitivity.
-----
Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:
OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.
VMS has an audit trail, access control lists, and a privilege model.
AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).
VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?
An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.
Now let's look at Trusted OSs:
SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.
Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).
Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.
Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.
-----
What I'd like to say is
1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but its security mechanisms are simply not powerful enough. A bug-free kernel does not help a lot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...
2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
HERE is TCSEC B3 certified Unix (Linux-compatible, too).
regards,
octogen
Following in Theo The Rat's footsteps, I intend to write the most secure OS in the world. It will support no CPUs! It will be revolutionary! No executable stacks, no kernel buffer overflows, no race conditions, no starvation problems, no privilege escalations, nothing!
However, also like Theo The Rat, I can't code for shit, especially hard stuff like an Operating System, so I'll just wait for someone else to do it while I cross post to everyone else's mailing lists with flames. Guys?
It's due to the intended audience/market.
If the installer is too complex/confusing for you, then you are not the intended audience.
Not meant as an insult, just reality.
OBSD isn't intended for the 'average' person, but one slightly above that level.
---- Booth was a patriot ----
I live in my girlfriend's parents basement
and my openbsd server is humming along right beside me, can i be lucky #13?
Redhat has not enabled services by default since the early days of 7.0 (that was back in 2000.) Here's something which most of us have known for quite some time, but you can call it news if you like: Recent News
So basically, your whole post is moot because Redhat hasn't enabled services by default for nearly 2 years now.
OpenBSD is dying, because Theo has a cold.
Heh...just kidding. But really, we're too dependent on him, and his whims. We need less ego in the BSD world. Theo DeRaadt, Darren Reed, Dan Bernstein et al can be fine programmers but what's the damn point if they can't get along. OpenBSD's development has too much power concentrated in the hands of too few people. This leads to all sorts of boo-boos and the inability to maintain older code (3.0 just died...ugh!).
I think that licenses are important. They need to be unconfusing. Project developers should find an existing, popular, and well understood license that most closely suit their needs and put their work under that license, rather than create their own. Here is where I fault DJB and Reed for their licensing quirks.
What license is irritating me the most right now is PINE's.
Daniel has a mirror of the interview at his site.
Legalize the constitution. Think for yourself question authority.
--- or --
cluebat: Z-OS is otherwise known as IBM OS/390 and holds something like 80% of the world's business data.
Okay, who is the troll. Some fucking fool doesnt know what a mainframe OS is, or someone who rather politely points it out.
You are a fucking idiot. You are the troll. And an OpenBSD zealot asshole.
hi.
if he cleans stuff up so well why doesn't he submit patches back to the original "offenders?"
that's why i thought. he doesn't. so get back to trying to suck your own dick, jbolden cockeater.
Ahemmm! set[ug]id, both. Also, the addition of Provos' systrace(1), which has been coming along for some time is tres cool, man. Listen, read:
Provos' (the author) systrace webpage on the subject.CTS. Someone bitched about the installer, and how cooler it'd be, how more ``popular'' OBSD'd be if it came with a purdier installer, cotton candy, and power seats. This flies in the face of how OBSD developers feel about the audience of their OS. `Fuck popular! Popular only brings unwashed numbers and wastes time; they don't handhold anyone.' `Read gaddammit, read!' `If you won't read the fucking excellent manpages, or won't read other included documentation, if you won't search list archives for the same repeated questions (and they will be if you are that stupid) you're a fucking slacker, if you read them and don't understand them, you're a fucking luser.' Sound like an OS that gives a shit about being popular or tolerant of stupid newcomers? I don't think so.
If you're prepared to do the hard work, not expecting handholding and waste anyone's time, you'll be alright. Not for everyone, as it should be.
I have extra new copies of Official OpenBSD CDs, selling them for a song, too.
They should really make you use blocks. If you can't convert blocks to megs, then you shouldn't be using OpenBSD.
Gentoo Linux has the wheel user as BSD.
I use NetBSD right now and for years, but it fails when it comes to Flash support on the web.
So OpenBSD 3.2 is released today, where can I buy this from in London, UK?
the Smith & Wesson extraction method destroys the keys. If you need a copy of the clear data, and you're dealing with someone who maintains that "you can have my keys when you pry them from my cold, dead fingers", shooting them won't do you much good. You'll have to either use some sort of subterfuge to sneak off with a copy of the keys or break the keyholder's will with some form of duress.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k