Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD 3.2 Readies For Release, pf Matures

Posted by CowboyNeal on from the alternatives-to-linux-and-iptables dept.

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

8 of 292 comments (clear)

  1. Re:so is there a packet filter or not? by aridhol · · Score: 5, Informative

    When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  2. Re:so is there a packet filter or not? by a+(+h+3+r+0+n · · Score: 5, Informative

    The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

  3. if you are going to upgrade to 3.2 ahead of time by congiman · · Score: 5, Informative

    Its already out there in the source tree... and has been for a while (beginning of october).

    You can grab the main .tgzs from:
    ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

    I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

    If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

    set your cvsroot:
    setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
    cd /usr
    cvs -q get -rOPENBSD_3_2 -P src

    You can then follow along here:

    http://www.openbsd.org/faq/upgrade-minifaq.html

    Make sure you do all the steps,
    Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

    (note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

    -- C

  4. Re:so is there a packet filter or not? by jbolden · · Score: 5, Informative

    OpenBSD truly IS among the most secure operating systems in the world.

    I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:

    - The existence of a filesystem
    - Having any individual have much real authority over the system ....

  5. Re:WARNING: SNAPSHOTS ARE NEWER THAN RELEASE by congiman · · Score: 4, Informative

    The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

    But, I'll also grant you that that seems weird in that it usually changes more often.

    If all else fails, wait 3 days and you can find it at:

    ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
    (THIS LINK WILL NOT WORK UNTIL FRIDAY)
    (this is posted in PST, so Friday is still 3 days away).

    Yeah the best way would be to grab 3.1
    ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

    install it
    and then src code upgrade

    -- C

  6. Why pf sounds great by capedgirardeau · · Score: 5, Informative

    Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

    He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

    This is why pf sounds like it will be very good (direct quotes from the article):

    ... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

    ... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

    ... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

    ... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

    ... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

    ... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

    --
    Wax on, wax off baby!
  7. Re:pf? Mature? by atrus · · Score: 4, Informative

    If you actuaky read the interview, pf appeared in the 3.0 release. Which is about a year ago.

  8. The most secure OS by octogen · · Score: 4, Informative

    And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

    This definition depends on what you call "secure".

    Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.

    I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.

    To achieve this level of security, it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.

    What means "secure"?
    "[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
    - SE Linux FAQ, NSA

    -----

    There are mainly two types of secure Operating Systems.
    a) Everything up to the C2 level of security
    b) Everything from B1 up to A1 (never ever reached by any OS)

    The difference is information labeling.
    You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".

    Most people don't need information labeling/mandatory access control, because all their data has the same level of sensivity.

    TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensivity.

    -----

    Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:

    OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.

    VMS has an audit trail, access control lists, and a privilege model.

    AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).

    VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?

    An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.

    Now let's look at Trusted OSs:

    SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.

    Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).

    Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
    If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.

    Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.

    -----

    What I'd like to say is .. 2 things:

    1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but it's security mechanisms are simply not powerful enough. A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

    2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
    HERE is TCSEC B3 certified Unix (Linux-compatible, too).

    regards,
    octogen