OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

Re:so is there a packet filter or not?

[aridhol]

When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

Re:so is there a packet filter or not?

[a+(+h+3+r+0+n]

The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

if you are going to upgrade to 3.2 ahead of time

[congiman]

Its already out there in the source tree... and has been for a while (beginning of october).

You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src

You can then follow along here:

http://www.openbsd.org/faq/upgrade-minifaq.html

Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

-- C

Re:so is there a packet filter or not?

[jbolden]

OpenBSD truly IS among the most secure operating systems in the world.

I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:

- The existence of a filesystem
- Having any individual have much real authority over the system ....

Why pf sounds great

[capedgirardeau]

Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

This is why pf sounds like it will be very good (direct quotes from the article):

... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]