Slashdot Mirror


OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contender in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

11 of 292 comments

  1. Re:OpenBSD is crap, here's why - vermillion by Anonymous Coward · · Score: 5, Insightful

    I usually don't feed the trolls, but...

    OpenBSD is fucking hype. The only good thing about it is SSH.

    Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.

  2. OBSD Support !!! by SuperDuG · · Score: 4, Insightful

    I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:OBSD Support !!! by Anonymous Coward · · Score: 1, Insightful

      I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network.

      Not necessarily a perfect solution for any network. I still think the most secure systems are ASIC solutions with specific firmware. OS is an overhead and Achilles heel in terms of firewall protection.

      --
      darkskies

    2. Re:OBSD Support !!! by Churchill · · Score: 2, Insightful

      All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect.

      You're right! Managing hundreds of OpenBSD firewalls in dozens of locations, all the while maintaining a cohesive security policy is a BREEZE with the excellent OpenBSD pf management software! Er, no. What kind of serious networks are you working on, anyway?

      --
      What a life a mess can be.
  3. Re:Why no easy installer? by krmt · · Score: 5, Insightful

    Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

    That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certainly willing to learn how to install the thing.

    --

    "I may not have morals, but I have standards."

  4. Re:OpenBSD's Security is Overrated by a+(+h+3+r+0+n · · Score: 3, Insightful
    The BSD community should take a hint and start gearing toward usability rather than "superior" security.

    If usability is what you're looking for, try FreeBSD instead. One of OpenBSD's goals is to be Secure by Default. Whereas other BSD variants and most Linux distros take an approach of 'turn everything on and let the admin turn off what he doesn't need', OpenBSD takes the opposite approach. In my experience as an admin, there's no difference in effort between locking down, say, a Redhat install, or enabling what I need after install on OpenBSD. The difference is, the more clueless among us will be more protected by the default install of OpenBSD than by Redhat.

  5. answer: because they don't want THOSE users by honold · · Score: 2, Insightful

    the project is not commercial, and has no dreams of having millions of users. it only seeks to do what it does well - which it has for some time.

    most of the users and all of the developers would probably scoff at the idea of upgrading the installer because development resources aren't cheap, and they feel the time would be better spent elsewhere since the installer does work just fine.

    the 'rustic' install (complete with MANUAL PARTITIONING!!!) serves as a barrier to entry, keeping the mailing lists more clean of 'how do i mount a floppy?' questions.

  6. Re:Poppycock! by Anonymous Coward · · Score: 1, Insightful

    because it makes more sense. month, then day. increasing specificity.

    but then they go fuck it up and put the year at the end.

    it should be: year, month, day

    that's what the Goddess intended. praise the Goddess for her wisdom.

  7. Re:Why no easy installer? by evilviper · · Score: 5, Insightful

    Personally, I find OpenBSD's installer to be simpler than any other. Who needs a GUI?

    Do you want to setup networking? [Y, n]
    Do you expect to run XFree86? [Y, n]


    What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

    The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

    The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING - there's no junk in the distro), or you can always go with the default, minimum, install.

    That's why I like OpenBSD, it isn't a bunch of shiny things, it's just a very simple and elegant Operating System. Installer and all.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  8. easy? by rsax · · Score: 3, Insightful

    What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.

  9. Re:Why no easy installer? by RAMMS+EIN · · Score: 4, Insightful

    I don't wanna boast, be elitist, troll, whatever here, but I actually think the OpenBSD 3.1 installer is one of the best installers I've ever seen. Sure enough, it doesn't have a GUI, but it fits on one 1.44 MB diskette and uses little RAM.

    The installation process is as simple as answering questions that are in plain English. The one thing that sucks about it is the disklabel part. I think it would be helpful to do some ad-hockery to come up with sensible defaults here. Nevertheless, help is available in clear English and a swap and root partition (and whatever more you deem necessary) are soon enough created.

    Now I am going to abuse the rest of this post for stating what other improvements (besides the disklabel editor already mentioned) I would like to see in OpenBSD. The default install ships with many services (fully or nearly completely) preconfigured but commented out. This is a Good Thing. However, although SMTP and POP3 are mostly set up this way, the same is not true for their secure (tunneled over SSL) versions. I think that OpenBSD, especially with its focus on security, should really offer this.

    Another thing that would be good for OpenBSD to have is a secure distributed filesystem. This applies to other operating systems as well, and I know there are various options that work, each with serious drawbacks. Two options that I consider of special interest are Coda and SFTP. Coda is said to be in alpha stage (and has been, for a long time), but is reported to work quite nicely. SFTP is not technically a filesystem, but can be used as one by Linux with LUFS. I think a LUFS-equivalent for [Open]BSD would be a huge win.

    --
    Please correct me if I got my facts wrong.