Slashdot Mirror


OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contender in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

5 of 292 comments

  1. Re:OpenBSD is crap, heres why - vermillion by Anonymous Coward · · Score: 5, Insightful

    I usually don't feed the trolls, but...

    OpenBSD is fucking hype. The only good thing about it is SSH.

    Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.

  2. OBSD Support !!! by SuperDuG · · Score: 4, Insightful

    I think the one thing that everyone absolutely always neglects to realize is that OpenBSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use OpenBSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want? OpenBSD is made for security and it does its job wonderfully.

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  3. Re:Why no easy installer? by krmt · · Score: 5, Insightful

    Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

    That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certainly willing to learn how to install the thing.

    --

    "I may not have morals, but I have standards."

  4. Re:Why no easy installer? by evilviper · · Score: 5, Insightful

    Personally, I find OpenBSD's installer to be simpler than any other. Who needs a GUI?

    Do you want to setup networking? [Y, n]
    Do you expect to run XFree86? [Y, n]


    What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

    The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

    The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING-there's no junk in the distro), or you can always go with the default, minimum, install.

    That's why I like OpenBSD, it isn't a bunch of shiny things, it's just a very simple and elegant Operating System. Installer and all.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  5. Re:Why no easy installer? by RAMMS+EIN · · Score: 4, Insightful

    I don't wanna boast, be elitist, troll, whatever here, but I actually think the OpenBSD 3.1 installer is one of the best installers I've ever seen. Sure enough, it doesn't have a GUI, but it fits on one 1.44 MB diskette and uses little RAM.

    The installation process is as simple as answering questions that are in plain English. The one thing that sucks about it is the disklabel part. I think it would be helpful to do some ad-hockery to come up with sensible defaults here. Nevertheless, help is available in clear English and a swap and root partition (and whatever more you deem necessary) are soon enough created.

    Now I am going to abuse the rest of this post for stating what other improvements (besides the disklabel editor already mentioned) I would like to see in OpenBSD. The default install ships with many services (fully or nearly completely) preconfigured but commented out. This is a Good Thing. However, although SMTP and POP3 are mostly set up this way, the same is not true for their secure (tunneled over SSL) versions. I think that OpenBSD, especially with its focus on security, should really offer this.

    Another thing that would be good for OpenBSD to have is a secure distributed filesystem. This applies to other operating systems as well, and I know there are various options that work, each with serious drawbacks. Two options that I consider of special interest are Coda and SFTP. Coda is said to be in alpha stage (and has been, for a long time), but is reported to work quite nicely. SFTP is not technically a filesystem, but can be used as one by Linux with LUFS. I think a LUFS-equivalent for [Open]BSD would be a huge win.

    --
    Please correct me if I got my facts wrong.