Slashdot Mirror
OpenBSD 3.2 Readies For Release, pf Matures
An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."
Codswallop, January 11th is a Saturday!
If you open yourself to the foo, You and foo become one.
Dear Slashdotters,
I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.
1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!
When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I had never before done any kernel programming, but I knew C
Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!
And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.
(hey it's a joke. but I'm still not giving up FreeBSD)
I usually don't feed the trolls, but...
OpenBSD is fucking hype. The only good thing about it is SSH.
Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.
so basically, you're saying: OpenBSD is the most secure OS out there, as long as you don't install it on a computer?
The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.
Its already out there in the source tree... and has been for a while (beginning of october).
.tgzs from:i 386
/usr
You can grab the main
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/
I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.
If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)
set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd
cvs -q get -rOPENBSD_3_2 -P src
You can then follow along here:
http://www.openbsd.org/faq/upgrade-minifaq.html
Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..
(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)
-- C
OpenBSD truly IS among the most secure operating systems in the world.
....
I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:
- The existence of a filesystem
- Having any individual have much real authority over the system
I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.
Ignore the "p2p is theft" trolls, they're just uninformed
What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.
The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....
But, I'll also grant you that that seems weird in that it usually changes more often.
If all else fails, wait 3 days and you can find it at:
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
(THIS LINK WILL NOT WORK UNTIL FRIDAY)
(this is posted in PST, so Friday is still 3 days away).
Yeah the best way would be to grab 3.1
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1
install it
and then src code upgrade
-- C
Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.
He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.
This is why pf sounds like it will be very good (direct quotes from the article):
Wax on, wax off baby!
A lot of very high end stuff runs on systems with distributed administration (like most of America's transaction processing, accounting, etc...) Back in the late 70's - early 80's capability systems were a huge percentage of the market.
You don't need a file system to have data -- for an example you are likely familiar with think of palm OS. Data is just stored in internal program specific data structures and "swapped" out of ram to disk. The important thing is that the disk is just a bunch of sectors with a zillion different data formats; but to understand the organization of the date requires running the system which imposes the security model...
If usability is what you're looking for, try FreeBSD instead. One of OpenBSD's goals is to be Secure by Default. Whereas other BSD variants and most Linux distros take an approach of 'turn everything on and let the admin turn off what he doesn't need', OpenBSD takes the opposite approach. In my experience as an admin, theres no difference in effort between locking down, say, a Redhat install, or enabling what I need after install on OpenBSD. The difference is, the more clueless among us will be more protected by the default install of OpenBSD than by Redhat.
If you actuaky read the interview, pf appeared in the 3.0 release. Which is about a year ago.
Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....
I don't know about Z-OS, but I've read a little about EROS. EROS doesn't need a filesystem. That's because everything in EROS is persistent. The system saves a complete snapshot of its virtual memory to disk every couple of minutes. There is no "rebooting" of the OS. If you pull the plug, it comes back up exactly in the state of the last snapshot.
For me, it took a little while for that concept to sink in. They're saying that there's no need to redundantly keep information in permanent storage and volatile storage. Just make it all permanent, and you don't need the filesystem concept at all. In one step, you eliminate whole classes of bugs (parsing, file permissions, sharing files, filesystem namespace problems, etc.)
Their authority model also makes sense. Think of your system as a large building. Normal OSes treat security like doors with electronic badge readers; you're allowed to do things based on who you are. Naturally, a lot of doors must be programmed to let you through if you're going to get around the building to do your work. It's hard to ensure that each person is never able to get into a room that they shouldn't be in.
EROS is more like a building full of unique old-fashioned key locks. You have no automatic authority to go through any door. You must obtain the individual key for each door. You get these keys on an as-needed by the people in various rooms you interact with as you do your work. Each person with keys to hand out individually determines if you are worthy to go through the next door.
Reading up on EROS really expanded my view of how an OS could work. You can check it out at www.eros-os.org.
Yes, VMS had bugs, but they were all very well-documented. Consult manuals B-127J0 through B-141J7 for more information.
The article is one of the best resumes I've ever seen.
Prospective employer: What have you done?
Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
Employer: (Silence while recovering from amazement.) What pay do you expect?
I hit a key accidentally, and Mozilla posted my comment above.
You are missing all the bugs that might be in the code still running as uid 0. Your daemons, the kernel, all of them are vulnerable. I haven't seen many exploits that actually get root by doing "su" to it, so "disabling" that account will not achieve more than, for example, a good password.
A "secure" OS in this context means an OS with well-known "clean", stable code that has been reviewed for flaws etc etc. There isn't much you can do from an administration point of view if the services/daemons you have to use are flawed.
I think sprinkling setuids around is not a great idea at all. Especially custom-written ones. Beautiful things can happen accidentally linking against the wrong library in a chrooted dir :)
Chroot is *not* 100% secure. It is not a sandbox. You can still access ports, memory and processes and kernel functions, you can talk to daemons, starve the system of resources or convince the parent process to do things it will regret.
Plus if you chroot users you'd still have to give them most of the OS somewhere unless they login to not do any work, and that will soon get boring when you'll have to upgrade all of it.
A truly secure machine requires hardware support. A better CPU design. If the 8086 did not mix stack with code and data we would not have had so many problems today.
What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.
Go to your slashdot preferences, the homepage tab, and on the lower part of the page is "Customize Slashboxes". Enable some of the bsd sites to see their headlines while reading slashdot.
Like Shanep said, OpenBSD Journal (at deadly.org) is a good one.
Got brain?
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.
.. 2 things:
This definition depends on what you call "secure".
Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.
I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.
To achieve this level of security, it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.
What means "secure"?
"[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
- SE Linux FAQ, NSA
-----
There are mainly two types of secure Operating Systems.
a) Everything up to the C2 level of security
b) Everything from B1 up to A1 (never ever reached by any OS)
The difference is information labeling.
You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".
Most people don't need information labeling/mandatory access control, because all their data has the same level of sensivity.
TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensivity.
-----
Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:
OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.
VMS has an audit trail, access control lists, and a privilege model.
AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).
VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?
An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.
Now let's look at Trusted OSs:
SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.
Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).
Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.
Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.
-----
What I'd like to say is
1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but it's security mechanisms are simply not powerful enough. A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...
2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
HERE is TCSEC B3 certified Unix (Linux-compatible, too).
regards,
octogen
Other way around. The whole point of any GNU/*anything* port, Debian or not, is to get the entire GNU toolchain running on said kernel.
The debian part would obviously be porting as much stuff as possible to run on said GNU/*anything*.
So GNU/OpenBSD would run pf but not iptables. See?
This is the one point where the GNU/*OS* thing makes sense. Though I think GNU Debian *OS*/*arch* would be better, as in GNU Debian Linux/i386 or GNU Debian OpenBSD/i386.