OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

Save you the effort...

[Fnkmaster]

Dear Slashdotters,

I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.

1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!

Re:Save you the effort...

what a stereotype!

not everyone has a basement, you know.

Re:so is there a packet filter or not?

[aridhol]

When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

oh GREAT

I had never before done any kernel programming, but I knew C

Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!

And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.

(hey it's a joke. but I'm still not giving up FreeBSD)

Re:OpenBSD is crap, heres why - vermillion

I usually don't feed the trolls, but...

OpenBSD is fucking hype. The only good thing about it is SSH.

Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.

Re:so is there a packet filter or not?

[a+(+h+3+r+0+n]

The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

if you are going to upgrade to 3.2 ahead of time

[congiman]

Its already out there in the source tree... and has been for a while (beginning of october).

You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src

You can then follow along here:

http://www.openbsd.org/faq/upgrade-minifaq.html

Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

-- C

Re:so is there a packet filter or not?

[jbolden]

OpenBSD truly IS among the most secure operating systems in the world.

I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:

- The existence of a filesystem
- Having any individual have much real authority over the system ....

OBSD Support !!!

[SuperDuG]

I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.

Why no easy installer?

[browser_war_pow]

What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.

Re:Why no easy installer?

[krmt]

Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certaintly willing to learn how to install the thing.

Re:Why no easy installer?

[Dog+and+Pony]

First off, anything is easy compared to installing Debian (typical that I *do* run it, anyways... sigh.) Well, slackware's worse.

And second, no marketing drone has ever, as long as humans has kept track, installed anything except the latest email worm. For all the other software, they grab whoever is close and not wearing a tie. Usually it is some guy that would rather shoot himself in the foot than use up the afternoon installing windows Me, but there you go.

Re:Why no easy installer?

[evilviper]

Personally, I find OpenBSD's installer to be simpler than ony other. Who needs a GUI?

Do you want to setup networking? [Y, n]
Do you expect to run XFree86? [Y, n]

What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING-there's no junk in the distro), or you can always go with the default, minimum, install.

That's why I like OpenBSD, it isn't a bunch of shinny things, it's just a very simple and elegant Operating System. Installer and all.

Re:Why no easy installer?

[RAMMS+EIN]

I don't wanna boast, be elitist, troll, whatever here, but I actually think the OpenBSD 3.1 installer is one of the best installers I've ever seen. Sure enough, it doesn't have a GUI, but it fits on one 1.44 MB diskette and uses little RAM.

The installation process is as simple as answering questions that are in plain English. The one thing that sucks about it is the disklabel part. I think it would be helpful to do some ad-hockery to come up with sensible defaults here. Nevertheless, help is available in clear English and a swap and root partition (and whatever more you deem necessary) are soon enough created.'

Now I am going to abuse the rest of this post for stating what other improvements (besides the disklabel editor already mentioned) I would like to see in OpenBSD. The default install ships with many services (fully or nearly completely) preconfigured but commented out. This is a Good Thing. However, although SMTP and POP3 are mostly set up this way, the same is not true for their secure (tunneled over SSL) versions. I think that OpenBSD, especially with its focus on security, should really offer this.

Another thing that would be good for OpenBSD to have is a secure distributed filesystem. This applies to other operating systems as well, and I know there are various options that work, each with serious drawbacks. Two options that I consider of special interest are Coda and SFTP. Coda is said to be in alpha stage (and has been, for a long time), but is reported to work quite nicely. SFTP is not technically a filesystem, but can be used as one by Linux with LUFS. I think a LUFS-equivalent for [Open]BSD would be a huge win.

Re:WARNING: SNAPSHOTS ARE NEWER THAN RELEASE

[congiman]

The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

But, I'll also grant you that that seems weird in that it usually changes more often.

If all else fails, wait 3 days and you can find it at:

ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
(THIS LINK WILL NOT WORK UNTIL FRIDAY)
(this is posted in PST, so Friday is still 3 days away).

Yeah the best way would be to grab 3.1
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

install it
and then src code upgrade

-- C

Why pf sounds great

[capedgirardeau]

Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

This is why pf sounds like it will be very good (direct quotes from the article):

... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

Re:pf? Mature?

[atrus]

If you actuaky read the interview, pf appeared in the 3.0 release. Which is about a year ago.

pF

[LeiraHoward]

Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....

Re:so is there a packet filter or not?

[Waffle+Iron]

That sounds really bloody useful ... I can't do anything with my computer; and even if I could there's nothing I could do it to.

I don't know about Z-OS, but I've read a little about EROS. EROS doesn't need a filesystem. That's because everything in EROS is persistent. The system saves a complete snapshot of its virtual memory to disk every couple of minutes. There is no "rebooting" of the OS. If you pull the plug, it comes back up exactly in the state of the last snapshot.

For me, it took a little while for that concept to sink in. They're saying that there's no need to redundantly keep information in permanent storage and volatile storage. Just make it all permanent, and you don't need the filesystem concept at all. In one step, you eliminate whole classes of bugs (parsing, file permissions, sharing files, filesystem namespace problems, etc.)

Their authority model also makes sense. Think of your system as a large building. Normal OSes treat security like doors with electronic badge readers; you're allowed to do things based on who you are. Naturally, a lot of doors must be programmed to let you through if you're going to get around the building to do your work. It's hard to ensure that each person is never able to get into a room that they shouldn't be in.

EROS is more like a building full of unique old-fashioned key locks. You have no automatic authority to go through any door. You must obtain the individual key for each door. You get these keys on an as-needed by the people in various rooms you interact with as you do your work. Each person with keys to hand out individually determines if you are worthy to go through the next door.

Reading up on EROS really expanded my view of how an OS could work. You can check it out at www.eros-os.org.

Daniel Hartmeier's resume

[Futurepower(R)]

The article is one of the best resumes I've ever seen.

Prospective employer: What have you done?
Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
Employer: (Silence while recovering from amazement.) What pay do you expect?


I hit a key accidentally, and Mozilla posted my comment above.

The most secure OS

[octogen]

And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

This definition depends on what you call "secure".

Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.

I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.

To achieve this level of security, it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.

What means "secure"?
"[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
- SE Linux FAQ, NSA

-----

There are mainly two types of secure Operating Systems.
a) Everything up to the C2 level of security
b) Everything from B1 up to A1 (never ever reached by any OS)

The difference is information labeling.
You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".

Most people don't need information labeling/mandatory access control, because all their data has the same level of sensivity.

TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensivity.

-----

Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:

OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.

VMS has an audit trail, access control lists, and a privilege model.

AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).

VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?

An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.

Now let's look at Trusted OSs:

SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.

Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).

Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.

Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.

-----

What I'd like to say is .. 2 things:

1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but it's security mechanisms are simply not powerful enough. A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
HERE is TCSEC B3 certified Unix (Linux-compatible, too).

regards,
octogen