OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

Save you the effort...

[Fnkmaster]

Dear Slashdotters,

I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.

1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!

Re:Save you the effort...

what a stereotype!

not everyone has a basement, you know.

Re:so is there a packet filter or not?

[aridhol]

When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

Re:OpenBSD is crap, heres why - vermillion

I usually don't feed the trolls, but...

OpenBSD is fucking hype. The only good thing about it is SSH.

Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.

Re:so is there a packet filter or not?

[a+(+h+3+r+0+n]

The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

if you are going to upgrade to 3.2 ahead of time

[congiman]

Its already out there in the source tree... and has been for a while (beginning of october).

You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src

You can then follow along here:

http://www.openbsd.org/faq/upgrade-minifaq.html

Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

-- C

Re:so is there a packet filter or not?

[jbolden]

OpenBSD truly IS among the most secure operating systems in the world.

I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:

- The existence of a filesystem
- Having any individual have much real authority over the system ....

Why no easy installer?

[browser_war_pow]

What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.

Re:Why no easy installer?

[krmt]

Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certaintly willing to learn how to install the thing.

Re:Why no easy installer?

[Dog+and+Pony]

First off, anything is easy compared to installing Debian (typical that I *do* run it, anyways... sigh.) Well, slackware's worse.

And second, no marketing drone has ever, as long as humans has kept track, installed anything except the latest email worm. For all the other software, they grab whoever is close and not wearing a tie. Usually it is some guy that would rather shoot himself in the foot than use up the afternoon installing windows Me, but there you go.

Re:Why no easy installer?

[evilviper]

Personally, I find OpenBSD's installer to be simpler than ony other. Who needs a GUI?

Do you want to setup networking? [Y, n]
Do you expect to run XFree86? [Y, n]

What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING-there's no junk in the distro), or you can always go with the default, minimum, install.

That's why I like OpenBSD, it isn't a bunch of shinny things, it's just a very simple and elegant Operating System. Installer and all.

Why pf sounds great

[capedgirardeau]

Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

This is why pf sounds like it will be very good (direct quotes from the article):

... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

Re:so is there a packet filter or not?

[Waffle+Iron]

That sounds really bloody useful ... I can't do anything with my computer; and even if I could there's nothing I could do it to.

I don't know about Z-OS, but I've read a little about EROS. EROS doesn't need a filesystem. That's because everything in EROS is persistent. The system saves a complete snapshot of its virtual memory to disk every couple of minutes. There is no "rebooting" of the OS. If you pull the plug, it comes back up exactly in the state of the last snapshot.

For me, it took a little while for that concept to sink in. They're saying that there's no need to redundantly keep information in permanent storage and volatile storage. Just make it all permanent, and you don't need the filesystem concept at all. In one step, you eliminate whole classes of bugs (parsing, file permissions, sharing files, filesystem namespace problems, etc.)

Their authority model also makes sense. Think of your system as a large building. Normal OSes treat security like doors with electronic badge readers; you're allowed to do things based on who you are. Naturally, a lot of doors must be programmed to let you through if you're going to get around the building to do your work. It's hard to ensure that each person is never able to get into a room that they shouldn't be in.

EROS is more like a building full of unique old-fashioned key locks. You have no automatic authority to go through any door. You must obtain the individual key for each door. You get these keys on an as-needed by the people in various rooms you interact with as you do your work. Each person with keys to hand out individually determines if you are worthy to go through the next door.

Reading up on EROS really expanded my view of how an OS could work. You can check it out at www.eros-os.org.