OpenBSD 3.3 Released
An anonymous reader writes "OpenBSD 3.3 was released today, with many new features, including integration of the ProPolice stack protection technology, W^X ('write xor X') on sparc, alpha and hppa, privilege separated XFree86 and an incredible number of enhancements and stability improvements to the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting. Information on the release can be found here and download sites are listed here. (Also, here's a handy way to speed up your DSL connection - prioritizing empty TCP ACKs and ToS low-delay traffic with OpenBSD 3.3's pf.)"
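The ACK-prioritisation trick the summary links to is a pf/ALTQ configuration. The fragment below is an added illustration written for this page, not the article's linked example or OpenBSD project code; it assumes a DSL uplink of roughly 128Kb and an external interface named `ext_if` (the `tun0` value is a placeholder you would replace with your own interface).

```pf
# Added example (not from the article or the OpenBSD project): give empty
# TCP ACKs and ToS "lowdelay" packets priority on an ADSL uplink using the
# ALTQ priq scheduler that OpenBSD 3.3 integrated into pf.
# Assumption: the uplink is about 128Kb, so the queue is capped a little
# below that to keep the queue on this box rather than in the modem.
ext_if = "tun0"          # assumed DSL/PPPoE interface name; adjust to yours

# Two priority queues on the uplink: q_pri for ACKs/lowdelay, q_def default.
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# When a rule names two queues, pf puts TCP ACKs that carry no payload and
# packets with the ToS lowdelay bit set into the second queue (q_pri);
# all other matching packets go to the first queue (q_def).
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state \
    queue (q_def, q_pri)
pass in  on $ext_if proto tcp from any to $ext_if flags S/SA keep state \
    queue (q_def, q_pri)
```

Load it with `pfctl -f /etc/pf.conf` and check that packets are landing in the right queue with `pfctl -s queue` while an upload is running; if the bandwidth figure is set above what the line actually carries, the modem's buffer fills up first and the prioritisation has no effect.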
I've been using FreeBSD on my servers as of fairly recently and so far I love it. As a result, my interest in BSD in general has grown. I was looking just today at OpenBSD and NetBSD features. OpenBSD looks fantastic and I was about to give it a whirl when I realized they don't support SMP. Now this wouldn't be an overly huge issue if it were primarily a desktop OS. I applaud all the work that has obviously gone into this project. But I will be overjoyed the day I see SMP added to the new feature list. This is NOT a troll. I think the way it stands is extremely impressive. I just want to express my sincere desire to see SMP support. =)
As opposed to most GNU/Linux distros, OpenBSD is "insanely" geared towards closing all and any security holes in the default install, and is fanatical about exploits. The only distro that comes even close to OpenBSD's quality checks is Debian stable. (And honestly, they share the same "problem": stable but outdated desktop software with stable, rock solid server apps.)
Honestly, OpenBSD and most GNU/Linux distros are going after different audiences: most GNU/Linux distros I see are reaching for the workstation, while OpenBSD (and, honestly, all the BSDs) are geared with the server in mind first, with the desktop being a latecomer or complete afterthought.
If someone's using GNU/Linux as a desktop, they wouldn't be interested, but for someone running a server they want to secure as best as possible, OpenBSD is really a great option.
...but to stay on topic, it sounds good, I will wait a week before even attempting to download it and throw it on a spare partition on my server. Quick question, is this ProPolice by Hiroaki Etoh which is integrated into OpenBSD's 'system compiler' the same as the stack protector patch for GCC developed by Hiroaki Etoh at IBM, as previously mentioned on /. concerning the new Trusted Debian 1.0 release, just without the fancy 'ProPolice' name?
It's kinda bizarre to pick one's software based on the hardware you happen to have to run it on. My OpenBSD Postfix mail server runs fine on an older Celeron workstation, and the good feeling of trust and security is worth not even having a keyboard and mouse normally connected. I last plugged them in to reboot after a power failure, then moved them over to the Win2K box for its regular maintenance reboots. Rarely ever have to move them back, as all OpenBSD maintenance is done from my office.
;))
That is to say, having a near uncrackable box is well worth giving up the peripheral style du jour, to me.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
OpenBSD, while a capable desktop, isn't primarily intended as such. Its strengths are in the realm of the firewall, the gateway, the command-line leftover Pentium 200 that makes a nice mailserver. Its focus is security, and security demands a 'disabled by default' approach.
There isn't much there to begin with when compared to FreeBSD or Linux because of this philosophy. While it's not exactly politically correct to say so within the OBSD community, it's sort of an accepted truism that 'less is more', and you're better served by one of the former two OSes if you're after ease of use and a desktop OS. GUIs and user friendliness = reams of unaudited code = lots of bugs. That said, the GOBIE project IS looking to overhaul the OpenBSD setup process, at least, so hopefully things will be easier for everybody in the future.
Personally, I came to OpenBSD three years ago after having used RedHat for only six months and having gotten my box owned *HARD*. While it took a bit to figure everything out for a relative *nix newb, I can vouch that the payoff is worth it if you're willing to invest the time into making sure you never get owned again (not that there are any 100% guarantees with any software).
--Ryv
FreeBSD 5.0 seems superior to Linux in the role of webserver when it comes to scaling, and Linux to all other open source OSes (but in overall ranking I'd still put Win2k Pro over it, sadly) for desktop.
:)
While OpenBSD is certainly the leader in the security and frontline realm, the guys at FreeBSD really have a slew of interesting ideas as far as what directions they want to go in.
Can't wait to see what the OpenBSD 3.4 release looks like, though. That's supposed to be an even bigger release than 3.3; here's hoping the DARPA-snuffing didn't can that. In any case, looks like I'll be busy upgrading the firewalls tonight.
--Ryv
I don't think it's a matter of what's easier, but what fits your need, and what you're used to. I prefer OpenBSD to any other OS. Configuration is a snap, easier for me than any other OS.
Between /etc/rc.conf and pkg_add, IMO it can't get any easier. I get lost in the myriad of configuration files present in current Linux distributions.
Also, the source where you will get information on OpenBSD (for example, setting up X) is VERY different from what you'd expect for Linux.
Namely, OpenBSD has EXCELLENT manual pages. Also, the online documentation is very helpful for new users, as it clearly explains the basics of the system, and where to start if you're unfamiliar with it.
Once you get used to it, OpenBSD is not at all difficult to install. I use it entirely for network security (five machines), so I've never bothered to install X.
The man pages are excellent. The only place I've been bit is that the dhclient man page doesn't mention that it runs a script in /sbin/dhclient (which is not an obvious place to look) and that this script clobbers resolv.conf. That was a bugger to sort out back in the 2.6 days when I didn't know what I know now about DNS and resolvers.
Since the 3.2 release of OpenBSD we have been making heavy use of chroot Apache as a forwarding web proxy to hide the real server machines from the public internet. This way all of our SSL connections terminate at an OpenBSD box. If OpenSSL requires a security patch, we only have one OS to update. And the security is great even if we don't patch, because only the chroot Apache on OpenBSD is exposed.
It seems like every version adds another great feature. In this release we are anxious to experiment with the failover NAT in PF.
I generally don't praise OpenBSD in public. I figure if you need it, you know it already.
Damn, that business with the prioritizing ACKs sounds fantastic! I have the same setup as in their example (ADSL 512Kb down/128Kb up) and always have to put upload limits on filesharing programs so they only upload at maybe 11KB or 12KB per second, 'cos if I let them hit their full 16-ish KB/sec, the downloads choke and die.
I might have to salvage some crappy old box from work and see if I can't set it up as an OpenBSD gateway...
Last time I wrote this type of code was on Data General's AOS/VS (which pretty much dates it), and DG didn't approve of that kind of thing at all. It didn't stop my program from working, though.
Plus it mentions RH 6.2, I doubt anyone is running a website on that anymore (shudder).
HAH! I know of *many* sites that use RH 6.2 boxes for serving, and even some that use RH 5.x distros as well. Just because RH no longer rolls their own fixes doesn't mean that the distros have dried up. Many sysadmins would rather manually update the software on their servers than go through the trouble of migrating to yet another distro.
There are also those that use a heavily locked down ancient distro for serving. Apache is kept current and everything else is closed. This is even easier to do in an environment where each task has its own server. If it ain't broke, don't fix it.
I'll tell you what, there is no way in hell that I would ever use RH 8 or 9 for a server. Even a bare bones install has way too much BS. For my needs, Debian does my Linux needs quite well. As do IRIX and Solaris. RH is great for the desktop, but nutty crazy for server use.
I agree, and I'm not being funny here. Why the hell won't the XFree86 team bring back the old XF86Setup program? That thing is infinitely better than xf86cfg. I won't touch xf86cfg with a 10 foot bargepole.
Marxism is the opiate of dumbasses
Um, you don't *have* to upgrade just because a new version came out, you know, either for security or functionality reasons. OpenBSD 6-month iterations are not "major revisions" typically.
I'm still running OpenBSD 2.7 on my production machines, having made a few critical security patches over the last 2-3 year timeframe.