Slashdot Mirror


Absolute OpenBSD

DrCarbonite (Jeff Martin) writes "I've used OpenBSD in the past, and benefitted from its extensive online documentation. Sometimes an off-line reference is useful (i.e. required), and Absolute OpenBSD fills this void." Read on for the rest of Martin's review, as well as a more critical one from Marius Aamodt Eriksen.

Absolute OpenBSD: UNIX for the Practical Paranoid
Author: Michael W. Lucas
Pages: 489
Publisher: No Starch Press
Rating: 8
Reviewer: Jeff Martin, Marius Aamodt Eriksen
ISBN: 1886411999
Summary: Well-written guide to administering OpenBSD for the intermediate to advanced user.

OpenBSD is not your average open source operating system, and consequently it does not have an average user community supporting it on the Internet. Absolute OpenBSD (AOB), by Michael W. Lucas, bills itself as "the definitive guide to OpenBSD." In addition to detailing the operating system (OS), Lucas does a wonderful job of illustrating and preparing new users for the different community surrounding OpenBSD.

A book like AOB is going to introduce many new users to OpenBSD, and it would be a disservice both to the existing community and the newcomers to not explain OpenBSD's culture. Thus, the first two chapters discuss the OpenBSD philosophy and also show the user how to become self-supporting when it is time to solve problems rather than flooding the mailing lists with easily answerable questions.

Critics may feel OpenBSD's rugged individualism is an indictment of its usability, but then they may be better served by a different OS.

The next few chapters focus on the installation of OpenBSD. AOB covers both dedicated and multi-boot installations. Most serious users will likely choose the dedicated installation; however, Lucas points out that this may not be an option for someone looking to sample OpenBSD, or for those users who wish to share a common data partition. Both types are covered, allowing the reader to decide which is most appropriate. Important installation caveats are also mentioned, such as OpenBSD's requirement that its root partition must be completely contained within the first 8 gigabytes of the hard drive. Although OpenBSD supports several different hardware platforms, when specifics are required Lucas focuses on the i386 platform. Lucas does a good job explaining the concepts, so users of non-Intel hardware should have minimal difficulty installing on their particular hardware.

Following the installation discussion, Chapter 6 covers OpenBSD's booting process and its /etc/rc scripts. Lucas' explanations go beyond simply itemizing these different aspects, choosing instead to provide the reader with the reasons a certain option may be needed. Expert users will already know when they wish to boot in single-user mode, but others will appreciate the discussion on how to boot alternate kernels, run fsck, and boot from alternate hard disks.

OpenBSD is promoted as a secure OS, and AOB is diligent in covering this aspect. File flags and securelevels are introduced and discussed. Lucas does a good job explaining what they do and what acceptable scenarios would be for their application. OpenBSD's systrace utility is explained in detail. Writing systrace policies, generating them using the policy-generation tool, and obtaining predefined policies from the Internet are described in depth.

OpenBSD administrative information receives attention as well. Chapters 11 and 12 cover configuring and building custom kernels. The treatment in Chapter 13 of compiling ports and installing packages is very helpful -- and in fact necessary for those looking to install essential utilities such as fortune.

OpenBSD's ports system was originally adapted from that in FreeBSD, and users of that OS may see some similarities. Users from a different background will appreciate the primer.

Three chapters of AOB are devoted to OpenBSD's in-kernel packet filter, pf. This is arguably one of OpenBSD's best features, and Lucas suitably spends a lot of time discussing it. Chapter 17 covers basic pf usage, such as explaining pf's configuration file, tables, and macros. In addition, Lucas takes a timeout to also explain pf's suitability for particular tasks. Chapter 18 describes advanced applications of pf, including network address translation, load balancing, and bandwidth management. Chapter 19 concludes with managing live pf execution. Correctly managing a live firewall on-the-fly is important for sites requiring high uptime, and Lucas does well in explaining the various methods available for logging, viewing statistics, and rule management. Wrapping up, AOB also describes how to configure authenticated pf access by authorized users. "pf" has a lot of power, and spreading the material over 3 chapters worked well in presenting the reader with information at a manageable rate.

One of the strengths of an OS-specific book such as AOB is that the material covered benefits from a more focused approach. If it doesn't apply to OpenBSD, it doesn't need to be covered. Lucas has an experienced background in system administration, and this experience shines through well in the material. His remarks about the dangers of a system with open access via RPC seem especially prophetic in light of current events -- and not mindless ranting.

Overall, AOB is a well-written book that hits its market squarely on target. Those new to OpenBSD will appreciate the comprehensive approach that takes them from concept to functional execution. Existing and advanced users will benefit from the discussion of OpenBSD-specific topics such as the security features and pf administration. Lucas does well in his attempt to increase the number of those who would be practical paranoids.

Marius's turn: Reviewer Marius Aamodt Eriksen also liked some aspects of Absolute OpenBSD, but found more faults in it; his critique may help you decide whether this book is for you (and he disagrees about the match between the book and its audience). He writes:

The book covers a very broad area, but it lacks depth in some parts. Perhaps my biggest problem with Absolute OpenBSD is that it should have focused more on the features that make OpenBSD unique: its security features. For example, it does not cover IPsec. Many of the various security features of OpenBSD are mentioned, but few are covered in much detail.

Michael Lucas' writing style is quite relaxed and informal. However, this often gets in the way of content. The numerous rants about how Windows security sucks simply get irritating. It is distracting from the focus of the book and simply unnecessary. Also, the tangents on TCP/IP and various other underlying technologies likewise deviate from the focus of the book. Lucas also does not hesitate to express personal opinions and views on a range of subjects. Though I typically have no problems with authors expressing their views, Lucas' tend to be unfounded and not well argued; they too are simply distracting. At times, it almost felt like Lucas was trying to put down less experienced people, teaching them lessons they "should know." I cannot imagine that this is what the typical audience of the book are looking for.

Absolute OpenBSD makes little effort to cover the various architectures that are supported by OpenBSD. The install section only covers i386; though probably not an issue for most users, it would be nice to have a more complete reference.

Otherwise, I would consider the contents of the book to be quite complete, and most definitely sufficient to provide a good introduction to OpenBSD and many of its neat features. An entire chapter is devoted to how to find more help, covering the various documentation, man pages and mailing lists. This is an excellent idea, and makes up for most of the (content) shortcomings of the book.

The PF (Packet Filter) section was very good; it covered a very broad set of features that PF provides, while carrying sufficient technical detail. The examples were very illustrative and appropriate for the text.

I spotted a few technical errors while reading the book. The editing also seems a bit rushed: in addition to the technical errors, there are a number of typos. Unfortunately, there isn't an errata section on the book's website; I strongly recommend Lucas and his publisher make one available.

My biggest problem with Absolute OpenBSD is that it is not true to its audience. I imagine that the audience is one which would like to know how to do something in OpenBSD without being told how "real system administrators" do it, or how much Microsoft sucks. My recommendation to Lucas would be to write Absolute System Administration and leave it out of Absolute OpenBSD. I do not mean to sound harsh, merely critical. The book has very many good sides, and by many counts is an excellent reference for people looking to migrate to OpenBSD. I would not have any problems recommending it to anyone who wanted to migrate to OpenBSD or see what it's about -- just be wary of the distractions.

You can purchase Absolute OpenBSD from bn.com.

7 of 232 comments

  1. Re:Why not online? by cK-Gunslinger · Score: 4, Insightful

    Online documentation is usually of little help if you are setting up a new system from scratch. Also useless if you are trying to figure out how to connect to the 'net. And since you've written half the book already, why not just finish it?

    Also, sometimes it's just easier to use off-line references (books, mags, etc.). I'm sure just about every bit of information in my collection of OO and C++ books is available in some form online, but does that mean I should get rid of them? Of course not.

    Oh, and in case IHBT, oh well :)

  2. Re:$12 CHEAPER at Amazon!!! by Anonymous Coward · Score: 1, Insightful

    Have you forgotten that the slashdot/opensource crowds were boycotting amazon cuz of their stupid patents? It's so funny how geeks forget to stand up to the good cause for a simple discount. That's why the RIAA and MPAA will win, because we are all noise and no action. ._segmond

  3. Re:Why can't it be more like Linux? by pmz · Score: 2, Insightful

    I've often wanted to set up a firewall using OpenBSD because it is secure out of box but every time I go and install it, I get frustrated because it is so different from Linux.

    Where is the kernel's .config file, where are all the info pages, where is emacs, where are the rc.? directories and so on?


    OpenBSD has got to be the simplest OS to configure for network infrastructure among all the OSes I've worked with (Windows, Solaris, Linux, OpenBSD). Firewall? NAT? In OpenBSD, what is that, three configuration files, including /etc/rc.conf, and a couple or three man pages?

    Also, OpenBSD's manual pages are second to none.
    Between the manual pages, the FAQ, and the on-line mailing list archives, almost always is there enough information either for a direct solution or an inferred one. And, usually the inferred solutions are only required for unusual configurations that the user got themselves into (e.g., trying to shoehorn yet another OS onto a Sun workstation multi-boot config).

    I think the best description of the BSD-derived systems out there is that their users tried the other systems first, and, then, choose BSD. The *BSDs are the Apple of the UNIX realm.

  4. Unique? by AilleCat · Score: 1, Insightful

    There are very few things that make OpenBSD unique from other BSD OS's... security features like "IPSEC" are available in FreeBSD, NetBSD, and others as well. That certainly is not unique to OpenBSD. Cryptography is just as much a focus in FreeBSD development as it is for OpenBSD.

    I don't feel that OpenBSD's status for being the "most secure OS" is anything but general FUD, and I have news for you all, before you call me bigoted towards FreeBSD.... I rely on OpenBSD for fully half of what I do. I have several internet connected OpenBSD boxes. An OS is only as secure as the person adminning it is clueful.

    --
    FreeBSD The Power to Serve

  5. Re:Why not Amazon, or others? by pivo · Score: 2, Insightful

    Why not if you can afford to splash extra $10 on a book just to make an ideological point.

    Some people give their lives for "ideological points", $10 seems pretty cheap by comparison.

    On the other side of the coin, what kind of person are you if you give up what you believe in for $10?

  6. Re:The OpenBSD Attitude by Schubert · Score: 2, Insightful

    The (hostile) "vocal" users of the community do not represent the silent majority. They are VASTLY outnumbered by the nice guys and usually they back themselves up into a corner eventually and either finally shut up or leave the community altogether.

    To find friendly help you have to look in the right places. IRC channels are hardly that right place. The mailing lists are fine provided you respect the guidelines of the lists (e.g. don't post to the wrong list, don't crosspost...) and you should at least make a modest effort to find if your question has been answered via either google or the mailing list archives. If you can't at least spend a few minutes of your precious time doing that, how can you expect some complete stranger (who you are not paying) to be nice and cheery when he points you in the right direction?

    --
    -- schubert

  7. Re:Why can't it be more like Linux? by cscx · Score: 2, Insightful

    Phew it's about time someone said that. ipchains/iptables is ridiculously hairy and overly complicated to set up. Compare that to pf, which in contrast is more secure, easier to set up, and uses plain English, easy-to-understand syntax in pf.conf.