OpenBSD 3.5 Released

pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the cds, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"

Excellent

[mastergoon]

I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers. I can't wait for SMP support to be working.

Re:Excellent

[Homology]

what about www.grsecurity.net [grsecurity.net]? IMHO, I think grsecurity is much more a better solution especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/os could potentially protect you from flaws in the kernel itself??

I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that supports it is Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake does not.

As long as this state of affair exists, GRsecurity will not be a viable option for the majority of Linux users.

On OpenBSD you have similar technology integrated with the OS. No need for patches or other stuff to use it.

Re:Excellent

Hint, the stuff in ports doesn't come with OpenBSD, it is installed separately.

My point is that grsecurity may have some very nice security features, but one of the main reasons OpenBSD is so secure is that it has people going through the code auditing it. Security is a process, not a patch.

Re:Security

Chose only the packages you will be using, not the ones you might use some day but aren't absolutely needing it. Usually a port that has an absolutely horrible track record might not make it in, or if it has a gaping security problem it might be marked as BROKEN.

Use common sense, chose packages of software you have faith in to not suck.

Happy user since 2.7

[Daimaou]

I would like to offer my thanks to the OpenBSD team here on Slashdot, where it will promptly be lost in hundereds of other posts.

I have used OpenBSD since 2.7 as a firewall, a web server, and a file server. There are a lot of unix-like operating systems out there, but for me, nothing can beat the simplicity and security of OpenBSD in these areas.

I'm also extremely happy with the ease of applying patches on OpenBSD. It makes remote management the easiest thing in the world (well, from a unix perspective anyway).

If you haven't tried OpenBSD, and are looking for an excellent server OS, I highly recommend giving it a try. I would recommend supporting the effort by buying a CD too.

Re:Happy user since 2.7

[trewornan]

No real help is given to new users and such an elitest attitude is suicide.

A number of the reviews and guides I looked at before deciding on OpenBSD warned me about the communities attitude to this. But, firstly - I guess it's an understandable attitude if you aren't really concerned about promoting your OS and just want to be able to run it yourself, let's face it most of us are really freeloaders (I can't hack kernel code can you?). Secondly, the only time I've ever asked for help was on bsdforums and I got two quick and helpful replies, without any abuse at all so I'm not sure their reputation is entirely justified (but then I did RTFM first).

Re:Happy user since 2.7

A few things:

1) I'm a long time Open and Free BSD user

2) Posting anonymously does not in and of itself make one's comments or opinions have zero value

3) Posting with a name you assigned yourself is little different than posting anonymously. You chose your own nickname and there is no way to guarantee a direct association between your self chosen online name and your real world self. Thus, you too, are anonymous.

4) There are plenty of so-called non-anonymous posters on this site and elsewhere on the net who have absolutely nothing of value to say. Knowing who they are or who they might be does not add any weight to their opinions. Their opinion and 4 bucks gets you a cup of coffee.

5) By dismissing someone's comments simply for lack of having their self assigned name you are launching an ad hominen attack which is the weakest form of debate. When intelligent and educated people see such an attack they usually grant more weight, not less weight, to the statements of the person being attacked. Afterall, if you can't refute their arguments, but instead must attack the person making them, it appears to others as if you have nothing to refute their statements, thus they are either more likely to be correct or you are more likely to be easily dismissed in the future, or both.

6) Lastly, there are many situations in the real world and online where one might have something worth saying but the cost of being known is too high. I prefer a world where we can know the truth about what is going on even if we don't know the source of the truth. Truth is universal. It doesn't matter who the source is as long as it is true. For example, in a repressive state or in a dangerous work environment, one can be executed, jailed, fined, or fired for telling others what is going on. I *want* to know if the nearby nuclear power plant is soon to explode and I don't care if the informant is an anonymous employee. The same is true for human rights abuses around the world. This person may be someone important in some company or organization who doesn't want to risk their career to simply express their opinion on the net. They should be able to do so without being flat out dismissed because *you* want them to associate some fake self created name to their comments to make you feel as if you really know who it is. You're just as anonymous as they are except they're not pretending.

7) Given all of the above, I understand that the post was intended to cause a flame fest and hence is trolling. However! There are numerous accurate statements and several opinions expressed which I and many others agree with. There is little in this post which is flat out incorrect. It is the tone which is begging for flames which makes it a troll, not the factual statements or valid opinions expressed. Just because the poster is trolling, doesn't mean they're wrong.

Think about it.

Have a nice day,
Anonymous, but not a coward

Re:pfsync/CARP

[astrashe]

Isn't a lot of Cisco's appeal on the hardware side?

I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

Wouldn't the computer architecture make an OpenBSD router less stable?

k, troll, I'll bite....

[TheHonestTruth]

I am a Computer Information Systems Professional at a major Fortune 500 corporation.

ok....

Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional.

Hmmm.... ok. I guess that's possible.

We had previously been running OpenBSD on all our quad processor Xeons.

*bzzzzzt* You are either lying or dumb. Why install OpenBSD, which I admittedly love and am not biased against, on a quad processor system when SMP is in like alpha stage, beta at best? Because you're trolling or have no idea what you are doing. Next!

-truth

No, not silly.

[Tony-A]

That single remote hole (as opposed to no remote hole) means that security does matter and cannot be taken for granted.
Uber secure? I'd grant them that.
Secure? Probably not, but they're working on that.
Secure means that I can run unpatched vulnerable software with impunity.
Security does not mean that I have to try playing catch-up with the latest security "fixes".

Re:never-been-rooted claims getting sillier

[mentin]

The funny part is that OpenBSD dudes
1) only count remote vulnurabilities, ignoring any local ones
2) only count default install, i.e. ignoring vulnurabilities in anything that makes system minimally interesting (web, ftp server, XWindows, routing apps)
3) ignore denial of service attacks - even remote ones and even those that allow you to remotely crash system (although they don't explicitly mention it)

Re:never-been-rooted claims getting sillier

[nuintari]

1. They only count the remote ones in that exact statement, they fix all the bugs they find, and critical bugs have been few and far between.
2. The stock install comes with apache, an ftp server, X, and routing software.
3. No, every recent DoS attack that has effected obsd has been fixed. I would hardly call, same day patches as "ignoring".

Re:One remote whole...

[nuintari]

You have to take into account OpenBSD has privsep, stack protection, W^X memory, and a myriad of other security features not present in most other *nix systems.

Taken together, a large chunck of potential remote exploits become much less serious problems because the exploit isn't capable of root'ing an OpenBSD box. Sure, a DoS vulnerability is nothing to sneeze at, but it sure beats getting rooted. Same vulnerability will that will root a linux box, will often only annoy the living hell out of an Open box, and you'll still see a patch faster for OpenBSD.

Re:pfsync/CARP

[pe1chl]

>Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

All but the high-end Cisco boxes are very short of central processor power. Look at boxes in the 1700, 2600 and 3700 lines. They need additional co-processor cards to help with tasks like encryption and compression, where a PC could perform these easily without any help.

And when you need only little bandwidth but need a nontrivial amount of interfaces, you are forced to buy quite a large box. (the 1700 series accomodates only 2 interfaces, and on the 2600 series there is the possibility of 4 interfaces but only for Voice, not for Data. so very quickly you will need a 3725, for applications where a PC could still easlily handle the load)

Documentation

[Alioth]

What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq. The manual page is clearly written, has good examples, and provides the information you need.

I run Linux on my main workstation (and having been a Linux user since the 0.12 kernel days, Linux is close to my heart), but I'm increasingly impressed with OpenBSD as a firewall - the documentation is light-years ahead of Linux iptables documentation for a start, and then there's the new capabilities of pf with 3.5. It's not far off challenging the big boys like CheckPoint FireWall-1 (whose only advantage for our particular network is a pretty GUI configuration tool). With OpenBSD 3.5 with carp and pfsync, the CheckPoint box's days are numbered - I can get better reliability/redundancy with OpenBSD now. The OpenBSD documentation is better. The mailing lists for OpenBSD are more informative than the CheckPoint ones. The hardware is a lot less expensive, and you don't have to pay annual software rental like you do with FW-1.

Re:Documentation

[ImpTech]

Hear hear! I *still* can't really do iptables all that well, but I picked up pf in virtually no time. Its not only the better documentation, its that pf is so much less cumbersome to work with. Though I guess I should say I've never bothered to learn the new-fangled iptables-save/iptables-restore system, but why bother when I can just use OpenBSD on the firewall box?

Re:pfsync/CARP

Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
One file, more files, what is the difference? If the config files are well organized, which they are, there is no reason to have it all in one file.

Store the configuration in solid-state flash memory.
Get a CompactFlash card and a CF-to-IDE adapter.

Upgrade the entire OS by TFTP'ing a single file.
Could be done, you would need twice as much disk (CF) space as you need for a single installation, then download the new OS, unpack it on a free partition, swich default partition for booting, reboot. Ok, perhaps noone has done this until now. Perhaps it's because noone really needs it, not even the people who use OpenBSD on all their routers.

Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
Why do you need to do all this in hardware? Most of this stuff can be done in software a strong enough CPU and IO. The rest that can't be done in software is probably not used by majority of Cisco users (see below for more).
Really, you are building these requirements in such a way that OpenBSD cannot comply. It's a bit like saying that OpenOffice will replace MS Office if the third submenu in the 'File' menu is 'Open', when you click on it, go 102 pixels down and 53 pixels left, click, select the third option, and it reads 'Microsoft Word (.doc)'. What you really need is that it opens a .doc file, no matter how it is done.

Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
Not everyone needs those, and the majority who do not can use OpenBSD. The rest will probably use Cisco anyway, but it may just not be enough for Cisco to survive. Thus "Cisco killer".

In fact I don't think this will happen, as the strong Cisco feature is that they sell everything in one package, unpack and plug and play :). And they have some tech support, too.

Re:pfsync/CARP

[drinkypoo]

The sad part is, that the Cisco stuff ain't all that stable. Plus, the fact that they have been known to offload some of the work into firmware on the chassis means that sometimes something needs to be upgraded and it can't be, or they won't do it - and since it's (obviously) not open source, you can't fix it either. For instance, the catalyst 5000 switches (but not 5500s) are not considered Y2K compliant with any supervisor module, even a III.

The only really special thing about Cisco hardware as compared to a PC is that their backplane has traditionally been much faster than anything a PC has had to offer, and they have offered network cards (or blades in the Cisco parlance) with more ports (since they are larger) and with additional processors on the cards which do routing themselves. (Layer 3 switch blades, for example.) It's nothing you couldn't do on a PC, though, there just hasn't been a reason to. The most modern PCs have an extremely fast bus however, in the form of 66MHz/64 bit PCI, and now PCI-Express is coming along and the wider versions of that are even faster from what I understand.

Anyway, since when do routers not have moving parts? Every Cisco product beyond the SOHO level has at least one cooling fan. A cat5k (I pick on it a lot because it's what I have most experience with) has, like, eight plus one per power supply. Meanwhile, there are PCs without any moving parts - A cisco PIX 520 would be one of these, if it didn't have a power supply fan, because it's just a PC in a custom rack case, with an expansion card with a flash ram disk on it, and some Intel EEPro 100/B Management Adapters in it. (Someone told me once that tulips work too, as they were used in older pix 520s, but I've never seen that before.)

So the short form is "no", the computer architecture won't make an OpenBSD router less stable than a Cisco one. The only thing that might would be OpenBSD itself.

Re:FreeBSD and OpenBSD

[ArbitraryConstant]

FreeBSD supports a bit more hardware, and usually sooner. Performance is no comparison (favors FreeBSD), neither is ease of use (favors OpenBSD).

OpenBSD supports binary emulation of FreeBSD binaries, and I believe FreeBSD supports binary emulation of OpenBSD binaries. They should be almost completely source compatible. In practice you'll usually install something from ports and you won't care where it came from.

OpenBSD is missing a lot, which is why it tends to get used for firewalls that operate transparently. I don't think it's suitable as a general purpose OS. It's my favorite OS, but it's not good at everything.

FreeBSD is heading towards the ultimate webserver/workstation platform. OpenBSD is heading towards the ultimate router/firewall platform. In a lot of ways, these goals are mutually exclusive. They're both very well documented and easy to learn, so it's worth it to try them both out. I went from no experience to moderately skilled expert in about 4 hours on both of them, significantly less time than it took me for any Linux I've tried.

Re:pfsync/CARP

[evilviper]

Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.

This is bull. Cisco routers do not have text editors, and transfering a config file to/from a cisco router every time you need to make a change is quite cumbersome.

I used to be annoyed that different Unix config files have different syntaxes, until I used Cisco... There, each different option (hundreds, if not thousands in each config) may have it's own syntax, that you really have to memorize, or look-up to get right.

Store the configuration in solid-state flash memory.

Not a problem at all. I had a router running solely on a 32MB PCMCIA card several years ago.

Upgrade the entire OS by TFTP'ing a single file.

Now that's pretty stupid. First, I've seen many routers corrupted because TFTP is so very hit-or-miss... The fact that most Cisco routers are only able to use TFTP is a serious drawback, not an advantage.

As for the single file... OpenBSD's base system is spread across about 5 tar.gz files... If it makes you feel better, I could very quickly whip up a script that will combine them into one tgz file. Better?

Provide support for layer 2/3 QoS packet tagging in hardware

QoS is supported by PF. It's not in hardware, but that's no real concern.

When the only tool you have is a hammer, everything looks like a nail.

When you only own stock in Cisco, everything else must be inferior.

Re:about security holes

[evilviper]

If you call chroot a poor kludge, you're obviously not a security guy.

Not true, I'm "a security guy", and I'd say he's right (although I would phrase that differently).

Granted, it's not perfect, but it does help a little.

From everything I've seen, it hurts more than it helps in 99% of cases.

Ever heard of the principle of the least privilege? The idea, that programs shouldn't be allowed to do anything except what they need to do?

Yes, and Chroot seems to be prevnting people from actually doing that.

The huge majority of network services do not need to be root, except to open a port <1024... If it was not for that, most programs could run as an unprivlidged user, and NEVER need root access.

Remember, with chroot, you have to trust your program to only do what it needs to do as root, and be secure about it. Then you have to trust that it is dropping privlidges as soon as possible. You have to trust it is setting up the chroot correctly, and that it is dropping privlidges correctly. There have been several instances where services have been exploitable because they did not properly drop privlidges. (IIRC, samba was one of them)

So, shouldn't the people be educated about what it solves and what it doesn't, then?

Okay, everyone, chroot solves nothing. You use it only if no other security measure are possible, such as is the case with OpenSSH.

Just a solution to one problem: filesystem namespace visibility.

It is not a solution to that. First off, access to any of the files on a system (except for suid/sgid files) is not a security risk AT ALL.

Second, and most importantly, it is possible to break out of a chroot, so it's not providing much security.

Re:Security

[evilviper]

Chose only the packages you will be using, not the ones you might use some day but aren't absolutely needing it.

This is lowsy advice. You can have all the programs you want installed, and it won't make your system any less safe.

The only exception is suid/sgid programs.

It always drives me insane when I read another "security" tutorial on the web that suggest deleting unused programs, or your compiler, will make your system more secure, somehow.

Incidentally, ports do include patches, and most maintainers will include a patch that fixes a bug in the code if they notice it while they are porting... So, while ports aren't really audited, it IS safer to use the OpenBSD port of a program, than to compile the vanilla source yourself.

Use common sense, chose packages of software you have faith in to not suck.

Always good advice.

It's called sarcasm

[b00m3rang]

The parent (I meant to post as a reply to the existing reply) implied that they concede the fact that firewall rulesets with Linux and iptables are so unwieldy that a GUI interface is required, but still asserted that this is superior to pf which is easily manageable via a text session.

I don't honestly believe you think I was advocating replacing an OpenBSD firewall with a Windows machine under any circumstances. Windows ISA Server is by far the worst firewall I've ever had the misfortune of deploying.