Slashdot Mirror


OpenBSD 3.5 Released

pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the CDs, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"


  1. Excellent by mastergoon · · Score: 5, Insightful

    I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers. I can't wait for SMP support to be working.

    1. Re:Excellent by Anonymous Coward · · Score: 2, Interesting

      >> I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers.

      what about www.grsecurity.net? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself??

    2. Re:Excellent by Lord+Kano · · Score: 4, Interesting

      How much traffic are you handling if you really need SMP on a firewall/router?

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    3. Re:Excellent by klasikahl · · Score: 2, Informative

      I think you're forgetting about the NSA-funded SELinux project. It's also a kernel-level MAC security patch. I prefer SELinux over GrSec for many reasons, one of which is the fact that a team of well-trained NSA kernel hackers coded SELinux. (As opposed to GrSec, whose head coder and inventor is a punk who uses his security knowledge to keep his exploits as 0days. Sounds pretty fishy to me; I won't trust anything that has his name on it.) SELinux is in the official 2.6 kernel branch. Check it out here.

    4. Re:Excellent by Homology · · Score: 5, Insightful
      what about www.grsecurity.net? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself??

      I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that support it are Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake do not.

      As long as this state of affairs exists, grsecurity will not be a viable option for the majority of Linux users.

      On OpenBSD you have similar technology integrated with the OS. No need for patches or other stuff to use it.

    5. Re:Excellent by amix · · Score: 3, Interesting

      Don't think so mainstream. Think exotic:

      • VIA C3 (C5P core). Has double-RNG and AES hardware integrated. Perfect for VPN and WLAN.
      • At 1.2GHz it is not very fast (due to architecture) but consumes very (!) little energy and can be cooled passively. Perfect for a home server that runs 24/7 in your living room
      • is SMP capable

      a 3x PCI 0x AGP SMP ATX board would make the perfect home server. It would offer the possibility of a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall.

      While one CPU is serving the net and procmailing, the other one could compress some tarbz2 for the backup.

      Well, I am aware this is a server and not a firewall/router, but why not combine it, especially since the firewall is a separate system here. So yes, OpenBSD should really have SMP. Too bad VIA does not plan the C5P as a So370 version with a matching mobo, but in future such things might come. Why not?

      --
      Hello?? Fred?! Is this you?
    6. Re:Excellent by Anonymous Coward · · Score: 2, Interesting

      With dual-core CPUs possibly on the way from AMD, and the proliferation of other SMP or HyperThreading technologies, SMP is slowly becoming a priority.

      Something changed Theo's mind about it (maybe it was just Niklaus volunteering), so it's probably worth looking into.

    7. Re:Excellent by krunk7 · · Score: 5, Funny

      Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.

      Congratulations! You've won "The 1337ist Statement of the Day Award"!!

    8. Re:Excellent by EvilAlien · · Score: 2, Interesting
      Using the 2.6 kernel on a system with security as the primary goal isn't wise anyway. Part of having a well-secured system is staying away from the insufficiently audited and tested code, i.e. the new stuff.

      Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they get for ease of use and "newbie friendly" features.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  2. Amazingly, yes by Anonymous Coward · · Score: 4, Informative
  3. Security by Anonymous Coward · · Score: 2, Interesting
    The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows

    So if I want optimal security, how do I choose which packages to use?

    1. Re:Security by Anonymous Coward · · Score: 5, Insightful

      Choose only the packages you will be using, not the ones you might use some day but don't absolutely need. Usually a port that has an absolutely horrible track record might not make it in, or if it has a gaping security problem it might be marked as BROKEN.

      Use common sense, choose packages of software you have faith in to not suck.

    2. Re:Security by evilviper · · Score: 2, Insightful
      Choose only the packages you will be using, not the ones you might use some day but don't absolutely need.

      This is lousy advice. You can have all the programs you want installed, and it won't make your system any less safe.

      The only exception is suid/sgid programs.

      It always drives me insane when I read another "security" tutorial on the web that suggests deleting unused programs, or your compiler, will somehow make your system more secure.

      Incidentally, ports do include patches, and most maintainers will include a patch that fixes a bug in the code if they notice it while they are porting... So, while ports aren't really audited, it IS safer to use the OpenBSD port of a program, than to compile the vanilla source yourself.

      Use common sense, choose packages of software you have faith in to not suck.

      Always good advice.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
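As an added example (mine, not code from the thread or from OpenBSD), here is a small POSIX shell audit of the one exception the comment above singles out, set-user-ID and set-group-ID binaries: it lists every regular file under a directory that carries either bit and flags any that are not on an allowlist of expected ones. The directory tree, file names and allowlist in demo_setup are constructed for the demo; on a real system you would point audit_setid at / and seed the allowlist from a fresh install of the same release.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files under a directory and flag
# any that are not on an allowlist. Paths in the allowlist are relative
# to the audited directory, one per line.

# audit_setid DIR ALLOWLIST
# Prints one report line per setuid/setgid file; returns 1 if any file is
# not on the allowlist, 0 otherwise.
audit_setid() {
    dir="$1"; allow="$2"
    report=$(
        # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r path; do
            rel=${path#"$dir"/}
            kind=""
            [ -u "$path" ] && kind="setuid"
            [ -g "$path" ] && kind="${kind:+$kind,}setgid"
            if grep -Fxq -- "$rel" "$allow"; then
                echo "expected   $kind  $rel"
            else
                echo "UNEXPECTED $kind  $rel"
            fi
        done | sort -k3
    )
    printf '%s\n' "$report"
    case "$report" in
        *UNEXPECTED*) return 1 ;;
        *) return 0 ;;
    esac
}

# demo_setup: build a constructed directory tree (not a real system) with
# two expected set-id binaries and one unexpected one; prints its path.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/local/bin"
    : > "$d/usr/bin/passwd";       chmod u+s "$d/usr/bin/passwd"
    : > "$d/usr/bin/wall";         chmod g+s "$d/usr/bin/wall"
    : > "$d/usr/local/bin/helper"; chmod u+s "$d/usr/local/bin/helper"
    : > "$d/usr/bin/ls"            # ordinary file, must not be reported
    printf 'usr/bin/passwd\nusr/bin/wall\n' > "$d/allowlist"
    echo "$d"
}

demo_dir=$(demo_setup)
if audit_setid "$demo_dir" "$demo_dir/allowlist"; then
    echo "no unexpected set-id files"
else
    echo "review the UNEXPECTED entries above"
fi
```

The allowlist is the point: a bare find listing is only useful the first time, whereas a diff against what the base install shipped turns a new set-id helper dropped by a package (or by an intruder) into a one-line alarm you can run from cron.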
  4. pfsync/CARP by ArbitraryConstant · · Score: 4, Interesting

    OpenBSD is the Cisco killer.

    It's now suitable for replacing a lot of the Cisco gear out there.

    --
    I rarely criticize things I don't care about.
    1. Re:pfsync/CARP by astrashe · · Score: 4, Insightful

      Isn't a lot of Cisco's appeal on the hardware side?

      I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

      Wouldn't the computer architecture make an OpenBSD router less stable?

    2. Re:pfsync/CARP by PatJensen · · Score: 5, Informative
      When you can do the following, OpenBSD will be a Cisco IOS killer.
      • Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
      • Store the configuration in solid-state flash memory.
      • Upgrade the entire OS by TFTP'ing a single file.
      • Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
      • Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
      • Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
      • Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
      When the only tool you have is a hammer, everything looks like a nail.

      -Pat

    3. Re:pfsync/CARP by ArbitraryConstant · · Score: 5, Interesting
      I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

      OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

      Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

      Wouldn't the computer architecture make an OpenBSD router less stable?

      Not necessarily, it runs on a lot of different architectures... Xeons, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
      --
      I rarely criticize things I don't care about.
    4. Re:pfsync/CARP by Schubert · · Score: 4, Funny

      When the only tool you have is an axe, everything looks like fun. :-)

      --
      -- schubert
    5. Re:pfsync/CARP by mrchaotica · · Score: 2, Interesting
      OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.


      They don't even need a power supply fan; my EPIA system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an EPIA at least) and it's small (the same length as the EPIA itself, and a little over an inch wide). Depending on which EPIA you have, it's possible to plug its ATX out straight into the EPIA's ATX in without a cable.

      So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    6. Re:pfsync/CARP by pacman+on+prozac · · Score: 3, Informative

      IPv4 routing in Cisco is done by software not hardware.

      This already is a Cisco killer for one simple reason, VSRP is crap.

    7. Re:pfsync/CARP by pe1chl · · Score: 4, Insightful

      >Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

      All but the high-end Cisco boxes are very short of central processor power. Look at boxes in the 1700, 2600 and 3700 lines. They need additional co-processor cards to help with tasks like encryption and compression, where a PC could perform these easily without any help.

      And when you need only a little bandwidth but a nontrivial number of interfaces, you are forced to buy quite a large box. (The 1700 series accommodates only 2 interfaces, and on the 2600 series there is the possibility of 4 interfaces but only for Voice, not for Data, so very quickly you will need a 3725, for applications where a PC could still easily handle the load.)

    8. Re:pfsync/CARP by kfg · · Score: 2, Funny

      When the only tool you have is an axe, everything looks like fun. :-)

      Yeah, they made us shout that in group before trust building exercises at the Borden Institute of Family Relationships.

      KFG

    9. Re:pfsync/CARP by Anonymous Coward · · Score: 5, Insightful

      Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
      One file, more files, what is the difference? If the config files are well organized, which they are, there is no reason to have it all in one file.

      Store the configuration in solid-state flash memory.
      Get a CompactFlash card and a CF-to-IDE adapter.

      Upgrade the entire OS by TFTP'ing a single file.
      Could be done; you would need twice as much disk (CF) space as you need for a single installation, then download the new OS, unpack it on a free partition, switch the default partition for booting, reboot. Ok, perhaps no one has done this until now. Perhaps it's because no one really needs it, not even the people who use OpenBSD on all their routers.

      Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
      Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
      Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.

      Why do you need to do all this in hardware? Most of this stuff can be done in software with a strong enough CPU and IO. The rest that can't be done in software is probably not used by the majority of Cisco users (see below for more).
      Really, you are building these requirements in such a way that OpenBSD cannot comply. It's a bit like saying that OpenOffice will replace MS Office if the third submenu in the 'File' menu is 'Open', when you click on it, go 102 pixels down and 53 pixels left, click, select the third option, and it reads 'Microsoft Word (.doc)'. What you really need is that it opens a .doc file, no matter how it is done.

      Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
      Not everyone needs those, and the majority who do not can use OpenBSD. The rest will probably use Cisco anyway, but it may just not be enough for Cisco to survive. Thus "Cisco killer".

      In fact I don't think this will happen, as the strong Cisco feature is that they sell everything in one package, unpack and plug and play :). And they have some tech support, too.

    10. Re:pfsync/CARP by drinkypoo · · Score: 5, Insightful
      The sad part is, that the Cisco stuff ain't all that stable. Plus, the fact that they have been known to offload some of the work into firmware on the chassis means that sometimes something needs to be upgraded and it can't be, or they won't do it - and since it's (obviously) not open source, you can't fix it either. For instance, the catalyst 5000 switches (but not 5500s) are not considered Y2K compliant with any supervisor module, even a III.

      The only really special thing about Cisco hardware as compared to a PC is that their backplane has traditionally been much faster than anything a PC has had to offer, and they have offered network cards (or blades in the Cisco parlance) with more ports (since they are larger) and with additional processors on the cards which do routing themselves. (Layer 3 switch blades, for example.) It's nothing you couldn't do on a PC, though, there just hasn't been a reason to. The most modern PCs have an extremely fast bus however, in the form of 66MHz/64 bit PCI, and now PCI-Express is coming along and the wider versions of that are even faster from what I understand.

      Anyway, since when do routers not have moving parts? Every Cisco product beyond the SOHO level has at least one cooling fan. A cat5k (I pick on it a lot because it's what I have most experience with) has, like, eight plus one per power supply. Meanwhile, there are PCs without any moving parts - A cisco PIX 520 would be one of these, if it didn't have a power supply fan, because it's just a PC in a custom rack case, with an expansion card with a flash ram disk on it, and some Intel EEPro 100/B Management Adapters in it. (Someone told me once that tulips work too, as they were used in older pix 520s, but I've never seen that before.)

      So the short form is "no", the computer architecture won't make an OpenBSD router less stable than a Cisco one. The only thing that might would be OpenBSD itself.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:pfsync/CARP by evilviper · · Score: 3, Insightful
      Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.

      This is bull. Cisco routers do not have text editors, and transferring a config file to/from a Cisco router every time you need to make a change is quite cumbersome.

      I used to be annoyed that different Unix config files have different syntaxes, until I used Cisco... There, each different option (hundreds, if not thousands, in each config) may have its own syntax that you really have to memorize, or look up, to get right.

      Store the configuration in solid-state flash memory.

      Not a problem at all. I had a router running solely on a 32MB PCMCIA card several years ago.

      Upgrade the entire OS by TFTP'ing a single file.

      Now that's pretty stupid. First, I've seen many routers corrupted because TFTP is so very hit-or-miss... The fact that most Cisco routers are only able to use TFTP is a serious drawback, not an advantage.

      As for the single file... OpenBSD's base system is spread across about 5 tar.gz files... If it makes you feel better, I could very quickly whip up a script that will combine them into one tgz file. Better?

      Provide support for layer 2/3 QoS packet tagging in hardware

      QoS is supported by PF. It's not in hardware, but that's no real concern.

      When the only tool you have is a hammer, everything looks like a nail.

      When you only own stock in Cisco, everything else must be inferior.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  5. Monty Python clone??? wtf? by Billly+Gates · · Score: 3, Interesting

    Eagerly, awaiting the openbsd 3.5 theme song I ftped into one of the mirrors.

    Anyway, I downloaded the 3.5 song and found it is about a protest against Cisco patents on redundant firewalling and VRP, in a Monty Python format.

    Strange but somewhat amusing, to say the least. Go download it.

  6. yea by Anonymous Coward · · Score: 3, Informative

    seems main ftp server is down. remember there are the mirrors if you guys want to get it. http://openbsd.org/ftp.html

    and OpenBSD Rocks!

  7. my favorite comment from the changelog by imac.usr · · Score: 4, Funny
    - Enable bus mastering on fxp(4). Oh yes.

    I don't know what it means, but I approve.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:my favorite comment from the changelog by Gogo+Dodo · · Score: 4, Informative

      fxp is the driver for the Intel PRO/100 Ethernet adapters.

  8. Happy user since 2.7 by Daimaou · · Score: 4, Insightful

    I would like to offer my thanks to the OpenBSD team here on Slashdot, where it will promptly be lost in hundreds of other posts.

    I have used OpenBSD since 2.7 as a firewall, a web server, and a file server. There are a lot of unix-like operating systems out there, but for me, nothing can beat the simplicity and security of OpenBSD in these areas.

    I'm also extremely happy with the ease of applying patches on OpenBSD. It makes remote management the easiest thing in the world (well, from a unix perspective anyway).

    If you haven't tried OpenBSD, and are looking for an excellent server OS, I highly recommend giving it a try. I would recommend supporting the effort by buying a CD too.

    1. Re:Happy user since 2.7 by trewornan · · Score: 3, Insightful

      No real help is given to new users and such an elitist attitude is suicide.

      A number of the reviews and guides I looked at before deciding on OpenBSD warned me about the community's attitude to this. But, firstly, I guess it's an understandable attitude if you aren't really concerned about promoting your OS and just want to be able to run it yourself; let's face it, most of us are really freeloaders (I can't hack kernel code, can you?). Secondly, the only time I've ever asked for help was on bsdforums and I got two quick and helpful replies, without any abuse at all, so I'm not sure their reputation is entirely justified (but then I did RTFM first).

  9. Mascot by Zardus · · Score: 3, Informative

    Isn't that the wrong mascot in the Slashdot story?

    --
    You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
  10. Re:Every Hacker's Wet Dream by no+reason+to+be+here · · Score: 2, Interesting

    my formerly slackware-lovin', now debian-lovin' former roommate, despite his love of Tux and all things penguin, has started using OpenBSD for his router/firewall. If he's using it, i imagine there must be at least another dozen out there that use it. :)

    seriously though, just check netcraft. there are lots of sites hosted on OpenBSD.

  11. OpenBSD by foo+fighter · · Score: 3, Funny

    We who are about to be rooted salute you!

    --
    obviously no deficiencies vs. no obvious deficiencies
  12. Re:"single remote hole" by cperciva · · Score: 5, Informative

    What was it?

    OpenSSH.

  13. never-been-rooted claims getting sillier by SuperBanana · · Score: 3, Funny
    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    Prediction for OpenBSD 6.0 announcement:

    "We remain proud of OpenBSD's record of 15 years with only a single remote hole on a 986, executed from a windows system over a local network by a person under the age of 18. On tuesday. During a full moon. At low tide."

    1. Re:never-been-rooted claims getting sillier by 0racle · · Score: 4, Interesting

      How is it getting sillier? Because they increment it once a year when there wasn't a hole that year, or are you just so used to using something else that you just can't believe that something goes longer than a month without a catastrophic security hole?

      --
      "I use a Mac because I'm just better than you are."
    2. Re:never-been-rooted claims getting sillier by nuintari · · Score: 4, Insightful

      1. They only count the remote ones in that exact statement, they fix all the bugs they find, and critical bugs have been few and far between.
      2. The stock install comes with apache, an ftp server, X, and routing software.
      3. No, every recent DoS attack that has affected obsd has been fixed. I would hardly call same-day patches "ignoring".

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

  14. Fast AES by atrus · · Score: 5, Interesting

    I found this part of the release notes particularly interesting:

    OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).

    I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, which I don't think there is a fanless version yet on the market.) Of course someone will prove me wrong.

    Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.

    1. Re:Fast AES by CTho9305 · · Score: 3, Interesting

      Why waste all the power on a Via C3 (multiple watts) when you could use an AMD Alchemy Au1550, which consumes less than 1 watt? The development board is MUCH smaller than any uATX-like form factor.

    2. Re:Fast AES by atrus · · Score: 3, Interesting

      The AMD Alchemy is smaller, but with the C3+chipset being Intel/PC compatible, there already is a large base of software available for the C3. By extension, there are many more people familiar with programming things on PC operating systems, which makes the C3 an appealing choice. The Alchemy is more custom. While I'm sure the development kit for the Alchemy is good, it can't match the available software base of PCs. Need to add a DNS server? There are numerous ones available which meet different needs. While you probably could port one of the DNS servers to run on the Alchemy, this is a time consuming operation.

    3. Re:Fast AES by leov211 · · Score: 3, Informative

      Yes, the new 600MHz version of Nehemiah runs fanless on the new CL6000 mini-itx server board.

    4. Re:Fast AES by BiggerIsBetter · · Score: 3, Interesting

      Cost and availability. When my boxed set of OpenBSD 3.5 arrives in a week or so, I can go out and buy a Mini-ITX board and box for a few hundred dollars off the shelf. I can have a reasonable firewall device up and running the afternoon the CDs arrive. And even better, it's not using overpriced development components, it's in full volume production. The AMD product is interesting, but unless they get real product on shelves at reasonable prices, it's not worth my time to chase what is effectively vapour-ware.

      BTW, your mention of "uATX-like" is way off base. Mini-ITX is significantly smaller, and VIA has released its even smaller Nano-ITX range as well.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    5. Re:Fast AES by mst76 · · Score: 3, Informative

      I believe the 600MHz fanless boards (ME 6000, CL 6000) also include the hardware AES accelerator.

  15. Re:"single remote hole" by Indy1 · · Score: 3, Informative

    it was a bug in openssh, which if i remember correctly, would have been tricky to exploit in the first place.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  16. Re:For the trolls, out there... by Zork+the+Almighty · · Score: 2, Funny

    Where is ??? - profit ?

    --

    In Soviet America the banks rob you!
  17. Re:Every Hacker's Wet Dream by TheHonestTruth · · Score: 5, Funny
    Be at the Burlington Mall in Burlington, MA tomorrow, in the Food Court near Quiznos at 5 PM EDT. I'll be the guy shaking your hand. Then we can end this "I never met anyone IRL that runs this" farce.

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  18. Isn't it about time... by AvantLegion · · Score: 4, Funny
    ... for remote hole #2?

  19. k, troll, I'll bite.... by TheHonestTruth · · Score: 5, Insightful
    I am a Computer Information Systems Professional at a major Fortune 500 corporation.

    ok....

    Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional.

    Hmmm.... ok. I guess that's possible.

    We had previously been running OpenBSD on all our quad processor Xeons.

    *bzzzzzt* You are either lying or dumb. Why install OpenBSD, which I admittedly love and am not biased against, on a quad processor system when SMP is in like alpha stage, beta at best? Because you're trolling or have no idea what you are doing. Next!

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  20. Re:Argh by dhartmei · · Score: 3, Informative

    There's an unofficial BitTorrent link; just make sure you verify MD5 checksums against those listed on the official ftp server.
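An added example (mine, not the thread's and not OpenBSD's own tooling) of the check the comment above recommends: a POSIX shell function that reads a BSD-style digest list, the `MD5 (filename) = hexdigest` format the release directories use, and compares each listed file in a download directory against it. The three tarball names and the digest list in demo_setup are constructed for the demo, with one good file, one tampered file and one listed file that is absent.

```shell
#!/bin/sh
# Added example: verify downloaded release files against a BSD-style
# digest list ("MD5 (filename) = hexdigest", one entry per line).

# md5_of FILE: print the hex MD5 of FILE; md5sum where present, else openssl
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5_list LIST DIR: check every entry in LIST against DIR/filename.
# Prints OK / FAILED / MISSING per entry; returns 0 only if all entries match.
verify_md5_list() {
    list="$1"; dir="$2"; status=0
    while IFS= read -r line; do
        case "$line" in
            "MD5 ("*") = "*) ;;
            *) continue ;;            # skip blank and unrelated lines
        esac
        name=${line#"MD5 ("}; name=${name%") = "*}
        want=${line##*= }
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        got=$(md5_of "$path")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (expected $want, got $got)"; status=1
        fi
    done < "$list"
    return $status
}

# demo_setup: constructed download directory (not real release files):
# base35.tgz matches its digest, etc35.tgz was altered, misc35.tgz is missing.
# b1946ac9... is the MD5 of the six bytes "hello\n".
demo_setup() {
    d=$(mktemp -d)
    printf 'hello\n'  > "$d/base35.tgz"
    printf 'hello!\n' > "$d/etc35.tgz"
    cat > "$d/MD5" <<'EOF'
MD5 (base35.tgz) = b1946ac92492d2347c6235b4d2611184
MD5 (etc35.tgz) = b1946ac92492d2347c6235b4d2611184
MD5 (misc35.tgz) = b1946ac92492d2347c6235b4d2611184
EOF
    echo "$d"
}

demo_dir=$(demo_setup)
if verify_md5_list "$demo_dir/MD5" "$demo_dir"; then
    echo "all listed files verified"
else
    echo "verification failed: do not install from these files"
fi
```

The caveat that makes the comment's advice work is where the digest list comes from: a list pulled from the same torrent or mirror as the files only proves the download was not corrupted in transit. Fetch the list from the official server (or the CDs) and the comparison also catches a mirror serving altered files.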

  21. Here's all you need to know by Anonymous Coward · · Score: 3, Funny
  22. Not all mirrors have 3.5 yet... by b00m3rang · · Score: 3, Informative

    I've found that ftp.sunet.se does, however.

  23. In case google is broken, which it's not by b00m3rang · · Score: 3, Informative
  24. Re:Every Hacker's Wet Dream by manifest37 · · Score: 3, Interesting

    http://uptime.netcraft.com/up/today/top.avg.html
    The sites with the longest uptime run OpenBSD
    thats who uses it

  25. I'll bite too... by Anonymous Coward · · Score: 5, Informative

    Let's begin hacking this one apart :P

    1) Devry... nice.. :P not.
    2) A company capable of buying quad Xeon hardware doesn't sound like the kind of company that needs to resort to running a workstation OS--XP Professional--on a server. Plus, Windows XP will only use 2 CPUs maximum.
    3) Like mentioned before, you'd never run OpenBSD on an SMP box in a production scenario
    4) What kind of password? The Windows XP password has nothing to do with Dell. If you mean the BIOS password, that has nothing to do with Windows.
    5) Microsoft's multi-user computing (read: NT Domains/Active Directory) is actually quite good.
    6) If your server had three years of uptime, there was probably (I'm sure there wasn't but I don't want to be wrong) no OpenBSD SMP support (not even beta) 3 years ago... I wonder how your boss feels about a server having 75% of its computing power being unused.

    There's more wrong with your post, but why bother...

  26. My addition by bobtheheadless · · Score: 4, Interesting

    Everybody has their OpenBSD quips, so I may as well add mine.

    I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.

    That's not the best part, though. I have some friends who needed a residential gateway, and I set them up with an old box running obsd 3.1, and it's been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.

    Anyway, that's my addition. I wonder if anybody will have the patience to read this far down in the comments. Hmmmm...

    --
    --- If I had a funny sig too, you might be laughing now.
  27. Re:Was anyone else pissed when... by Cyno01 · · Score: 2, Funny

    I really dont think sidewinders should be replaced with OpenBSD, maybe AMRAMs, but not sidewinders...

    --
    "Sic Semper Tyrannosaurus Rex."
  28. Re:Every Hacker's Wet Dream by prockcore · · Score: 3, Interesting

    http://uptime.netcraft.com/up/today/top.avg.html
    The sites with the longest uptime run OpenBSD
    thats who uses it


    That's not a valid list.

    $ uname -sr
    SunOS 5.7
    $ uptime
    12:11am up 1585 day(s), 8:41, 1 user, load average: 0.27, 0.27, 0.26

    That puts us in the top 10, and we're not the only ones. The problem is the uptime solaris reports to netcraft rolls over every 495 days.

  29. Re:"single remote hole" by Tony-A · · Score: 2, Interesting

    Something very tricky with one-time passwords, IIRC. Seems like all Linux and most OpenBSD users would have been unaffected.
    It seems to me that the design level of OpenBSD is remote administration of the box where an intervening router is owned by a competent enemy.

  30. One remote whole... by gnu-sucks · · Score: 4, Informative

    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.

    If you look at the release 3.4 errata list, there's at least three or four root exploits waiting to happen. And 3.3 and 3.2 aren't any better.

    And YES, sendmail was in the default install. As well as many programs based off the lately bad libc-6.

    OpenBSD is the most secure, and secure-oriented, but its not perfect by any means.

    And yes, I run OpenBSD on a few servers, and one desktop!

    1. Re:One remote whole... by nuintari · · Score: 5, Insightful

      You have to take into account OpenBSD has privsep, stack protection, W^X memory, and a myriad of other security features not present in most other *nix systems.

      Taken together, a large chunk of potential remote exploits become much less serious problems because the exploit isn't capable of rooting an OpenBSD box. Sure, a DoS vulnerability is nothing to sneeze at, but it sure beats getting rooted. The same vulnerability that will root a Linux box will often only annoy the living hell out of an Open box, and you'll still see a patch faster for OpenBSD.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    2. Re:One remote whole... by Triumph+The+Insult+C · · Score: 4, Informative

      and in the default install, sendmail only listens on localhost ...

      --
      vodka, straight up, thank you!
  31. Perfect Timing by alexhmit01 · · Score: 3, Informative

    Ironically, I just finished installing 2 OpenBSD machines in the past couple of days, just finished up one about 5 minutes ago. Unfortunately, while they get the software up on a mirror quickly, every time we buy the CDs they don't ship out for weeks after the downloaders grabbed them... makes it a bit discouraging to buy the CDs, which we used to do (several copies) each release...

    But now that OpenBSD is only on Firewalls, no webservers, it's less pressing.

  32. about security holes by Anonymous Coward · · Score: 5, Interesting

    Yes, lack of security holes makes anything secure, this is quite obvious. However, how can you know you don't have any security holes? The answer is simple: you cannot.

    If you call chroot a poor kludge, you're obviously not a security guy. Granted, it's not perfect, but it does help a little. Ever heard of the principle of least privilege? The idea that programs shouldn't be allowed to do anything except what they need to do? Well, taken to the extreme, this would mean:

    - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
    - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
    - Same for every other resource such as sockets, etc...

    This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful, however anything that implements any of the above is a GOOD thing.

    You're saying chroot is giving a false sense of security. So, shouldn't people be educated about what it solves and what it doesn't, then? Obviously it's a good feature, it just isn't intended to be a solution to everything. Just a solution to one problem: filesystem namespace visibility.

    1. Re:about security holes by Anonymous Coward · · Score: 4, Informative

      - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
      - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
      - Same for every other resource such as sockets, etc...


      You mean like systrace? ;)

    2. Re:about security holes by geniusj · · Score: 2, Interesting

      This can usually be achieved through Mandatory Access Control (MAC). I know FreeBSD 5.x has a MAC implementation, though I haven't used it myself. There are or have also been various linux MAC implementations available. Something to get used to though is that generally with MAC, there is no such thing as 'root'.

    3. Re:about security holes by Geekboy(Wizard) · · Score: 4, Informative

      - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
      - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
      - Same for every other resource such as sockets, etc...


      systrace(1)

    4. Re:about security holes by evilviper · · Score: 3, Insightful
      If you call chroot a poor kludge, you're obviously not a security guy.

      Not true, I'm "a security guy", and I'd say he's right (although I would phrase that differently).

      Granted, it's not perfect, but it does help a little.

      From everything I've seen, it hurts more than it helps in 99% of cases.

      Ever heard of the principle of the least privilege? The idea, that programs shouldn't be allowed to do anything except what they need to do?

      Yes, and chroot seems to be preventing people from actually doing that.

      The huge majority of network services do not need to be root, except to open a port <1024... If it was not for that, most programs could run as an unprivileged user, and NEVER need root access.

      Remember, with chroot, you have to trust your program to only do what it needs to do as root, and be secure about it. Then you have to trust that it is dropping privileges as soon as possible. You have to trust it is setting up the chroot correctly, and that it is dropping privileges correctly. There have been several instances where services have been exploitable because they did not properly drop privileges. (IIRC, samba was one of them)

      So, shouldn't the people be educated about what it solves and what it doesn't, then?

      Okay, everyone, chroot solves nothing. You use it only if no other security measures are possible, such as is the case with OpenSSH.

      Just a solution to one problem: filesystem namespace visibility.

      It is not a solution to that. First off, access to any of the files on a system (except for suid/sgid files) is not a security risk AT ALL.

      Second, and most importantly, it is possible to break out of a chroot, so it's not providing much security.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
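An added example, written for this page and not taken from any commenter or from OpenBSD's own source tree, of the privilege drop that comment 32 (least privilege) and the chroot reply above are arguing about. It does the steps in the order privsep daemons do them and then checks the result instead of trusting it: the jail directory must be root-owned and not writable by the confined user (the rule sshd enforces), chdir precedes chroot so "." is inside the jail, supplementary groups are cleared before gid before uid, and at the end setuid(0) must fail, which is the only proof the saved uid is no longer root. The path /var/empty and the uid/gid 32767 in main are assumed illustrative values (OpenBSD's empty root-owned directory and its "nobody" account); the function has no effect unless run as root, and the argument checks run without it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `root` and drop to uid/gid, then prove the
 * drop stuck.  Returns 0 on success, -1 with errno set otherwise.  Order matters:
 *  - stat/chdir before chroot, so the jail is checked and "." is inside it;
 *  - chdir("/") after chroot, so the cwd cannot point outside the jail;
 *  - setgroups before setgid before setuid, because each step needs root;
 *  - finally, setuid(0) must FAIL, otherwise the saved uid is still root.
 */
int drop_privileges(const char *root, uid_t uid, gid_t gid)
{
    struct stat st;

    if (uid == 0 || gid == 0) {          /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (stat(root, &st) == -1)           /* e.g. ENOENT for a missing jail */
        return -1;
    /* A jail the unprivileged user can write to is not a jail. */
    if (!S_ISDIR(st.st_mode) || st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;
        return -1;
    }
    if (chdir(root) == -1 || chroot(root) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1)        /* inherited supplementary groups go too */
        return -1;
    if (setresgid(gid, gid, gid) == -1 || setresuid(uid, uid, uid) == -1)
        return -1;

    /* Trust nothing above: verify the ids, and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (setuid(0) != -1 || seteuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumed values for illustration: /var/empty is the empty, root-owned
     * directory OpenBSD ships for privsep daemons, and 32767 is its "nobody"
     * uid/gid.  Must be started as root to do anything useful. */
    if (drop_privileges("/var/empty", 32767, 32767) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("confined: uid=%u gid=%u, root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The two refusals at the top are the cheap part; the verification at the bottom is what catches the bug class the reply describes, a daemon that called setuid() without setresuid()/setgid() and still had a saved root uid to come back to.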
  33. Of course it's out by Russellkhan · · Score: 3, Funny

    I just downloaded 3.4 yesterday.

    --
    Information doesn't want to be anthropomorphized anymore.
  34. Re:"single remote hole" by RPoet · · Score: 2, Funny

    Yes, it would of been hard, but I bet it could of been done. I of no idea if anyone of done it yet, but yes, they could of.

    Of a nice day.

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
  35. Documentation by Alioth · · Score: 4, Insightful

    What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq. The manual page is clearly written, has good examples, and provides the information you need.

    I run Linux on my main workstation (and having been a Linux user since the 0.12 kernel days, Linux is close to my heart), but I'm increasingly impressed with OpenBSD as a firewall - the documentation is light-years ahead of Linux iptables documentation for a start, and then there's the new capabilities of pf with 3.5. It's not far off challenging the big boys like CheckPoint FireWall-1 (whose only advantage for our particular network is a pretty GUI configuration tool). With OpenBSD 3.5 with carp and pfsync, the CheckPoint box's days are numbered - I can get better reliability/redundancy with OpenBSD now. The OpenBSD documentation is better. The mailing lists for OpenBSD are more informative than the CheckPoint ones. The hardware is a lot less expensive, and you don't have to pay annual software rental like you do with FW-1.

    1. Re:Documentation by lemonjelo · · Score: 3, Informative

      What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq.

      I'd also throw in that the file system layout is very consistent with OpenBSD. There's even a hier(7) man page describing the layout. When I'm working on another OS I find myself digging around, even for configuration files, way too often.

      --

      pimtamf
    2. Re:Documentation by ImpTech · · Score: 2, Insightful

      Hear hear! I *still* can't really do iptables all that well, but I picked up pf in virtually no time. It's not only the better documentation, it's that pf is so much less cumbersome to work with. Though I guess I should say I've never bothered to learn the new-fangled iptables-save/iptables-restore system, but why bother when I can just use OpenBSD on the firewall box?

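An added example, not from any commenter or from the OpenBSD project's documentation, of the carp plus pfsync pair that comment 35 describes replacing a FireWall-1 cluster with. Interface names (fxp0, fxp2), the 192.0.2.0/24 addresses and the password are assumed values to be replaced; 192.0.2.1 is the shared address clients point at, and the backup box carries the same vhid and pass with a higher advskew so it only wins the election when the primary stops advertising. Two things the manual pages say that are easy to skip: pfsync traffic is unauthenticated, so the sync link has to be a dedicated cable that nothing else can reach, and the pf ruleset must explicitly pass proto carp and proto pfsync or failover and state sharing stop silently. The keyword the 3.5-era pfsync(4) uses for the sync interface is written here as syncif; check pfsync(4) on the release actually installed, since later releases renamed it.

```conf
# /etc/hostname.fxp0 on the primary: the physical external interface.
inet 192.0.2.2 255.255.255.0 NONE

# /etc/hostname.carp0 on the primary: the shared address clients use.
# Backup box: same vhid and pass, but "advskew 100" so it loses while
# the primary is advertising.  Replace "changeme"; it is a shared secret.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass changeme advskew 0

# /etc/hostname.pfsync0: state-table updates over a dedicated crossover
# link (fxp2).  pfsync is unauthenticated; never put this on a shared LAN.
up syncif fxp2

# /etc/sysctl.conf: let the primary take the address back when it returns.
net.inet.carp.preempt=1

# /etc/pf.conf fragment: without these two rules the cluster looks fine
# and then fails to fail over.
ext_if = "fxp0"
sync_if = "fxp2"
block all
pass quick on lo0 all
pass quick on $sync_if proto pfsync
pass on $ext_if proto carp
pass out on $ext_if inet keep state
```

Sessions only survive failover if they were created with state (the last rule); a stateless rule set has nothing for pfsync to copy to the backup.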
  36. Um, no..... by tomasdore · · Score: 2, Informative

    From the netcraft FAQ
    "Operating systems that do not provide uptime information include;

    • NetBSD/OpenBSD"
    --
    In Social Democratic Sweden ... Ikea comes looking for yew!
  37. FreeBSD and OpenBSD by Dionysus · · Score: 2, Interesting

    How does FreeBSD compare to OpenBSD? I realize that OpenBSD has a security focus, but I was thinking more from a user point of view. If a program runs on FreeBSD, does it automatically run on OpenBSD (without recompile) etc?

    Does FreeBSD support more hardware? What's the difference?

    --
    Je ne parle pas francais.
    1. Re:FreeBSD and OpenBSD by lyberth · · Score: 2, Informative

      While I haven't run FreeBSD that much I have been running OpenBSD for a while. While not all FreeBSD programs will run on OpenBSD automatically, most will either by compiling it on OpenBSD or through the excellent binary emulation. So go try it out (all normal things like apache, perl, sendmail, postfix, samba kde, mozilla, joe, vi, emacs, and a lot more will run on openbsd). go go go

      --

      There isn't much like the scent of a fresh harddisk
    2. Re:FreeBSD and OpenBSD by grub · · Score: 3, Informative


      I use OpenBSD on my desktop at work. There's a FreeBSD and Linux (among others) binary compatibility option which work great for me. I use the Linux Citrix client binary to connect to a Citrix server across the country just fine. I don't think I've ever run a FreeBSD binary but I install from ports usually so the port-meister of that particular software takes care of issues.

      OpenBSD supports a load of different architectures, far more than FreeBSD. However I think you're really asking about supported hardware on i386. In that area FreeBSD is ahead but most stock hardware runs OpenBSD just fine.

      Jump in, the water's fine!

      --
      Trolling is a art,
    3. Re:FreeBSD and OpenBSD by ArbitraryConstant · · Score: 2, Insightful

      FreeBSD supports a bit more hardware, and usually sooner. Performance is no comparison (favors FreeBSD), neither is ease of use (favors OpenBSD).

      OpenBSD supports binary emulation of FreeBSD binaries, and I believe FreeBSD supports binary emulation of OpenBSD binaries. They should be almost completely source compatible. In practice you'll usually install something from ports and you won't care where it came from.

      OpenBSD is missing a lot, which is why it tends to get used for firewalls that operate transparently. I don't think it's suitable as a general purpose OS. It's my favorite OS, but it's not good at everything.

      FreeBSD is heading towards the ultimate webserver/workstation platform. OpenBSD is heading towards the ultimate router/firewall platform. In a lot of ways, these goals are mutually exclusive. They're both very well documented and easy to learn, so it's worth it to try them both out. I went from no experience to moderately skilled expert in about 4 hours on both of them, significantly less time than it took me for any Linux I've tried.

      --
      I rarely criticize things I don't care about.
  38. Looks like an excellent release! by ninjaz · · Score: 4, Informative

    I picked up OpenBSD with version 2.3 and started using it seriously with version 2.5. During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS to a compelling system with a wide range of complementary features.

    The ones that stand out for me are -

    Chrooting and dropping privileges for BIND by default (kept me feeling fairly safe through a few vulnerabilities, and without the extra work of maintaining my own bind built for chroot)

    Picking up ssh and releasing a good, free version

    Coming up with the nicest firewall I've used, taking it from nothing to ready for release within 6 months (That still amazes me!)

    spamd - After breaking 400 spam messages a day directed at my inbox, wiring Spamhaus SBL into the firewall and tarpitting a good portion of the traffic is a nice bonus. Noticing a week after setting that up that OpenBSD 3.5 has graylisting is a nice surprise.

    Propolice stack protection built into the OS and integrated for the long haul

    Now with CARP, I can feel comfortable getting all this in any environment - I think failover support really opens up a lot of possibilities for the future of OpenBSD.

    All in all, OpenBSD has all the attributes I like in an OS -

    regular 6 month releases (production quality doesn't have to mean stale),

    cohesiveness (no waiting for glibc to catch up to a new kernel feature, or vice-versa),

    a real commitment to free software (as demonstrated with OpenSSH, pf, and now CARP)

    really delivering - as opposed to various Linux security projects that I've seen integrated with mainstream distros, then apparently forgotten about or relegated to a special option marked with a warning label, OpenBSD is a real tested system.

    As a system, it can progress toward its goals through every aspect of the system (eg., the pervasive privilege separation), rather than a patchset to a mainstream distro, which has inherent lag time and may be working at cross-purposes to that distro or the numerous projects that make up the distro it's trying to secure. I've seen a few patchsets come and go over the years, too, while OpenBSD keeps adding to the foundation they've built.

    Thanks, OpenBSD team, for all the great releases... (and all the fish ;)

    Now I'm off to explore my new OpenBSD 3.5 system, where make build just finished. :-)

    1. Re:Looks like an excellent release! by evilviper · · Score: 2, Troll
      During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS

      I have to say, I think you've got it backwards. I was using OpenBSD back in the day myself, and from the first install, it was impressive. Unlike all the other OSes, any hardware you had installed would just work, with absolutely no user intervention (assuming it was supported). You could shut down, swap your soundcard with something completely different, reboot, and with no changes at all, your new soundcard would work.

      More than that, though, was the elegance of the whole system.

      On Linux you have a huge bundle of programs designed very differently, and thousands of configuration scripts all over the system.

      With FreeBSD, the situation isn't as complex and unintuitive as Linux, but there are still dozens of individual scripts you may need to edit for even a small configuration change... Programs in the base system don't always work consistently, or at all (I can't remember the last time 'cu' worked right).

      With OpenBSD, you have rc.conf, which is very simple to edit, and features 95% of the configuration you might want to change. The other 5% is in only a handful of other configuration files, so any system change is much simpler in OpenBSD than any other OS I've ever used. The programs all work very well, and consistently. Throughout the whole base system, the same variables work on all the different programs... Any command arg that does the same thing in different programs is almost always the exact same string for all of them.

      In my opinion, the best things about the system have been around from the beginning. The majority of the significant changes over the past 3 years have been added hardware support, more ported programs, and additional security. There have been a few significant changes, like the addition of PF, but significant changes like that one have been relatively uncommon over the past ~3 years.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  39. Re:Downloadable ISO? by roka · · Score: 3, Informative

    $ mkdir -p OpenBSD/3.5/i386
    $ cd OpenBSD/3.5/i386

    Then get the following files from a mirror:
    CKSUM
    MD5
    base35.tgz
    bsd
    bsd.rd
    bsd.rd-a.out
    cdrom35.fs
    comp35.tgz
    etc35.tgz
    game35.tgz
    man35.tgz
    misc35.tgz
    xbase35.tgz
    xfont35.tgz
    xserv35.tgz
    xshare35.tgz

    $ cd ..

    And optionally also fetch these files:

    ports.tar.gz
    src.tar.gz
    sys.tar.gz

    $ cd ..
    $ mkisofs -J -r -T -V "OpenBSD_3.5" -b 3.5/i386/cdrom35.fs -c boot.catalog -o ../OpenBSD-3.5.iso .

  40. live cd by Knights+who+say+'INT · · Score: 2, Interesting

    Hey, why don't you come up with a live-cd that can be installed to hard-drive with one command like Knoppix and that FreeBSD project?

    Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.

    Of course, I _could_ use better performance.

  41. We don't need no steenking moving parts by Dammital · · Score: 3, Interesting

    Build your OBSD firewall in a Soekris box. Low power, low noise, runs from a CF card (or boots via PXE). Some models accept power-over-ethernet. And Soekris directly supports FreeBSD, OpenBSD, NetBSD and Linux.

  42. Upgrade Mini-FAQ by Mysteray · · Score: 3, Informative
  43. Re:Downloadable ISO? by incabulos · · Score: 5, Informative

    There are unofficial ISO compilations of OpenBSD available if you want to search around for a bit. Or you could buy the official 3 CD pack and support the project that way.

    I think the easiest way to do an installation ( I ran 3.5 up on an old p-166 this evening ) is to download the arch-specific install files ( ie everything under /i386 for run of the mill x86 cpus ), and set them up on a local web or ftp server. 'dd' the boot floppy image to a spare disk ( floppy35.fs will suit 90% of cases ), boot up with this on the system, and simply follow the prompts for the ftp/http install. Or you could simply do a ftp install from a local OpenBSD mirror across the internet.

    For detailed info on the install, see the FAQ.

    The Errata page should be checked regularly too. Unlike the 3.4 release that had a number of bugfixes that needed to be applied as soon as it was officially released, 3.5 has no need for further patching at this point in time.

  44. Os with *ZERO* remote holes since longer ago.... by Junta · · Score: 2, Funny

    Their claim of one remote hole in the default install is lame, *I* run a platform that has *never* had a remote hole in its default install...DOS!

    --
    XML is like violence. If it doesn't solve the problem, use more.
  45. ... how about load balancing? CARP do that yet? by sudog · · Score: 2, Interesting

    I understand there's some kind of arpbalance program which allows two machines to answer to the same arp request, and by doing so the hope is that some clients will see one arp, and some clients the other;

    However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?

    For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend. :)

    Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.

  46. Re:Breaking backward compatibility? by Anonymous Coward · · Score: 2, Informative


    Does OpenBSD 3.5 break backward compatibility with all previous releases, like every other OpenBSD release does?

    That's utter bullshit. Read the upgrade mini-FAQ, FOLLOW IT and nothing should break. I've updated remote machines that I've never been within 2000 KM from and have never had a problem.

  47. Re:Breaking backward compatibility? by sudog · · Score: 2, Interesting

    I'm talking about 3rd party binaries, built to target a specific OpenBSD version, breaking when the next version of OpenBSD becomes available. I'm NOT talking about in-place binary upgrades of the system.

    NetBSD has Kernel options "COMPAT_16" or "COMPAT_15" so the kernel itself will support binaries which are targeted at older releases and thus can run software from (decades?) ago without much more than installing the older libraries it was linked against.

    OpenBSD, as I recall, has no such functionality to speak of. Or does it now?

    (English.. do you speak it?)

  48. Re:Ok., who has a free iso by nocomment · · Score: 3, Informative

    Since he doesn't allow direct downloads.... who has a torrent of the 'real thing'...

    Torrent, and Source torrent.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  49. It's called sarcasm by b00m3rang · · Score: 2, Insightful

    The parent (I meant to post as a reply to the existing reply) implied that they concede the fact that firewall rulesets with Linux and iptables are so unwieldy that a GUI interface is required, but still asserted that this is superior to pf which is easily manageable via a text session.

    I don't honestly believe you think I was advocating replacing an OpenBSD firewall with a Windows machine under any circumstances. Windows ISA Server is by far the worst firewall I've ever had the misfortune of deploying.