OpenBSD's PF Developers Interview
An anonymous reader writes "ONLamp.com has published a very long interview with six OpenBSD PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dhartmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@).
Start reading from the first half and continue with the second part."
Aside from the fact that Netcraft said that all these people are dead, there is one thing that bugs me about this interview.
Just like BSD, it's all done in parallel!
2 Unices, too!
pf.conf is cryptic? The manpage and demo files in
Trolling is a art,
> dead or dying OSes
Presumably that was a joke. Otherwise you must be pretty damn ignorant.
I'd rather read the second half first, then the first half can be like a prequel.
I don't try to be right, I just try to make people think
Could you at least try finding it out yourself?
PF is the Packet Filter in OpenBSD, kind of similar to iptables/ipchains in Linux.
Packet filtering, you might think that would be mentioned in the summary... or the article. But then it wouldn't be Slashdot.
Ahh but this is a BSD article so the slashdot effect doesn't apply; the only people here will be people that actually care, and people who just want to flame about BSD dying. So the people in the first group (all 6 of them) actually will rtfa!
One of the cooler things about PF is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server, you can specifically deny Windows from connecting with a simple PF rule.
It's great for VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have an OpenBSD computer (or at least spoof one).
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I've read the same thread myself, but I don't think Theo's temper is a problem for OpenBSD.
Quite the contrary, actually.
He has a project that's rock solid, and he doesn't want forks polluting OpenBSD's good reputation.
I don't see why that's a problem. After all, OpenBSD is _his_ baby, and it's his call what to do with it.
I'd probably do the same if I were in Theo's shoes.
I actually read the article, and although I can't tell you too much about what it means, I can tell you that these guys sound damn smart. I mean DAMN smart.
Hmm. Do you think that Ryan is a clean room implementation of Darl, or has another serious breach of SCO's intellectual property taken place?
If I were Ryan, I'd take to the hills before David Boies slaps him with a five billion dollar lawsuit
Yeah, it is his 'baby', but it is released under an open license, so why SHOULDN'T I be able to fork OpenBSD if I want? If Theo wants an unforkable OS, he shouldn't have started by forking NetBSD in the first place!
Sure, go ahead! That's what the MirBSD people did after all...
It's 11pm, do you know what your daemons are up to?
I tend to agree. After the first sentence I was lost, so they are either damn smart, or did a great job of (cue: Jon Lovitz) acttt-tinggg in the interview.
I did like that os filtering idea.
Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)
- mritunjai
I would really like to see a comparison between all of these packet filters with strengths and weaknesses, and maybe an example of the filter scripts used for a few common scenarios.
Also, maybe add in some ebtables+iptables stuff as well.
Nothing more offtopic than responding to a line in the topic.
I don't try to be right, I just try to make people think
Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)
In most cases, the fork should be named "BrokenBSD" by default.
I'm sorry; I apologise for my comment. I just get irritated when people say bad things about OpenBSD.
BSD is not dying!
pf has been available in ports for quite a while. Although it only works on the 5.x branch, I'm running it as my firewall on an old 166 MHz Pentium.
Personally, I find FreeBSD easier to deal with, but that's just me.
Damn, it's raining again!
I think you forgot the third group - random strangers (probably it's only me)
authpf allows you to authenticate remote users, and change the firewall rules. And it's all done by ssh'ing in with authpf as the user's shell.
Useful if you want to hide services from the outside world (except for selected users), but you don't want the complexity of ssh tunnels/vpn. (ie: I want to give some people access to my ftp server but hide it from the rest of the world, and not give them vpn access to the whole network)
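The two PF ideas raised in this thread, the "only let OpenBSD hosts reach SSH" rule from the earlier comment and the authpf setup for hiding an FTP server from everyone except authenticated users described here, fit in one small pf.conf. This is an added example, not from the article, the interview, or any poster; the interface name em0, the address 192.0.2.10 and the choice of ports are assumptions, and the rules are written against the current pf.conf(5) and authpf(8) syntax.

```pf
# --- /etc/pf.conf (added example; em0 and 192.0.2.10 are assumed values) ---
ext_if  = "em0"
ftp_srv = "192.0.2.10"      # constructed address of the FTP server to hide

# OS-fingerprint filtering for SSH. The "os" keyword matches the passive
# fingerprints in /etc/pf.os against the TCP SYN of a new connection; see
# the available names with: pfctl -s osfp
# It inspects only SYN characteristics (TTL, window size, options, ...),
# so a host that spoofs another OS's SYN profile gets through. Treat it as
# an extra hurdle that cuts down noise, not as authentication.
# Without "quick", the last matching rule wins, so the block is listed first.
block in on $ext_if proto tcp to ($ext_if) port 22
pass  in on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port 22

# authpf: per-user rules are loaded into this anchor while the user's SSH
# session is open and removed again when it ends. Users who should get
# access have /usr/sbin/authpf as their login shell; logging in with ssh
# is what triggers the rule load.
anchor "authpf/*"

# The FTP server is unreachable by default. Only rules loaded through the
# authpf anchor (below) open it, and only for the authenticated user's IP.
block in on $ext_if proto tcp to $ftp_srv port 21

# --- /etc/authpf/authpf.rules (loaded by authpf for each logged-in user) ---
# Macros from pf.conf are not visible here, so ext_if and ftp_srv are
# repeated. $user_ip is set by authpf to the address the user connected
# from, so the opening is tied to that one host for the life of the session.
ext_if  = "em0"
ftp_srv = "192.0.2.10"
pass in on $ext_if proto tcp from $user_ip to $ftp_srv port 21
```

Check the ruleset before loading it with `pfctl -nf /etc/pf.conf`, and while an authpf user is logged in, `pfctl -a "authpf/*" -sr` shows which per-user rules are active. The OS rule only applies to TCP, since the fingerprint lives in the SYN; UDP or ICMP traffic is unaffected by it and needs its own rules.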
I use Macs to up my productivity, so up yours Microsoft!
See the man-pages.
In Soviet Washington the swamp drains you.
Isn't not liking a project because of the license it's under a `nerd politic'?
-If God wanted people to be better than me, he would have made them that way.
Spreading technology, not ideology...
Each time some BSD code is incorporated in a proprietary product the world is likely a better place. You don't want everyone and his dog coding an IP stack; if that were the case, it would not be some unpatched Windows boxes that would be used as attack launch points, it would be everything from your fridge to your car...
BTW, the license does not discourage anything, it just does not make it mandatory. Common sense makes contributing back a good thing, as maintaining a fork is likely more expensive than contributing back your valuable intellectual property would cost you.
Don't you people understand... It is not possible for Netcraft to gather any statistical data on how many BSD machines are being used, simply because no one is *forced* to make their machine identify as a BSD machine! Quote from http://mirbsd.bsdadvocacy.org/?bsd-intro: "There are some, even large, companies that use BSD as routers, firewalls and even servers, without people noticing. That is a reason why no one can give current usage statistics for BSD, because no one is forced to say he is using BSD at all, or in which number." Drawing conclusions from statistical data without proper knowledge of the subject is Bad Practice.
You never explicitly stated that you disliked it, although you could hardly call a comment like "why would you use something like bsd when you can find all the goodstuff in superior products without all the silly egos and nerd politics." friendly.
You disliking it was strongly implied, and then supported by you calling it a failure right now.
Of course, you believe that it is the `weak' license that made it a `failure', but you clearly do not understand the goals of project.
The goals of the BSD projects include making software that will be usable. Usable in any sense. If a commercial company incorporates 70% of OpenBSD into a project, it wouldn't change OpenBSD any. Since it doesn't change OpenBSD, you couldn't really consider it a failing point of the OS. Good code is now in wider circulation. This is one of the BSD goals. Now to call a project a failure because it is meeting a goal that you don't agree with, that is, I believe, a `nerd politic'.
I personally don't care if code gets contributed back. They aren't after World Domination. They just want something that you apparently do not understand: universally better software. I use Microsoft software, and I appreciate every bit of BSD code that has been incorporated into it.
Anyway, I question on what grounds you actually deem it to be a failure. It is still developed, it still has a userbase. One that is, in fact, growing, despite the whining of all the trolls. I use it because I find it incredibly useful. Why do I use it instead of Linux? The question of the day for the trolls. Why would I use Linux instead of FreeBSD? You can answer that question for me if you want. I probably won't pay attention because I've looked at most of the Free Open Source OS's myself, did my research, and picked a winner. You banging on the table calling it a failure does not make it one.
-If God wanted people to be better than me, he would have made them that way.
Heh, this is Slashdot. Answer troll replies with troll replies too.
...until pf is ported to run on XP?
Why was my post modded to troll?
It was a compliment to OpenBSD. If you mess with it, you'll probably break it. Hence, some crackpot trying to branch his own BSD release should name it 'BrokenBSD'.