Slashdot Mirror


OpenBSD's PF Developers Interview

An anonymous reader writes "ONLamp.com has published a very long interview with six of OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dhartmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."

9 of 110 comments

  1. Re:So the world wants to know... by Anonymous Coward · · Score: 1, Interesting

    Packet filtering, you might think that would be mentioned in the summary... or the article. But then it wouldn't be Slashdot.

  2. PF can Filter By OS by zulux · · Score: 5, Interesting

    One of the cooler things 'bout PF is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server, you can specifically deny Windows from connecting with a simple PF rule.

    It's great for VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have an OpenBSD computer (or at least spoof one).

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    1. Re:PF can Filter By OS by Anonymous Coward · · Score: 1, Interesting

      The OS fingerprinting really has limited usefulness, because it's so easy to fool it.

      Block external Windows clients? But I'm behind an OpenBSD firewall running pf myself, so connections from my Windows machine will look like OpenBSD. (synproxy ;)

      And what happens when Longhorn starts using a TCP/IP stack indistinguishable from OpenBSD? (not that that's likely...)

      What are the chances of someone attacking (let alone successfully) an OpenBSD machine from Windows anyway? More likely they're on Linux or something else and have the ability to spoof any OS they want.

      You can't rely on it at all, and the rest of OpenBSD is secure enough that you don't really have to.

      I suppose you can use OS fingerprinting to enforce internal policy ("no Windows machines on our network"), since you really need 2 machines to evade that, but that's kinda silly.

  3. Re:OpenBSD problems by Anonymous Coward · · Score: 5, Interesting

    I've read the same thread myself, but I don't think Theo's temper is a problem for OpenBSD.
    Quite the contrary, actually.

    He has a project that's rock solid, and he doesn't want forks polluting OpenBSD's good reputation.
    I don't see why that's a problem. After all, OpenBSD is _his_ baby, and it's his call what to do with it.
    I'd probably do the same if I were in Theo's shoes.

  4. Wow by 222 · · Score: 1, Interesting

    I actually read the article, and although I can't tell you too much about what it means, I can tell you that these guys sound damn smart. I mean DAMN smart.

    1. Re:Wow by 0racle · · Score: 5, Interesting

      I personally have a lot of respect for the OpenBSD team, and the pf developers in particular. Some time in the next week I'll be replacing my little Linksys with an OpenBSD pf firewall, and when I sat down to write the rules for it, it was amazing and appreciated how simple it is to write the rules, and that they're understandable at the same time. Comparing it to iptables that I saw once, the ease of writing the pf rules would have been enough for me to switch over. They also have that reputation; that's not bad either.

      --
      "I use a Mac because I'm just better than you are."

  5. Re:OpenBSD problems by burns210 · · Score: 2, Interesting

    Yea, it is his 'baby', but it is released under an open license, so why SHOULDN'T I be able to fork OpenBSD if I want? If Theo wants an unforkable OS, he shouldn't have started by forking NetBSD in the first place!

  6. Re:OpenBSD problems by CherniyVolk · · Score: 1, Interesting

    Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)

    In most cases, the fork should be named "BrokenBSD" by default.

  7. Re:pf vs ipf vs ipfw vs iptables by jimi1283 · · Score: 2, Interesting

    I can tell you, pf/ipf syntax is so easy when compared to iptables. And pf takes ipf even further by adding shortcuts to common tasks. For example, rather than setting up block rules to stop spoofing, you just do "antispoof for interface" and you're done :)

    I love OpenBSD for firewall/vpn duties... now if they'd just hurry the hell up and implement NAT-T for isakmpd I'd be a happy camper...
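The OS-fingerprint rule described in comment 2 and the antispoof shortcut from comment 7, written out as a pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread; the interface name em0 and the VPN peer addresses are assumptions, and the reply to comment 2 explains why the os match is only a defence-in-depth filter.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# Assumptions: external interface is em0; SSH and IPsec (isakmpd) are
# the only services exposed on it; /etc/pf.os supplies the fingerprints.
ext_if = "em0"

set skip on lo

# Comment 7's shortcut: one line replaces the hand-written block rules
# for packets arriving on $ext_if that carry a source address from
# $ext_if's own network (the classic spoofing case).
antispoof quick for $ext_if

# Default deny inbound on the external interface; log it for review.
block in log on $ext_if

# Comment 2's idea: only accept SSH from hosts whose TCP SYN matches the
# OpenBSD fingerprint class. pf inspects the SYN only, and the reply to
# comment 2 notes it is easy to fool (or masked by an upstream synproxy),
# so this filters noise; SSH keys still do the authentication.
pass in on $ext_if proto tcp from any os OpenBSD to ($ext_if) port ssh

# The VPN case from comment 2: os matching is TCP-only, so for isakmpd
# (UDP 500) and ESP there is no fingerprint to test. Restrict those by
# peer address instead; anything else hits the block rule above.
vpn_peers = "{ 192.0.2.10, 192.0.2.11 }"   # constructed addresses
pass in on $ext_if proto udp from $vpn_peers to ($ext_if) port isakmp
pass in on $ext_if proto esp from $vpn_peers to ($ext_if)

# Let the firewall itself initiate connections outbound.
pass out on $ext_if keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; an `os` match on anything other than `proto tcp` is rejected at parse time, which is the quickest way to notice the TCP-only limitation.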