Slashdot Mirror


OpenBSD's PF Developers Interview

An anonymous reader writes "ONLamp.com has published a very long interview with 6 of OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dharmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."

13 of 110 comments

  1. Interview... BSD style by Anonymous Coward · · Score: 5, Funny

    Aside from the fact that Netcraft said that all these people are dead, there is one thing that bugs me about this interview.

    Just like BSD, it's all done in parallel!

  2. Re:Did they ask them... by grub · · Score: 5, Informative


    pf.conf is cryptic? The manpage and demo files in /usr/share/pf are pretty handy. If you want cryptic shit, try using a Cisco PIX. I maintain 4 of them at work and they suck donkey-wang compared to PF & carp.

    --
    Trolling is a art,
  3. Re:So the world wants to know... by Anonymous Coward · · Score: 4, Informative

    Could you at least try finding it out yourself?
    PF is the Packet Filter in OpenBSD, kind of similar to iptables/ipchains in Linux.

  4. PF can Filter By OS by zulux · · Score: 5, Interesting

    One of the coolest things 'bout PF is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server - you can specifically deny Windows from connecting with a simple PF rule.

    It's great for VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have an OpenBSD computer (or at least spoof one).

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
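
The OS-based filtering described in comment 4, as an added pf.conf example that is not part of the original thread. The interface name `em0` is an assumption, and the `os` labels must match entries in `/etc/pf.os` (list them with `pfctl -s osfp`).

```pf
# /etc/pf.conf -- added example, not from the thread.
ext_if = "em0"                 # assumption: external interface name

set block-policy drop
set skip on lo

# Default deny inbound, logged to pflog so rejected SYNs can be reviewed
# with: tcpdump -n -e -ttt -i pflog0
block in log on $ext_if all

# Passive OS fingerprinting inspects only the initial TCP SYN, so the
# "os" keyword is meaningful on TCP rules that match connection setup.
# Variant A (allow-list): accept SSH only when the SYN matches an
# OpenBSD signature from /etc/pf.os.
pass in on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port ssh

# Variant B (deny-list, the rule the comment describes): drop SSH from
# anything fingerprinted as Windows. Redundant when variant A and the
# default block are in place; shown for comparison. "quick" stops rule
# evaluation so a later pass rule cannot override it.
block in log quick on $ext_if proto tcp from any os "Windows" to ($ext_if) port ssh

# A fingerprint is derived from header fields the sender controls, so
# this narrows exposure but does not replace SSH key authentication.
pass out on $ext_if all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.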

  5. Re:OpenBSD problems by Anonymous Coward · · Score: 5, Interesting

    I've read the same thread myself, but I don't think Theo's temper is a problem for OpenBSD.
    Quite the contrary, actually.

    He has a project that's rock solid, and he doesn't want forks polluting OpenBSD's good reputation.
    I don't see why that's a problem. After all, OpenBSD is _his_ baby, and it's his call what to do with it.
    I'd probably do the same if I were in Theo's shoes.

  6. Re:Wow by Moloch666 · · Score: 4, Insightful

    We are probably the only 2 people that read this article. I'm with you though. I'm currently running all Gentoo switched from some use of FreeBSD. I'm seriously considering switching my firewall box to OpenBSD, the features sound awesome.

    --
    Understanding is a three-edged sword. -- Kosh Naranek
  7. Re:Wow by 0racle · · Score: 5, Interesting

    I personally have a lot of respect for the OpenBSD team, and the pf developers in particular, some time in the next week I'll be replacing my little Linksys with an OpenBSD pf firewall, and when I sat down to write the rules for it, it was amazing and appreciated how simple it is to write the rules, and that they're understandable at the same time. Comparing it to iptables that I saw once, the ease of writing the pf rules would have been enough for me to switch over. They also have that reputation that's not bad either.

    --
    "I use a Mac because I'm just better than you are."
  8. Re:pf vs ipf vs ipfw vs iptables by Homology · · Score: 4, Informative

    I would really like to see a comparison between all of these packet filters with strength and weaknesses and maybe an example of the filter scripts used for a few common scenarios.

    For an example of setting up firewall for home or small office, have a look at the excellent PF User Guide.

    Tired of sucky download performance when you max your upload on your ADSL connection? Well, PF solves that with packet queueing and prioritization.

  9. pf also available for FreeBSD by FlightTest · · Score: 5, Informative

    pf has been available in ports for quite a while. Although it only works on the 5.x branch, I'm running it as my firewall on an old 166mhz Pentium.

    Personally, I find FreeBSD easier to deal with, but that's just me.

    --
    Merde, il pleut encore!
  10. AuthPF is neat too by myov · · Score: 4, Informative

    authpf allows you to authenticate remote users, and change the firewall rules. And it's all done by ssh'ing in with authpf as the user's shell.

    Useful if you want to hide services from the outside world (except for selected users), but you don't want the complexity of ssh tunnels/vpn. (ie: I want to give some people access to my ftp server but hide it from the rest of the world, and not give them vpn access to the whole network)

    --
    I use Macs to up my productivity, so up yours Microsoft!
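
A minimal authpf setup for the use case in comment 10, added here and not part of the original thread. The interface `em0`, the server address `192.0.2.10` and the choice of FTP control port only are assumptions; the syntax is that of current OpenBSD pf.

```pf
# ---- /etc/pf.conf (main ruleset) -- added example ----
ext_if  = "em0"                # assumption: external interface name

set skip on lo
block in log on $ext_if all

# SSH must stay reachable: logging in over SSH is what triggers authpf.
pass in on $ext_if proto tcp to ($ext_if) port ssh

# Per-session rules are loaded by authpf under this anchor, one
# sub-anchor per authenticated user, and removed when the SSH
# session ends.
anchor "authpf/*"

pass out on $ext_if all

# ---- /etc/authpf/authpf.rules (loaded per login) ----
# Macros from pf.conf are not visible here, so they are repeated.
# authpf itself defines $user_ip (the client's source address) and
# $user_id (the login name).
ext_if  = "em0"
ftp_srv = "192.0.2.10"         # assumption: documentation-range address

# Open only the one service, only to the authenticated address.
# Only the FTP control channel is shown; the passive data port range
# depends on the FTP server's configuration.
pass in quick on $ext_if proto tcp from $user_ip to $ftp_srv port 21

# ---- host setup, for reference ----
# The account's login shell is /usr/sbin/authpf, so the user gets
# no command shell on the firewall.
# /etc/authpf/authpf.conf must exist (it may be empty) or authpf
# refuses to run.
```

Active sessions can be reviewed with `pfctl -a 'authpf/*' -sr`, which lists the rules loaded under each user's sub-anchor.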
  11. Dissemination is the goal by ^BR · · Score: 4, Informative

    Spreading technology, not ideology...

    Each time some BSD code is incorporated in a proprietary product the world is likely a better place, you don't want everyone and his dog coding an IP stack, if it was the case it would not be some unpatched windows boxes that would be used as attack launch points, they would be everything from your fridge to your car...

    BTW the license does not discourage anything, it just does not make it mandatory. Common sense makes contributing back a good thing, as maintaining a fork is likely more expensive than contributing back your valuable intellectual property would cost you.

  12. Re:pf vs ipf vs ipfw vs iptables by Anonymous Coward · · Score: 4, Insightful

    I second that about altq, I have torrents, web browsing and streaming audio all going on my crappy cable modem (upstream sucks) and the day I set up the queueing it was like putting in a second broadband connection that didn't stall or drop out. Highly recommended.

  13. It's impossible to create reliable BSD statistics! by trons · · Score: 5, Informative

    Don't you people understand... It is not possible for Netcraft to gather any statistical data on how many BSD machines are being used, simply because no one is *forced* to make their machine identify as a BSD machine! Quote from : "There are some, even large, companies that use BSD as routers, firewalls and even servers, without people noticing. That is a reason why no one can give current usage statistics for BSD, because no one is forced to say he is using BSD at all, or in which number." http://mirbsd.bsdadvocacy.org/?bsd-intro Drawing conclusions from statistical data without proper knowledge on the subject is Bad Practice.