Slashdot Mirror


Which BSD for an Experienced Linux User?

Bruce C asks: "I'm a software developer with 28 years commercial experience. Although my day job is mostly on Windows software, I've been using SuSE Linux for 6 years at home. Before that I worked on HP/UX. I've no pressing plans to abandon Linux, but I am interested in experimenting with a BSD style operating system. My current motivation is largely curiosity. Of course, I might end up being converted, but that isn't my intention. I'm wondering which of the various *BSD systems would be the 'best' introduction for a person like me. The workstation I'm planning to use is a generic beige box: Celeron 1.2, 768Mb RAM, 120 Gb IDE, with about 80Gb free. It's on a LAN, behind a firewall. The live CDs for FreeBSD (FreeSBIE), DragonFlyBSD, and NetBSD all booted and started on it. I haven't tried an OpenBSD CDROM. Which BSD should I pick?"

8 of 290 comments

  1. FreeBSD by Anonymous Coward · · Score: 5, Informative

    Given that you know Linux, you'll find FreeBSD to be the best one to try. I would recommend the 5.x series if you're feeling ambitious, or the 4.x series if you don't want to put in too much effort. I say this because of my own past experience with Linux and BSD. Have fun.

  2. What do you want? by twilight30 · · Score: 5, Interesting

    A quick rule of thumb is generally ...

    OpenBSD for security, NetBSD for portability and FreeBSD for diffusion in the wider world (ie, comparable to Linux).

    I have no need for portability, and FreeBSD didn't appeal to me, so OpenBSD it was -- five years ago. I don't think you'll go wrong with any of them, though. If I did it again to experiment I'd probably try FreeBSD out this time.

    BSDs do generally have more thorough online and internal documentation than Linux for the core basics, so you won't miss with any of them.

    --
    ========================================
    Death will come, and will have your eyes
    -- Pavese
    1. Re:What do you want? by Cecil · · Score: 5, Informative

      I agree that he'll be fine whichever he chooses, but your statement that they are all more or less the same in terms of security is very wrong. OpenBSD is not the same as the other BSDs in terms of security. It really, really isn't. If you think so, you're naive. The entire development process revolves around security; code is audited, settings and defaults are carefully crafted. OpenBSD did not start simply because they wanted to include one piece of software and FreeBSD wanted to include another. The whole purpose of OpenBSD is to be the most secure OS on the planet.

      To suggest there is no difference is not only untrue, but vaguely insulting to the project.

    2. Re:What do you want? by molnarcs · · Score: 5, Insightful
      However, Apache isn't audited.

      Do you know what you are talking about? It seems more and more likely you don't. OpenBSD devs had a number of problems with the apache project. One was licensing issues, so they don't have apache2 included in the base system (you are still free to install it via ports). The other gripe was (and this is quite well known for it was publicized a few times even here on ./) that apache.org was slow/reluctant to include all the security fixes the openbsd project submitted - after auditing the code. The apache 1.3.x version is a security enhanced version of the normal 1.3-release.

      And that was just one example of your ignorance. Now, would you be so kind as to stop posting crap please? There is a difference between the security of say linux (or even FreeBSD) and OpenBSD. OpenBSD isn't completely secure, no one claims that. It is more secure by default even if you allow services. Not to mention the fact that pf eats iptables for breakfast (now also part of FreeBSD's base system).

    3. Re:What do you want? by Homology · · Score: 5, Insightful
      However, Apache isn't audited. DHCP isn't audited. The FTP server, I'm fairly sure isn't audited. Nothing they don't actually write themselves. If you install an OpenBSD machine on the internet and actually turn on services, you'll have just as many security problems as anyone running Linux. OpenSSH has its fair share of security problems (written by pretty much the same people who wrote OpenBSD). Although with privilege separation it should have even fewer problems that are actually exploitable to become root.

      Your entire post shows that you know very little about OpenBSD. Everything that is part of the base install is audited, and that includes programs like Apache httpd, BIND, Sendmail, DHCP and SSH. For the 3.6 release, the DHCP server and client underwent a major cleanup to improve security. In addition there are security enhancements as well (like privilege separation, chroot).

      While it probably has a more secure kernel, most exploits out there in the world involve exploiting a user process that is running as root.

      Very few daemons are running as root on OpenBSD. Most are running under their own unique, chrooted and privilege separated if possible.

      The OpenBSD team has done a lot to lessen the impact of exploits. Yes, even programs running on OpenBSD can be exploited, but there is a difference. An attempt to exploit a buffer overflow on OpenBSD is likely to just induce a crash, and thus not work.
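
The chroot-and-drop-privileges pattern these comments refer to, as an added example that is not part of the thread and is not OpenBSD's own code. The jail path and the uid/gid in `main` are assumed placeholder values, and the portable `setgid`/`setuid` calls are used for the drop.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to jail_dir and switch to an unprivileged uid/gid.
 * Returns 0 on success, -1 on any failure. On -1 the process may be in a
 * half-dropped state, so the caller must exit rather than continue. */
int drop_privileges(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                 /* refuse to "drop" to root */
    /* chroot() does not move the working directory; without chdir("/")
     * the process keeps a handle on a directory outside the jail. */
    if (chroot(jail_dir) != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: clear supplementary groups and set the gid while
     * still root, because after setuid() these calls are not permitted. */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)          /* as root: real, effective and saved uid */
        return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed values: an empty, root-owned directory and a dedicated
     * account that owns no files (both hypothetical). */
    if (drop_privileges("/var/empty", 32767, 32767) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Untrusted input is parsed only from here on; descriptors opened
     * before the drop (listening sockets, logs) remain usable. */
    printf("uid=%d gid=%d, confined to chroot\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run without root, the function returns -1 at the `chroot()` step, which is the failure a daemon should treat as fatal.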

  3. OpenBSD strengths. by far_star · · Score: 5, Informative

    Here are some reasons you should consider OpenBSD's strengths.

    Easy Install (and perhaps one of the quickest I've ever seen)
    Very Secure OS. (You might just find the OS all of your future servers run)
    Ports System. - Like other BSDs, the ports system is truly a marvel. Software installation could not be easier.
    Good license standpoint - OpenBSD has a rather purist stance on the licenses for software they ship. It might seem extreme at first, but there is some good reasoning behind it.
    Documentation - OpenBSD's official FAQ is very helpful and answered 99.9% of the questions I had as a beginner.

    --
    In an average living room there are 1,242 objects Vin Diesel could use to kill you, including the room itself.
    1. Re:OpenBSD strengths. by SuperBeaker · · Score: 5, Informative

      I would also add firewalls, routing, and packet queueing. I haven't found anything that compares with the power and ease of OpenBSD's pf firewall ruleset. It provides all of the features that you could possibly need in a firewall including stateful packet filtering, packet normalization, and packet shaping - all with an extremely easy-to-understand interface. For routing, you can support RIP, OSPF, and BGP. BGP is supported with the new OpenBGP server. I have a few OpenBSD boxes set up in my home lab that are linked with various Cisco routers running OSPF. But which one is actually cheaper . . . ? :) Finally, the OpenBSD dev team is militant on the security front. All servers are chrooted by default. Stuff just works out of the box securely. I can't tell you how easy and quick it is to set up a secure, chrooted web server with OpenBSD.

  4. Easy? Free*; Education? Open*; Experiment? Net* by QuietRiot · · Score: 5, Informative

    I'd suggest *starting* with OpenBSD (or NetBSD though I've got no personal experience myself) and later trying a FreeBSD install. If you've been on Linux for 6 years and have run HP/UX I'd have to say you're qualified to run one of the less candy coated BSDs to get yourself integrated into the "whole BSD 'thang." DragonFly will be cool (someday) but I can't suggest it for someone new to BSD. Same with Darwin.

    OpenBSD would be great to learn on as it will definitely push you into the documentation and get you used to some of the conventions used (slices v. partitions, startup scripts, etc.). I'd suggest you use an older or spare computer if you've got extra or can pick one up cheap. You could also just set aside space on those 80 gigs you've got. READ UP ON PARTITIONING, USE OF LARGE DRIVES, ETC. BEFORE YOU START ANYTHING!

    Once you get some OpenBSD under your belt, put a box in service at your network connection (right behind your cable/DSL connection?) and learn to set up pf (packet filter - built in). Experiment with AltQ and get yourself a good firewall/NAT in place (junk the Linksys). Not too much trouble and the docs at OpenBSD - pf are quite good. Here you could experiment with adding a web server or MTA (if you don't have tons of boxen to keep your "real" services in some kind of dedicated DMZ). My home OpenBSD box forwards BitTorrent, Freenet, VNC and SSH to a variety of machines in my house. I also prioritize packets in the following order: 1st to tcp_ack_out, Vonage telephone, ssh_interactive, everything else, freenet, and finally ssh_bulk. Keeps my phone line crisp and prevents freenet from destroying my ssh sessions' latency. You can do this with other products but I've had a good time (and have learned quite a bit) constructing my /etc/pf.conf file. (Yes. I've got a life otherwise :)

    Then build yourself a FreeBSD box. This should be cake. 5.x should install without a problem for you and you've got access to all the ports you could ever imagine. Your experience with OpenBSD will help you understand some of the differences you'll encounter. Makes a great desktop. OpenBSD will work fine as a desktop machine but I've never done it. Same for NetBSD I suppose. Give it a whirl. I'm sure you'll learn a ton and be quite happy with whatever you decide.

    Don't short yourself on learning OpenBSD. It is awesome, security aware and has some wonderful features (need encrypted swap case the feds might knock down your door at any minute? check.). It may just serve all your needs and knowing it is surely going to be useful to either yourself or others in the future. Use it for utility and the ability to sleep at night with your data behind it. (still better go with RSA keys on sshd though). Check out http://undeadly.org/

    Don't short yourself either on checking out FreeBSD. I moved from Linux to "the beast" some 5 years ago and haven't looked back since. The 4.10 machine I use everyday has been up 168 days as of today. I had to shut down the machine previous to that due to a scheduled power outage. It sits fully exposed on an unprotected IP and runs user apps, a web server and mail. Not a single problem in years. FreeBSD has certainly served me (and some clients of mine) well.

    If you're a system developer or like playing with things at the driver level or experimenting with new code, new systems or want to put your toaster on the network, don't deny yourself a NetBSD 2.x install. Wonderful features at the leading edge. Very capable and I hope to get some more experience with it myself one day.

    Learn OpenBSD. You won't regret it.