Bug Busters! OpenBSD 5.1 Released

An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page. "

7000 Ports?

Will one of those 7000 ports run on my dishwasher?

Re:7000 Ports?

[nurb432]

They might if you chose NetBSD instead.

Re:7000 Ports?

[mirix]

OpenBSD ports are a set of makefiles that will build packages, not OS 'ports' like you are thinking.

Re:7000 Ports?

Then this is the site for you

Re:7000 Ports?

[X0563511]

Since he said "run" I would think he knew that. One doesn't "run" a network socket.

Re:7000 Ports?

[Shaiku]

Neither one of them were talking about network socket "ports." The first thought "port" as in "port the OS to another architecture." The second tried to explain that in *BSDspeak, "port" doesn't mean port the OS, it means port a 3rd party software to the BSD build system. This involves applying BSD specific patches to build and install according to BSD-specific paths etc. You can also build the source into a redistributable binary "package."

Re:7000 Ports?

[X0563511]

I know what a port in BSD is, thanks. So does the original poster. Mirix didn't think so, and I pointed out why it should be obvious to one who knows the difference.

Re:7000 Ports?

GP was implying that there are 7000 hardware ports, hence why it would run on his dishwasher.

Re:7000 Ports?

[X0563511]

No, GP was implying that his dishwasher was a rare architecture that most if not all of the 7000 available ports would not run on.

Open BSD confirms it

[future+assassin]

Netcaft is dead....

Re:Open BSD confirms it

[HyperQuantum]

That must be in Soviet Russia...

YAY!

[nurb432]

I think..

Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?

Re:YAY!

[Frank+T.+Lofaro+Jr.]

Honestly is OBSD relevant any more

No.

Re:YAY!

OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.

Re:YAY!

I think..

Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?

I could say the same thing about every other OS. You're weird man.

Re:YAY!

[101percent]

Given that OpenSSH alone is the most used FOSS program, and there is virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.

Re:YAY!

[nurb432]

you misunderstood the use of the term 'grand scheme'. It was not that OBSD had one, but the rest of the world has one, and wasn't sure if OBSD fits in there anymore.

It was relevant in the beginning but now, it doesn't seem like it so much.

Re:YAY!

[gman003]

In the Grand Scheme of Things? No.

But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.

So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.

Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.

Re:YAY!

Can you name another OS that's as secure as OpenBSD is? They did finally after a decade find a security hole in the base install. But, how many other OSes can claim that, even if you just limit it to more than a year?

It's still very much relevant to anybody that really cares about security. Other systems can be hardened, but they don't have a similar track record.

Re:YAY!

[pipatron]

What has changed since the beginning that made OpenBSD less relevant?

Re:YAY!

[tck42]

As a network appliance type device at least I'd say it's still very relevant. I still prefer configuring / maintaining pf over iptables (or any other competitor I've tried) for any non-trivial ruleset, the documentation is IMO much better than most of the other stuff out there, it's relatively secure and relatively stable, and the performance and compatibility with older hardware has been great (in my experience). I use it for my gateway device and have never had any problems. I briefly used Linux for the same task and found myself spending more time messing with it. I could easily see it replacing all sorts of expensive commercial solutions at my workplace but managers like commercial vendors. It's just well put together and does what it's built for quite well. I think there's room for all sorts of stuff in the "grand scheme", not just shiny and popular stuff.

Re:YAY!

[mirix]

This is true, but the base install is pretty limited, so it's hard to compare, really.

(I think it's been three holes since the dawn of OpenBSD, by the way).

That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.

Oh, and the documentation is a work of art compared to linux. That's a really nice feature.

Re:YAY!

The news is certainly relevant to me, as I'm a FreeBSD user with a number of production servers hosting services to various corporate clients and I like to read about these bug fixes as OpenBSD bug fixes cross pollinate with FreeBSD bug fixes.

Re:YAY!

everything else.

Re:YAY!

Makes a better router than linux or windows....

Re:YAY!

[teknopurge]

it's probably the most relevant OSS OS project out there. How many other projects have cultivated as much new software? Hell, most of the new shit in the Linux Kernel came from OpenBSD....

Re:YAY!

Yeah, totally agree that OpenBSD is relevant today. I would even say OpenBSD is becoming more relevant today than it has been in the past, as we will receive more backdoors in open source projects that rely on binary distribution methods. I really hope OpenBSD sticks around, since it is the only truly stable open source distribution. I have used it since 2.6 and have always enjoyed the no-bullshit approach to having reliability and security together. The OpenBSD doesn't make the poor decisions that are so common in Linux distributions (the plymouth OS process on Ubuntu is a good example of common Linux stupidity). Also, OpenBSD doesn't have the hardware pressure of NetBSD, nor the feature pressure of FreeBSD, so they can focus on security and reliability. OpenBSD is relevant to those of us that require a quality operating system.

Re:YAY!

[Nutria]

most of the new shit in the Linux Kernel came from OpenBSD....

That requires documentation.

Re:YAY!

[Just+Some+Guy]

This is true, but the base install is pretty limited, so it's hard to compare, really.

That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.

That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:

$ ps ax
PID TT STAT TIME COMMAND
1 ?? Ss 0:00.01 /sbin/init
21888 ?? Is 0:00.00 syslogd: [priv] (syslogd)
11594 ?? I 0:00.01 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
18652 ?? Is 0:00.00 pflogd: [priv] (pflogd)
16925 ?? S 0:00.01 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
4551 ?? Is 0:00.00 ntpd: [priv] (ntpd)
12960 ?? S 0:00.01 ntpd: ntp engine (ntpd)
15118 ?? I 0:00.00 ntpd: dns engine (ntpd)
8253 ?? Is 0:00.00 /usr/sbin/sshd
32235 ?? Ss 0:00.01 sendmail: accepting connections (sendmail)
1749 ?? Ss 0:00.00 /usr/sbin/cron
23675 ?? Is 0:00.05 sshd: kirk [priv] (sshd)
25682 ?? S 0:00.04 sshd: kirk@ttyp0 (sshd)
17102 p0 Ss 0:00.19 -zsh (zsh)
17713 p0 R+ 0:00.00 ps -ax
8581 C0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
4910 C1 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
25709 C2 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
12308 C3 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
19809 C5 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5

So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.

Here's the list of open sockets that an external user can connect to:

tcp 0 0 127.0.0.1.587 star.star LISTEN
tcp 0 0 127.0.0.1.25 star.star LISTEN
tcp 0 0 *.22 star.star LISTEN

So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.

It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!

Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.

Re:YAY!

[Just+Some+Guy]

I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

Re:YAY!

[LurkerXXX]

Yeah, I mean what good do they do except for all that silly security stuff, like providing us with SSH and stuff.

Re:YAY!

[identity0]

>Theo just has lost patience for people

fixed.

Re:YAY!

Don't get sucked in by the trolling of the Linux folks. Most of them haven't realized there's more Kool-Aid than just Apple's.

Re:YAY!

[LurkerXXX]

sigh, posted as plain text and lost the snark.

Re:YAY!

[Clarious]

The base install is limited, they did a great job auditing the code. But the moment you install something from the port, if that software contains bug, then OpenBSD is no more secure than Linux running that software. Or even worse, as OpenBSD refuses to have some kind of MAC implemented, Linux has SELinux/AppArmor/Tomoyo while FreeBSD has TrustedBSD. While those aren't silver bullet to every problem, they help in limiting the damage caused when your potential unsecure software gets compromised.

Re:YAY!

> Theo just has lost patience *with* people.

Properly fixed, i.e. not in nigger speak.

Re:YAY!

[TheRaven64]

OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.

The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.

Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain

It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.

Re:YAY!

[serviscope_minor]

Theo just has lost patience for people

That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for him.

I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.

It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

Re:YAY!

[GioMac]

Is that a joke?
Nobody cares about base install.
In this case we care about updates, immediate patches, commercial support and strong, quality community and commercial background with experience.

At first, *BSD market is too small to have this on appropriate level.
At second. What do you call "security"? Patching holes? No no no. Security is a hard thing;
* it's about hardening too
* it's about writing policies
* it's about having consistent directory structure
* it's about easy and ensured, certified audit
* it's about ease of maintenance
* it's about consistency checking
* it's about access limiting
* it's about support from various vendors etc.
* It's about enterprise integration

*BSD lacks that. I see no future in here for production corporate environment.

I'm not yet talking about possibilities of other operating system and software suite, I'm just telling that BSD is even worse than Windows in here.

When I hear "*BSD is secure operating system" or "*BSD is a good thing" (c), I don't hear any other arguments. Please prove.

Re:YAY!

[rvw]

It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

This is my experience as well. When I ask a question online, I always try as many solutions as I can think of before asking. And I mention those attempts as well, so people see that I'm serious and take the time for it. Doing this I have solved many problems myself before it came to an online post...

Re:YAY!

[1s44c]

I care about the base install. It's all you need to make a highly secure firewall. I want as little as possible running on my firewalls.

PF is actually easier to setup and maintain complex sets of rules than iptables is. I know there isn't much you can't do with iptables but pf makes most of it way easier. Plus the iptables concept of a forward chain really is a bad thing.

You claim *BSD lacks all kinds of things but most of these look like big company process things that could be applied to the BSD's in just the same way they are applied to windows. Access limiting for example.. Well were do you think openssh came from?

OpenBSD works fine in my 'production corporate environment' thanks.

Re:YAY!

[1s44c]

I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

s/sonicwall/pfsense/ and I did the same. It worked great.

I don't get why anyone wants stuff like pfsense. If people can't understand pf's easy syntax they can't really understand the network traffic it's manipulating.

Re:YAY!

That's basically as many processes as my stock debian install (if you don't choose every package like an idiot) and then install a mail gateway. Why not talk about their approach to security instead? Most of us don't run the latest Fedora Core on our mail servers, so we don't have 200 processes running either.

Re:YAY!

[MikeBabcock]

Its limited scope is precisely why its relevant.

Ferraris have a more limited scope than OpenBSD but nobody counts them out. OpenBSD is very good at what it does and very useful to those who use it.

Re:YAY!

Speaking of updating? How does one install patches on OpenBSD? Is there a tool like apt-get or yum that gets the new patches?

Re:YAY!

[GioMac]

In fact, you will never get SECURE firewall, especially HIGHLY SECURE if you don't follow updates. This is a fact.

Also, tell me when did you saw firewall security related bugs last time. On *BSD, or on Linux.

Compensate control (access limiting) doesn't do anything good, it's not the security, it's a workaround to do something that is enough for some time.
Compensate control only applies to internal personnel.

OpenBSD cannot pass audit even in my preproduction corporate environment, because we just won't pay a 100000$/year to hire coders and make it comparable to Linux features every time we need it.

It does not matter where openssh came from, it matters where distribution/software suite comes from and how is it maintained. In my case I have no problem, while both community and enterprise vendor (RH) are providing instant updates - one in the form of version updates, which may include features and possibly bugs and configuration-changes (harder to track, not enterprise), and in the form of release updates/patches, with only security and other important bug fixes with less possibility of do something bad in my infrastructure.

Regarding what is better PF or iptables - both are fine for me - I can manage both. If I need a firewall that is easy to manage via GUI - there are hundreds of interfaces.
iptables is not complex, you just have to read a short manual. There is nothing wrong, nothing hard. Really.

And forward chain concept in iptables is the "pedantic" and correct way, it's flexible and can do maany interesting things that will come to you in larger environment (ex. NAT load balancer). If you want to have BSD firewall at home, just forget about it, I don't believe you need it and it's worth of it.

iptables is effective, functional and proven solution, I see no reason to not to use it.

So, where openssh came from? That's not an answer, that's a troll. Major part of OSS software you use inthere is maintained not by *BSD guys and by Linux service/distro vendor companies. Fact.

Another fact: openssh guys are mad men, they are like separatists, stating about users:
"This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests)."

In fact, there is no good way to contribute to openssh.

Openssh is just a remote access thing for me. I can use IPSec with telnet.

Re:YAY!

[Just+Some+Guy]

And I mention those attempts as well, so people see that I'm serious and take the time for it.

That can't be over-emphasized: if you're stuck, tell what you've already tried. Not only does it save everyone else the time of suggesting something you've ruled out, but it demonstrates intent. It says, "I'm coming to you as a last resort after trying the self-help options, not as my first step because I don't value your time."

Re:YAY!

This used to be impressive.

A RHEL6.2 / Centos 6.2 minimal install (pick minimal instead of default when choosing software) has less listening ports. (It doesn't listen on 587 by default),
RHEL6.2 has 1 extra default process, but if you are using RHN Classic you can stop two of those, so centos has 1 less process.

Re:YAY!

[1s44c]

You are claiming that either there are no updates for OpenBSD or they are too hard to apply? Read the OpenBSD website, they have errata for each release.

You think the IPtables forward chain make more sense than having comming and outgoing rules for each interface!? You don't get how firewalls work.

You use GUI's to configure a firewall!? You really don't get how firewalls work and should not be allowed anywhere near them.

IPSec with telnet? If you are trying to say that's better than OpenSSH?

Your sentence structure makes your post really hard to read.

You are either trolling me or you are a prime example of why security in big companies is one large bag of fail. I've worked with 'security' departments before that understood nothing but their arbitary rulebook and you do sound pretty much like them.

Re:YAY!

[smash]

marketing

Re:YAY!

[smash]

That requires documentation.

That's a linux epidemic...

Over 7000 ports

[pathological+liar]

... unless you don't feel like putting X on a server, in which case building from ports is unsupported and sometimes obviously broken.

Re:Over 7000 ports

[e9th]

There was a brief time, four or five years ago, when something (expat maybe?) was mistakenly placed in xbase, so you had to install the xbase set for a whole bunch of ports/packages. That situation didn't last. And even then, you didn't have to run X.

Re:over 7000 ports

[JustOK]

just use port 4000 twice. It's all binary.

Re:over 7000 ports

[machine321]

No, the ports are chmod 7000. They're setuid, setgid, and sticky.

Re:over 7000 ports

[stderr_dk]

just use port 4000 twice. It's all binary.

4000 ain't binary. It's at least base 5.

Re:over 7000 ports

what's binary for "whooosh"?

Re:over 7000 ports

[CrashandDie]

1110111 1101000 1101111 1101111 1110011 1101000,

or 011101110110100001101111011011110111001101101000, depending on how you take your coffee. Mine's with milk.

Re:Over 7000 ports

[jawtheshark]

Depends. I was playing around wth rrdtool on OpenBSD 5.0 and there was a library it required in xbase. I just extracted it and put it where needed, but it sure was a pain.

Re:over 7000 ports

[jones_supa]

The parent had three of letter 'o' there, so you're missing one.

over 7000 ports

What if someone needs to use port 8000?

Who ya gonna call?

[Billly+Gates]

Bug busters!

Thank you, Soulskill

[oldhack]

You know, you can write a robust, rumbunstious, attention-grabbing headline without being a deceiptful troll-weasel (cough sanzem-something), like soulskill has done here.

Only 7000?

Only 7000 ports? But NetBSD has OVER NINE THOUSAAAAAAAAAAAAAND!

Re:Only 7000?

Nine is bigger than seven.

Re:Only 7000?

Only 7000 ports? But NetBSD has OVER NINE THOUSAAAAAAAAAAAAAND!

Wow, and openbsd has only half the number of developers.... what an achievment.

Re:Only 7000?

[JustOK]

depends on the font

Re:Only 7000?

[knuthin]

7 eats 9.

LSD can help you imagine how broken OpenBSD really

http://wideopenbsd.org/

Obligatory

[ChunderDownunder]

Seven of Nine

Human-readable changelog

[Nimey]

Anyone got a human-readable changelog with highlights? The linked one is a dump of everything that's changed.

Re:Human-readable changelog

[dolmant_php]

The first link in the story is the human-readable changelog.

Re:Human-readable changelog

[Nimey]

You are right.

I can only say that this is /. and one does not simply RTFA.

This one goes to 65535...

Pfffttt... Only 7000 ports?

The OS I'm using has 65536 ports.

Re:This one goes to 65535...

[Just+Some+Guy]

The OS I'm using has 65536 ports.

And if you're running Windows, there's a good chance they're all in use.

Re:This one goes to 65535...

[Hillgiant]

NetBSD? Is that you?

Where is the P2P distribution?

So many people (apologists?) use downloading different distributions of *nix operating systems as justification for P2P applications.

How come OpenBSD isn't using P2P (BitTorrent specifically) to help spread the wealth? I understand they're affiliated with many Universities and hence "free bandwidth", but honestly it's 2012 now.

Why no torrent?..

Re:Where is the P2P distribution?

The full install CD is only 240MB, which is probably related.

Security...

[QuietLagoon]

I use OpenBSD as one of the layers that protect me from the evils that lurk on the Internet. OpenBSD works quite well as my firewall and router and ntp time server and DHCP server and DNS server and....

.

An awesome periphery and utility server OS.

relevance is overrated

[epine]

Why does no one ask about the relevance of the porn industry? OpenSSH was the biggest thing since Debbie does Dallas. Few have more than that to their credit.

Bearded fellow: Let he who is without sin throw the the first stone.
Crazed villager [inspecting charismatic sinner]: Theo, is that you?
Crazed villager's wife: Who does this bearded guy think he is?

Here's the thing about security. If you have to ask about relevance, you can't handle the truth.

contributions to other apps and OS

[br0ked]

I would like to see the number of contributions from OpenBSD that are currently in other applications and/or other operating systems as compared to other *nix....

Choices of s/w & IPv6 support

[unixisc]

I had a look at it, and found some things interesting.

Under highlights, it mentions that it supports GNOME 3.2.1 (fallback mode), but for KDE, it supports 3.5.10. For GNOME, this is the first time I have seen any BSD support GNOME3 - in fact, there was some discussion in the past about how GNOME3 wouldn't run on BSDs due to systemd being a requirement. The other interesting aspect of this is that it goes for the latest, much publicly disparaged version of GNOME, but for KDE, which is much improved, it's @ 3.5. They could have either gone for KDE4.8, or if they didn't like that, they could have ditched KDE altogether and gone w/ Trinity.

The other thing I noticed throughout the notes was improvements in support for IPv6, such as fragment handling, but what I haven't figured out is how mature is OpenBSD's IPv6 support compared to FreeBSD? FBSD is currently second to none when it comes to IPv6 support (I'm not sure how it compares to Windows 7, which has been innovative for IPv6 on its own, w/o relying on the BSD layer 3 stack as it did for IPv4), but I was curious about OBSD. If someone wanted to create an IPv6 firewall cum router w/ OBSD as the management OS, does the OS have whatever it needs for this purpose?

On a separate note, I did find it interesting that they include software that's now GPL3 - such as Emacs, GCC, Libre Office, among others. In the case of the compiler, they didn't offer LLVM/Clang, and nor do they seem to prefer BSD software to others - for instance, Apache is the web server that they offer, and not Nginx. In short, I found their choices of default software pretty interesting, given all the recent discussions regarding GPL3 vs BSDL and so on.

Re:Choices of s/w & IPv6 support

they dont include the gpl3 versions of the software you mentioned . also the ipv6 support is great.

Re:Choices of s/w & IPv6 support

Nothing you say makes sense. FreeBSD's IPv6 support is second to none only if you exclude OpenBSD.

They still have Apache because OpenBSD is extremely conservative. They forked Apache 1.3 over a decade ago and notwithstanding Apache's rough edges, has been rock solid (many of the recent Apache 1.3.x security issues were fixed or mitigated in OpenBSD's fork long ago). Nginx is in trunk already but OpenBSD is reticent to switch over until they're convinced it's worth the risk.

Likewise with Sendmail. They have their own MTA in the pipeline but are extremely conservative about switching over. They forked sendmail long ago.

This conservatism means two things: security vulnerabilities are exceedingly rare (newer code is always riskier), and system administration is a breeze. Very little changes from one release to the next. Administering OpenBSD is almost exactly the same today as it was 10 years ago, the biggest change being the addition of /etc/rc.d a coupe of cycles ago. The easier administration means the more likely one can keep a tight ship.

One thing OpenBSD is not conservative about is documentation, standards support, and the networking stack. All of these things are under constant development, but OpenBSDs philosophy is incremental improvement, which means you rarely see announcements about huge features. Features are completed gradually and more-or-less silently rolled out as a finished product.

Re:Choices of s/w & IPv6 support

[mfwitten]

I do not think the word 'reticent' means what you think it means.

Re:Choices of s/w & IPv6 support

[spirat]

The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html
I also remember them coming to misc and inform the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Package are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

OpenBSD's IPv6 stack is one of the most mature stack. I bet its code is already somewhere else (free license => not wasting engineering efforts). You might want to read about Packet Filter if your especially interested in tunning/handling IPv6 traffic.

Apache is actually an old version of apache, before the license sucked, and it underwent a lot of changes. Don't compare it to nginx. You can get it in the ports/package sysem if your not happy with the shipped apache.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

Re:Choices of s/w & IPv6 support

[the_B0fh]

umm, there was a recent report that compared ipv6 stacks of a bunch of OSes, and OpenBSD (5.0) came out #1 in terms of compliance to standards. Stands to reason, since these guys sticklers for doing things right.

IPv6 support

[unixisc]

How is OBSD's IPv6 support superior to FBSD, which is what your first statement above seems to suggest? I've checked their site - for instance, their Networking FAQ, and there is nothing there that suggests that OBSD has embraced IPv6 and supports it in a big way. There is no mention of any DHCP6 support, even though they have a major section on DHCP support, and in all the examples that they provide, they use only IPv4 examples, implying that equivalent IPv6 support either doesn't exist, or at best, is nowhere near as ready. Except in the section that describes ifconfig, there is nothing that suggests that IPv6 is even supported, if one goes by just this section of the FAQ.

I agree that their improvements would be incremental, but for your claim that it exceeds that of FBSD, I'd need to see that 5.1 supports everything about IPv6 that FBSD9 supports - and more. At least going through their above documentation, nothing seems to suggest that this support is there. Only thing about FBSD - some of its derivatives, like pFsense, which is purely an FBSD firewall and router, does not support IPv6, despite FBSD supporting it. Which is a real disappointment.

Re:IPv6 support

[HonIsCool]

I have run OpenBSD as my firewall since forever, and have since set up a tunnel to give my LAN IPv6 connectivity. There has been absolutely no problem with IPv6 at all in OpenBSD[*]. Every application I've messed with, from packet filter to tunneling to DHCP to nameserver supports it. Granted my usage is probably very limited still, but my impression is that IPv6 is supported pretty much everywhere that IPv4 is. I can't say how this compares with FreeBSD though, because my experience with it is restricted to a brief laptop install circa 1998 (although, I was briefly considering installing it on a desktop machine this weekend actually!)

[*] Well, actually, one of the remote holes in the default install actually was in the IPv6 implementation, but that was before I set up my tunnel fortunately!

Re:IPv6 support

Are you on crack? The BSDs have been supporting IPv6 for over 10 years and were the first to support it. This might be hard to understand for Linux weenies. It's not advertised as much because it's a given.

Re:IPv6 support

Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."

http://www.netbsd.org/docs/network/ipv6/

So there.

Re:IPv6 support

[unixisc]

I pretty much cited what seemed to be a shortcoming of OBSD as far as IPv6 support goes - you really need to read the provided links, which are right from their home site FAQ. IPv6 itself hasn't been around for 10 years - the protocol has been constantly undergoing modifications, so if I'm on crack, you're on meth. FBSD support for IPv6 started w/ the KAME project, and in FBSD9, IPv6-only options have been added for the first time. Nor is IPv6 there on all BSDs - check out pFsense, which is an FBSD based firewall cum router, and it supports only IPv4, not IPv6. That's despite FBSD supporting IPv6 for a while now! Oh, and another point - nowhere did I say a thing about Linux - that was not even there in this conversation.

So be more specific, instead of just a handwaving exercise. Does OBSD include a DHCP6 package, the same way they include DHCP4? Note that DHCP and DHCP6 are completely different, so just b'cos OBSD has a built-in DHCP4 client and server does not imply that it supports DHCP6 the same way. Same question regarding the firewalls - does pF include IPv6 filters? Do IPv6 versions of IPv4 routing protocols, such as RIPng, or OSPF6, or EIGPR6, get supported here? Or is all that currently a work in progress, targeted for some future release of OBSD?

Note: NetBSD is completely different, and not what my question was about in the first place. It says squat about the current state of IPv6 support in OBSD.

Re:IPv6 support

[unixisc]

Tunnelling IPv6 over IPv4, if that's what you meant, doesn't imply IPv6 support, which was my basic question. Here, one would simply be encapsulating IPv6 packets in IPv4 and running them over the network. That's pretty much the status quo, and could be done anyway - an OS doesn't need to have any IPv6 support to enable that.

I was asking whether one could set up an IPv6 network using an OBSD gateway acting as a router and firewall. Imagine that the external network (think Comcast or HE) was IPv6 as well, and imagine that this network, for the sake of this discussion, was using only IPv6 addresses, and various scopes of addresses, be it global unicast, local-link, site-unique and so on.

I read up a bit on pF, and seems like it can process filtering rules for IPv6, unless I'm mistaken. My question, which I posted to the AC below, was whether OBSD has a DHCP6 client the same way it has a DHCP client, whether it supports IPv6 versions of the supported IPv4 routing protocols, and so on. In other words, if somebody was setting up an IPv6 based network and wanted to use OBSD, w/ its famed security, as the gateway, does OBSD have all the IPv6 support to do that w/o any fallback to IPv4?

Re:IPv6 support

[HonIsCool]

OpenBSD does include a DHCP6 package (or maybe it's in ports, I honestly don't remember, but anyway, it works). PF does support IPv6 filters, exactly the same as IPv4 as far as I can discern. As for routing protocols, I have no experience with them, but OpenBGPD does appear to support IPv6.

Re:IPv6 support

[HonIsCool]

What I meant was that I set up an IPv6 over IPv4 tunnel on my openbsd box which then acts as a IPv6 router for my LAN. IPv6 packets are routed to and subjected to the OpenBSD firewall just like IPv4 packets. I also have DHCPv6-server running to deal with computers on the LAN getting proper IPv6 addresses. In other words, my setup sounds pretty similar to what you are asking about. If my ISP offered native IPv6, that would actually simplify things as it would mean one less step as I wouldn't need the tunnel anymore.

Re:IPv6 support

[unixisc]

Sorry, I did a search throughout the site, and found nothing to suggest that there is any DHCP6 client or server included the way there is for DHCP4. But you're right about pF - the packet filters do seem to be supported.

Re:IPv6 support

[unixisc]

Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."

http://www.netbsd.org/docs/network/ipv6/

So there.

Okay, checked out that page. Seems to be more of a history lesson on IPv6 support in NetBSD. One key thing I noticed - all the BSDs, be it FreeBSD or NetBSD seem to prefer the autoconfiguration as far as IP addresses go, and typically don't support DHCP6. So anyone who has issues w/ EUI-64 is SOL. They mention that routers can't be autoconfigured, and that nodes should not be manually configured. But this is one of the reasons that DHCP6 is more important in IPv6 than DHCP4 was in IPv4.

Re:IPv6 support

WTF is pF? Is this some I'm-a-unique-snowflake bullshit where you invent some spelling that has no relation to reality?

It's called PF, moron.

Re:IPv6 support

[unixisc]

You're right hon, I somehow had the pFsense spelling in my mind, and wrote it as pF. It's nice that you could catch that, since you could not answer any of my other questions about IPv6 support, which doesn't seem to be evident from reading the site itself.

Re:IPv6 support

[unixisc]

Ok, thanks, that does make this clearer. Did the DHCP6 server come as a part of the package - reading the OBSD website, there is nothing there to suggest that it is included. Or did you get it separately from elsewhere?

Re:IPv6 support

[HonIsCool]

I think a DHCP6 client/server might not be included on the same level as DHCP4, but there absolutely is an option to install a working one, since I'm indeed using it. A quick scan shows the "wide-dhcp6" in packages, but I'm not quite sure if this is the one. I can check later when I get home if you want?

Re:IPv6 support

[ifrag]

Note: NetBSD is completely different, and not what my question was about in the first place. It says squat about the current state of IPv6 support in OBSD.

OpenBSD was originally a fork of NetBSD. However, possibly too long ago to be directly relevant to the topic here.

Re:IPv6 support

[Bengie]

I wonder how OBSD would compare to FBSD for firewall throughput using 10Gb interfaces and a 6 core Xeon.

Re:IPv6 support

[HonIsCool]

It appears the FreeBSD packet filter is actually a port of OpenBSD's PF. If nothing's changed, OpenBSD's PF is single-threaded, so if all the box is going to do is to filter packets, more cores won't improve things. I don't know if FreeBSD have threaded their port, or otherwise made performance improvements.

Re:IPv6 support

[AbrasiveCat]

I have used OpenBSD running IPv6 through pf. Same rule seem to apply, but I am not sure that NAT works with IPv6. Don't know, haven't tried DHCP6. I think OpenBSD imported the same KAME IPv6 as Free and about the same time. The packages being able to support IPv6 have trailed.

Re:IPv6 support

[unixisc]

Thanks. Doing a search for wide-dhcpv6 on the OpenBSD page, it takes one to a page where one can download that software. Okay, so they do have it. Maybe they should update the documentation of their networking section to describe how they also support IPv6, or else, who'd know?

Re:IPv6 support

[unixisc]

Oh, NAT doesn't work w/ IPv6 - if one follows any discussions on IPv6 here on /., one would see that. The only time NAT is involved in IPv6 is when it comes to translating addresses b/w IPv6 and IPv4. For some OBSD activities, such as load balancing, one would have to do those things w/o NAT, since it's not there in IPv6.

Re:IPv6 support

[HonIsCool]

Packages are not part of the base system, so it's not so strange that the documentation doesn't refer to the wide-dhcpv6. I have checked now and it was indeed wide I was using. But I have actually disabled it now and using ipv6 autoconf instead.

Re:IPv6 support

[the_B0fh]

Kame was well supported on OpenBSD. That Japanese guy was the only guy with write permissions into the kernel source code for a large number of OSes from linux to darwin to all the *BSDs.

Re:IPv6 support

[unixisc]

Packages are not part of the base system, so it's not so strange that the documentation doesn't refer to the wide-dhcpv6. I have checked now and it was indeed wide I was using. But I have actually disabled it now and using ipv6 autoconf instead.

That brings to mind another question. In the BSDs - particularly FreeBSD - a particular autoconfiguration mode, called EUI-64 is used, which uses the MAC address of the ethernet card as a part of the IPv6 address. Does OBSD do this as well? For an OS so focussed on security, it would seem odd if it did, since normally, one's MAC address does not go outside the network and gets translated at the switch, but here, it would go as a part of an EUI-64 created address and be subject to any scanning that could pick it up.

Re:IPv6 support

[Bengie]

I think the EUI-64 address is not meant to be routed on the internet, but to be used as a local "static" IP are MAC address are supposed to collide. It can/does happen though.

Either way, IPv6 is really meant to have many IP address per machine. Use DHCP/static for servers as you need to know their IP address anyway for DNS reasons.

Re:IPv6 support

[AbrasiveCat]

Oh, NAT doesn't work w/ IPv6 - if one follows any discussions on IPv6 here on /., one would see that. The only time NAT is involved in IPv6 is when it comes to translating addresses b/w IPv6 and IPv4. For some OBSD activities, such as load balancing, one would have to do those things w/o NAT, since it's not there in IPv6.

I don't know that NAT doesn't/can't work with IPv6. As I remember there was no NAT for IPv4 when I started messing with it either. I expect that someone will or has created a NAT for IPv6. They will claim security if nothing else(, or they will create it because they can. Long live the spirit of the Internet.)

Re:IPv6 support

[AbrasiveCat]

Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."

http://www.netbsd.org/docs/network/ipv6/

So there.

Okay, checked out that page. Seems to be more of a history lesson on IPv6 support in NetBSD. One key thing I noticed - all the BSDs, be it FreeBSD or NetBSD seem to prefer the autoconfiguration as far as IP addresses go, and typically don't support DHCP6. So anyone who has issues w/ EUI-64 is SOL. They mention that routers can't be autoconfigured, and that nodes should not be manually configured. But this is one of the reasons that DHCP6 is more important in IPv6 than DHCP4 was in IPv4.

I went back to check, KAME seems to have been imported into the kernel and released at 2.7, which was back in 2000. Not long behind NetBSD. http://www.openbsd.org/plus27.html

Re:IPv6 support

[unixisc]

IIRC, EUI-64 is used to assign the interface ID to global unicast addresses - I'm not sure whether they're also used for either link-local or site-unique addresses. For the latter 2, there wouldn't be a problem, but for the first, any rogue scanners out there would simply have to look for certain patterns within an address to figure out the MAC address.

I agree that DHCP6 is the way to go for IPv6 address assignment. For IPv4, since there were only a handful of addresses depending on the subnetting done, a manual assignment was fine, and a DHCP4 worked well if dynamic addresses and address pooling was needed. But in IPv6, given that devices can have multiple addresses, DHCP6 is the right address management tool for the job.

Re:IPv6 support

[unixisc]

Unless the IETF folds and acquiesces to having a NAT66, such creations are not likely to be recognized by the overwhelming majority of routers, firewalls and OSs that build in support for IPv6. This has been an unending debate, though, so they may well have it just to eliminate that bit of resistance.

How well does it run on VMs?

[billstewart]

Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm mainly interested in using the firewall bits and IPSEC tunnels, and maybe also the http servers for things that need security more than they need flashy content management.

Re:How well does it run on VMs?

[jawtheshark]

It should work. Do remember that it's not paravirtualized. While not VMWare, I've run it in VirtualBox sessions. If VirtualBox can do it, so should VMWare.

Partitioning scheme: Not more complicated than on the bare metal.

ISO: You can do that, but you'll have to create the ISO yourself (which isn't hard - they might even provide downloadables these day... I wouldn't know, you'll see why), or you just buy the official CD (recommended version). Me? I don't bother with CD's anymore. Just use the PXE-boot (netboot) method and be done with it.

VMWare tools: What VMWare tools? I'm pretty sure, there aren't any... You don't need them. You're not going to run X on it anyway, are you? Once you have ssh running, you probably never will use the console again. Besides, I'm sure VMWare can handle serial-port connections. My OpenBSD box doesn't even have a graphics card. RS232 is enough.

Re:How well does it run on VMs?

[ifrag]

OpenBSD work on top of VMware?

In my experience (not very recently) it wouldn't run at all. I think it hung somewhere around disk probing, and I tried all the options that made sense to try to fix it. However for the same old version of VMware, and corresponding old OS versions, I had no issues with FreeBSD or NetBSD.

So maybe OBSD will run virtualized, but if not _some_ version of BSD will probably work. I think the reality is the OBSD developers probably don't really give a damn if it does run virtualized. I've also run into problems on OBSD with real physical disks / controllers as well, so it could just be they've emulated a piece of hardware that didn't work in the first place.

Re:How well does it run on VMs?

[1s44c]

It works fine however if you run this stuff under vmware you are destroying the security advantage that OpenBSD gives you.

I'm not running everything under vmware anyway. I have a few production servers under KVM but most of it is on bare metal.

Re:How well does it run on VMs?

Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm mainly interested in using the firewall bits and IPSEC tunnels, and maybe also the http servers for things that need security more than they need flashy content management.

I have VMware ESXi 4.1 installed with 2 Gentoo VMs (each running 32- and 64-bit) and OpenBSD 5.0 x86 on a six-core home server. I allocated about 10GB for the system and I have 2 NICs attached to it, one that's connected to the Comcast modem and another to the LAN. I am using OpenBSD strictly as a firewall that replaced my Linksys router+wireless AP and it works great overall but I am having some issues trying to fix my brother's xbox live connection reporting NAT type as strict. I haven't dedicated more time to the pf policies to troubleshoot it but no problems with internet browsing, downloading, etc.

Re:How well does it run on VMs?

[Nikademus]

It works fine on vmware, but it seems some other virtualization software don't work as well. It puts much strain on the virtualization.
You can install the full base OS in under 4 minutes like I did here https://www.youtube.com/watch?v=28ujY4vlz4c

Re:How well does it run on VMs?

[X0563511]

Those VM tools allow the management system to do things like tell the guest operating system to reboot or shutdown cleanly, and provide an interface for the host to read back what the guest believes is free memory etc.

While not mandatory, they can be damn useful.

Re:How well does it run on VMs?

[X0563511]

You must be thinking of the 'desktop' vmware offerings.

Re:How well does it run on VMs?

[smash]

there's a port for freebsd at least, open-vm-tools - that does most of the vmware tool stuff with open-source code. should be available for openbsd too i would suspect?

Re:How well does it run on VMs?

[X0563511]

Last I had to play with it ('cause something moved and broke stuff in... i think 2.6.32?) there was a lot of kernel-specific stuff in those open-vm-tools. Porting that away from Linux would be quite a chore!

No idea if someone's done it. If so, kudos to them!

Quality Control with Balls!

...the base install is pretty limited...

The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.

That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?

DEs and software

[unixisc]

The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html I also remember them coming to misc and inform the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

This was said to be true about GNOME3, where it was rumored that one linux daemon systemd was required - but OBSD seems to support GNOME3 in fallback mode. The fallback mode support for GNOME3 seems to be due to the requirement that in GNOME3, the GNOME shell requires 3D accelaration to work, as it requires graphics composition. That brings into focus the fact that most graphics cards don't include open source drivers, and while that's not a roadblock for FBSD, it does seem to be more of one for OBSD. On the FSF side of things, some of the FSF endorsed Linux distros, like Trisquel, had the same issue, and they too defaulted w/ this fallback mode GNOME option.

Was this ever a problem in KDE4? While KDE4 had initial problems due to Qt4 being unready at the time, KDE4.8, as it stands today, is reasonably mature. KDE5 and beyond will support Wayland in addition to X, but OBSD needn't go that route if it doesn't want to. At any rate, does KDE4.8, like GNOME3, require 3D accelaration to get going? I've never heard of KDE having such a requirement.

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Package are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

Okay, why does this page seem to suggest that Emacs and Libre Office are included? Very strange!

OpenBSD's IPv6 stack is one of the most mature stack. I bet its code is already somewhere else (free license => not wasting engineering efforts). You might want to read about Packet Filter if your especially interested in tunning/handling IPv6 traffic.

Apache is actually an old version of apache, before the license sucked, and it underwent a lot of changes. Don't compare it to nginx. You can get it in the ports/package sysem if your not happy with the shipped apache.

I listed my questions about IPv6 support above, under the discussion I renamed 'IPv6 support'.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

It doesn't use the normal BSD license like other BSDs?

Re:DEs and software

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Package are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

Okay, why does this page seem to suggest that Emacs and Libre Office are included? Very strange!

They are available as convenient packages but not included in base.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

It doesn't use the normal BSD license like other BSDs?

New code in OpenBSD receives an ISC-like (don't ask) license, which is similar to the BSD license in spirit.

Re:DEs and software

Nice troll.

Okay, why does this page seem to suggest that Emacs and Libre Office are included? Very strange!

So you understand, they are included as in the sentence "iPhone includes Angry Birds".

It doesn't use the normal BSD license like other BSDs?

Other BSDs use it too. It removes unnecessary terms from the classic BSD license. OpenBSD uses a version the FSF doesn't aprove of as it could be interpreted by very obtuse lawyers to mean you can't distribute unmodified copies, which would be inconvenient the next time a GPL project lifts ISC code.

Most used FOSS program

Given that OpenSSH alone is the most used FOSS program,

I doubt OpenSSH is WITHOUT qualifications the most used FOSS program. We can safely assume that OpenSSH doesn't exist in most Windows installations. So the primary market for OpenSSH should be *n*x users. And among Unix/Linux users, Apache is probably installed in more systems. There are also probably more total Linux kernel installs if we count embedded systems.

I don't know though if OpenSSH makes the grade as the most used "end-user" FOSS.

About diabetes

About diabetes - causes (low blood sugar, glucose, insulin levels), Symptoms of diabetes in women, risks, diagnosis, types (type 1, type 2) and Treatment of diabetes , Medicine , diet, exercise, and other lifestyle changes.
http://publichealthsystem.blogspot.in/2012/04/diabetic-issues-causes-signs-and.html