OpenBSD 5.2 Released
An anonymous reader writes "OpenBSD 5.2 has been released and is available for download. One of the most significant changes in this release is the replacement of the user-level uthreads by kernel-level rthreads, allowing multithreaded programs to utilize multiple CPUs/cores."
Yeah, Netcraft confirms it is dying, yadda, yadda, yadda, etc... Linus said they were masturbating monkeys, the 1990s called, and they want their rthreads back, etc... etc...
Seriously, folks, if you haven't tried OpenBSD before, give it a spin, you might like it. Sure, it ain't no penguin, but that nice pointy fish is stable, solid, secure and quite a nice little beast to work with. I have had nothing but good experiences with that OS.
Just my US$ 0.02.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Users are the worst security threat around.
http://michaelsmith.id.au
Everyone can learn from that real world-class asshole... he totally dissed a friend of mine in a semi-professional environment, and I figure that a man *that* amazingly, butt-clenchingly unprofessional is just not worth the time of day. To hell with them.
Well, guess that makes me number four. I use an old SGI O2 for light www duty. It's a small, secure OS that comes with a bare minimum of bloat. What's not to like about that? I don't care what attitude Theo has, I've never met him. To the average person on the street, RMS speaking would resemble a crazy homeless person.
Only the State obtains its revenue by coercion. - Murray Rothbard
Outside of homeless I am pretty sure most people would consider RMS crazy, most zealots are.
Get your PostgreSQL here: http://www.commandprompt.com/
I used to use it a lot.
it doesn't have much going for it, in the scheme of modern unix-like operating systems.. it's a bit of an underdog. it doesn't have fancy high-performance schedulers, its io layer is slow.. it's missing drivers for lots of commodity hardware, some of them because of principles.. theo is an asshole sometimes, with his constant 'I'm always right and you're always an idiot' thing.. but..
for one, the documentation is beautiful. whoever maintains the documentation should get a medal. there are few typos, everything has a man page, and every man page has EXAMPLES and is easy to understand. better than any other operating system out there. and that's a big plus: if you try any linux distribution and find an unfamiliar file in /etc, you have a 50/50 shot of it being documented properly. with openbsd, it's guaranteed.
because their entire mission is based on thorough auditing, they make sure their code is very well documented and easy to understand. that's a big bonus too. modifying and developing on openbsd, as a platform, is a very nice experience.
openssh is a very beautifully written piece of software. it's nice to use, and it's nice to read the source code. when is the last time it gave you any problems? openbsd is an entire operating system written with the same standards.
give it a try if you haven't, it won't hurt you.. virtual machines don't cost anything..
If Theo hadn't systematically pissed off everyone in large corporations that he's come in contact with, they might have written some drivers.
Linus is pragmatic, manages a team of experts well, and so the corporations are happy to work with him.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
RMS is amazingly useful that way.
Standing next to him, all sorts of people look sane. Get enough like-minded people together, Open Source might even start to seem (gasp!) normal.
I believe that the flow of digital information will shape the human landscape as powerfully and inexorably as water carves continents.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
NetBSD people are not famous for pissing anyone off, but that did not cause manufacturers to write drivers for them.
True. The difference is that if a NetBSD developer emailed me to ask about using RdRand in the kernel (A thing I would know about) I would happily enter into a technical discussion and help them out. If Theo emailed, I would have to refer the email to the lawyers.
Have you looked at the power usage of that thing recently? It's a 15 year old system that has less processing power than my cellphone & probably draws a few hundred watts with minimal power saving features. It's probably costing you $10-15/month to run that beast - how long would it take for a modern, low-power ARM or Atom box to pay itself off?
my sig's at the bottom of the page.
Who the hell cares about how Theo treats other people?
Did Steve Jobs piss people off? Did he not treat other people like shit on numerous occasions?
Yet people still lust after Apple products.
You buy/use the product for the sake of the product.
I can set up my OpenBSD server and forget about it for a year, with almost a guarantee that it hasn't been hacked.
That's why I use OpenBSD.
And if Theo is an asshole then Steve Jobs was a much bigger one.
There are two replies to this:
1) OpenBSD supports tons of hardware. Click on one of the supported platforms. First you'll notice is OpenBSD runs on more than x86. Second, click through. You have to work hard to find a class of hardware that doesn't have some support. Most mainstream hardware is supported with many vendors to select from. When you do find missing hardware it's due to the point 2 below.
2) There may be some truth to the claim that Theo has pissed-off some vendors but it plays a small part. A more significant reason there aren't tons of corporate drivers for OpenBSD is the OpenBSD community won't accept any undocumented code (settings that use magic numbers), binary blobs (other than micro code or firmware) and won't sign NDAs to get the info. For code to go in the base it also has to be licensed under a BSD or ISC license.[1]
Many vendors want us to buy their hardware and trust their giant binary blob won't crash our systems. That's their call. Refusing to buy their hardware is ours.
Because of Theo's and the developer's stand against binary blobs OpenBSD base is one of the freest OSs you'll find. If that means a few missing drivers then so be it. Our systems run fine without them.
[1] The only GPL licensed code in base I can think of is gcc.
Question...as someone who has never made a *BSD firewall, what makes it better to go that way as opposed to buying a Sonicwall or Cisco? What features are worth the extra expense required to use a computer as a firewall, VS just using a prebuilt ARM one?
As someone who has never homebuilt a firewall I'm curious, is it just because you want to save some old hardware? I've got an old Sempron I use as a nettop so I know that feeling,but is there more to it than that?
ACs don't waste your time replying, your posts are never seen by me.
I'd equate it to the difference between being a Windows Admin, and a Unix Admin... The two are worlds apart.
First off, PF syntax is heaven compared to all else. Linux's IPTables syntax is an utter nightmare. Cisco's NAT and ACL syntax is ugly, very limited, so abstracted in syntax and terminology from what it's really doing that it can be impossible to understand without a book of Cisco's own reference material, etc. Juniper's Netscreens are even worse. If anyone tells you otherwise, start asking a few questions about setting up multi-homed internet service, multicast routing, or trying to determine whether/why a certain connection is being rejected by that 2,000-line ACL rule-set (or failing somewhere else). And this black-box isn't an issue of amateurs who just don't read enough... There really aren't any publications detailing more complex use-cases, and I've exchanged many words with Cisco support managers after multiple level-2 technicians put in explicit writing that some specific multihoming scenarios were NOT POSSIBLE on their gear, only to try it out and find it does, in fact, work exactly as it should.
This isn't something you're likely to hear network admins complain about, because using something better like OpenBSD is never an option they've had, and they know they MUST learn the insane ways of Cisco, to be able to support routers, switches, etc., anyhow.
PF's syntax for ACLs and NAT is dead simple, and as flexible as it can get. What's more, you edit it locally, with your choice of text editor, can syntax check it with a short command, and atomically apply it with all changes (no down-time at all). You've also got unlimited options for commenting it as you choose, making backups, generating it from some dynamic system, including dynamic lists of IPs in a rule that are added/removed by, say, a mail server tracking spammers, or having entire rulesets that are applied only when someone SSHes in to the box, to allow specific services or whatever you want. These are things that network admins DO bemoan on a continual basis... Some network software won't let you insert ACL rules above others (line editing), instead requiring erasing everything below where you want it, then inserting the ACL, then restoring the previous. Others may allow line-editing, but only for permit/deny rules, tossing out the option of using remarks to properly comment your ACLs.
Network monitoring, debugging, and packet tracing is unimaginably easier. You can run tcpdump, pktstat, or any other utilities RIGHT ON YOUR FIREWALL, telling you EXACTLY what's happening, and where. Easy to filter down to what you want to see, yet it can be focused to the point of giving you complete packet headers and payloads if you so desire. Cisco pretty recently saw that omitting this functionality can make certain scenarios absolutely impossible to get through, and ASAs now allow generating a pcap/tcpdump/wireshark file, but it must be transferred off to a real computer for analysis in delayed, non-real time.
Anybody using a firewall "appliance" is PROBABLY also using a Unix box to support it in real-time as well... On either side of that ASA / Sonicwall / etc. is a switch configured for "port mirroring", to duplicate ALL that traffic to a Linux box, running SNORT and probably lots of other software, too. That Linux box getting copies of traffic still only provides a modicum of the monitoring, debugging, and reporting options that running your firewall on an actual, full-fledged Unix system can provide, but at least it makes a network admins' difficult job even POSSIBLE to do.
While home "routers" really aren't in the same class, there are MANY reasons you'd want something GOO
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
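To make the PF features that post lists concrete (tables edited at runtime, anchors loaded per session, a syntax check and an atomic reload), here is an added pf.conf sketch in the OpenBSD 5.x grammar. It is an illustration written for this page, not a ruleset from the thread or from the OpenBSD project; the interface names, the LAN prefix, and the table and anchor names are assumptions.

```pf
# Added example pf.conf (not from the original thread). Interface names,
# the LAN prefix and the table/anchor names are assumptions for illustration.

ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Tables hold address lists whose membership changes without a ruleset reload.
# A mail server that spots a spammer can run (as root):
#   pfctl -t spammers -T add 203.0.113.7
#   pfctl -t spammers -T delete 203.0.113.7
#   pfctl -t spammers -T show
table <spammers> persist
table <admins>   persist

set skip on lo
set block-policy drop

# Normalise inbound packets before any filter rule sees them.
match in all scrub (no-df)

# Outbound NAT for the LAN; ($ext_if) follows the interface's current address.
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# Default deny. Logged drops land on pflog0, so on the firewall itself:
#   tcpdump -n -e -ttt -i pflog0
block log all

# Anything listed in the spammers table is dropped first, and "quick"
# stops further evaluation for it.
block in quick on $ext_if from <spammers>

pass out on $ext_if inet keep state
pass in  on $int_if inet from $lan_net

# SSH only from addresses in the admins table; SMTP from anywhere, but a
# source opening more than 15 connections in 30 seconds is added to the
# spammers table automatically and its existing states are flushed.
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port 22
pass in on $ext_if inet proto tcp to ($ext_if) port 25 \
    keep state (max-src-conn-rate 15/30, overload <spammers> flush global)

# Anchor: rules loaded into sub-anchors at runtime take effect immediately,
# leaving this file untouched. A login script for a user "alice" could run:
#   echo "pass in on $ext_if proto tcp to ($ext_if) port 8080" \
#       | pfctl -a ssh-sessions/alice -f -
# and later:
#   pfctl -a ssh-sessions/alice -F rules
anchor "ssh-sessions/*" in on $ext_if

# Workflow the post describes, from a shell on the firewall:
#   pfctl -nf /etc/pf.conf   # parse and check only, loads nothing
#   pfctl -f  /etc/pf.conf   # replace the whole ruleset atomically
#   pfctl -sr -vv            # show rules with per-rule packet/byte counters
#   pfctl -ss                # show the state table
```

The point of the tables and the anchor is that the long-lived ruleset is never rewritten by automation: the mail server and the login script only touch their own table or sub-anchor, so a mistake there cannot break the base policy, and `pfctl -nf` catches a syntax error in the main file before anything is loaded.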
Aren't Juniper's OS BSD based?
Juniper was a fork of an old FreeBSD. They've recently realised quite how expensive maintaining a fork is and have started pushing most of their stuff upstream and minimising their divergence. We just granted commit access to another Juniper person (sjg@), who is going to work on bringing their improvements to the build system back into the mainline.
All BSDs, from what I understand, use PF
Yes, although OpenBSD is the only one to remove the other firewalling mechanisms. I think we now have 3 firewalls in the FreeBSD kernel and there was some talk of importing npf from NetBSD, making it 4. One of my projects for the next few years is to look at some of the packet filtering infrastructure and make ipf, pf, and friends all simple compiler front ends to the same generic packet filtering infrastructure.
How is OpenBSD better than other FreeBSD-based distros?
I'm on the FreeBSD Core Team, so I have some fairly obvious biases, but there are a few reasons to prefer OpenBSD. Historically, they've been a bit more proactive at enabling things like stack canaries, no execute, and address space randomisation by default. On the other hand, they don't yet have anything like capsicum, so by FreeBSD 10 you'll see a lot more privilege-separated code on FreeBSD than on OpenBSD. Performance for OpenBSD was a bit better for firewall applications than FreeBSD's import of pf, because we had an older version. I'm not sure if that's still true: Netflix has contributed a lot of performance improvements to our network stack recently (it turns out that they shift quite a lot of packets using FreeBSD) and so this may no longer be true.
I ran OpenBSD on a router for a little while because it was easy to admin via ssh. pfSense uses PHP for the web interface, which consumes 20-30MB of RAM for every action. On a router with 64MB of RAM, this is basically a deal breaker.
I am TheRaven on Soylent News
Yes, Juniper runs a FreeBSD kernel, but that's about the only similarity. You certainly don't have a full-fledged computer, or a working userland you can access. You get the kernel booting-up their proprietary CLI interface, with their own configuration and command syntax. In fact Cisco's IOS was based on BSD as well, back in the day, but it's diverged substantially at this point, as Juniper's OS probably will if they survive for as many decades as Cisco has.
http://www.freebsd.org/doc/handbook/firewalls.html
The FreeBSD firewall used to be IPFW, and I assume that's still more-or-less the default option. You can see IPTABLES is there, as is PF.
PF is an option on FreeBSD, but it tends to be either missing a few features, or otherwise just lagging behind what's available on OpenBSD, where it is developed.
Honestly, I don't care... With OpenBSD versus Cisco ASAs / Netscreens, or Linux firewalls, or low-end ARM-based "routers", there was a huge gap between the options that I tried to explain. But comparing OpenBSD vs FreeBSD, you're really splitting hairs. And in the end, it doesn't matter, because the corporate world will continue to insist on using expensive trash like ASAs which has been severely hobbled to fit Cisco's traditional model. Some day I'm sure I'll see it come crashing down, like every other industry that lived on arbitrary restrictions. I'd be perfectly happy using PF (or even the ancient IPF) on FreeBSD or OpenBSD or even PF on Linux if it ever gets fully (sup-)ported, to avoid more hours on proprietary crippled hardware devices. But if given the choice between an ASA and a Linux system running IPTables, I'd struggle with it, and probably shoot myself at the depressing prospect of working with either one for serious work...
Abusive asshole creates (copies?) a closed system, expensive, mobile phone - world wide hero
http://www.awfullybigmoustache.com
...film at 11.
We all know that. But do not confuse "the man" with "the OS". Theo probably maintains less control over OpenBSD than Linus does over Linux (a lot of what he does involves maintaining the project's resources and logistics so that the developers can get on with their work rather than dealing with hardware and sysadmin stuff). Yes, he's the founder & leader of the project, but OpenBSD developers are amazing and could easily continue the project without him if required (not that that's at all likely to happen any time soon). Corporations would kill to have this consistent level of developer talent.
Which is why I've been using OpenBSD for 15 years for critical systems, and have no plans to change that.
BSDs have their advantages over Linux, but portability ain't one of them, given that Linux has been ported to far more platforms than NetBSD.
Linux has only been ported to more platforms because of the sheer number of people working on it, but that's no reflection of the portability of the code. NetBSD was designed with portability from the start, whereas Linux was and still is in many areas designed for an x86-centric world. Many Linux ports never reached maturity, and even some of those that did are now broken.
Any modern car you will buy will get better mileage than a '57 Chevy. I'd still love to own and drive a '57 Chevy.
If Theo hadn't systematically pissed off everyone in large corporations that he's come in contact with, they might have written some drivers.
But he doesn't even want those corporations to write those drivers, he just wants the documentations so he (and other devs) can do it themselves.
The difference is that Theo has acted in a way in the past that has caused us to route all communications from him directly to the lawyers. It's not to do with divulging secrets. It's to do with past behavior.
Theo and the OpenBSD developers and users don't want your crappy binary blob. They want documentation so they can write an open, secure, stable driver.