You're right. Who has time to check out every little "fact" and "detail"? I mean, it's hard. It's not like anyone's getting paid to run this web site. What's next, requiring everyone who reports the "news" to devote valuable brain cells to their work?
If your clients can't have access to all ports outbound without opening up all ports inbound, you need better firewall software. It's called "stateful packet filtering", "keeping state", or "shortcuts". It's common in NAT, where the translation host needs to keep track of the TCP/UDP/ICMP connections it supports.
All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?
This sounds easy to hook into MAPS Realtime Blackhole List (a realtime list of mail abusers). All mail systems should be configured to reject mail from hosts appearing in the RBL. Configuring Apache to do similar would be easy, but would generate an enormous amount of extra traffic for each web server (currently, each lookup in the RBL consists of a DNS lookup into the RBL domains). Surely large sites could work out a better distribution mechanism (they could use an eBGP4 subscription and do caching locally).
I think you've touched on a very important point. BSD is a cult; the development is done by a closed group of people who keep running inside-jokes, reject anyone who knows less than they do, and envy those who know more. The code isn't closed, the group is. It's a popularity contest at its absolute worst. The attitude is "do something for us or go away." The BSD license is perfect for these people. No social conscience--"just give us the code, and leave quickly so we can do very important things with it."
Fortunately, the people who get the most work done are least interested in raising a blue ribbon ego, or "op" status on the IRC channel, or guru of the mailing list. Unfortunately, these people rarely get the recognition they deserve, but are still recipients of any derision towards the group.
If the high school mentality ended at the so-called "development" level, problems would be confined to the results of that group, but it doesn't. Users do occasionally come into contact with "developers," and when they're told to bugger off unless they've got a patch, that's when the BSD bit in the user's brain flips to 0.
If ESR was "right", the cliche would be "it's Open Source as in Open Source-dom, not Open Source as in beer." There is free software and there is gratis software.
Inferior ports?! You are just completely wrong! Tell me which "inferior ports" you've actually _used_ (installed, used, and maintained). Projects you've "heard about on Slashdot" do not count. I'll wager you haven't actually used Linux on real hardware (something that's evolved since 1980, like the Alpha, Sparc, or PowerPC, or MIPS, or PA-RISC), or you'd know just how exactly ignorant your assertion is.
I wrote this comment on a 333 MHz PowerBook running Linux 2.3.22, in X at 1024x768 at 32 bpp, with all the software I need to get all my work done. Every piece of hardware is supported, and it's a better laptop value than any Intel-based offering. The 56K internal modem works, the 10/100 Ethernet works, the 14.1" screen is beautiful, the media bays (batteries, CD-ROM, DVD-ROM) work great, power management is superb (5 hours off a single battery), audio in and out, two completely useful USB ports (one of which runs a Logitech mouse when I'm parked at a desk), and even S-Video _and_ VGA output, and external SCSI. All of this with no "docking stations" -- the ports are right on the back. And they're $2499.
I also use Linux on the Alpha, and the Alpha architecture is supported as well as, and possibly better, than the PowerPC architecture.
That's why I said I did not know if NetBSD supported IP Filter.:) Thanks for the pointer. It's good to know I've got another BSD if FreeBSD-STABLE is still losing connections. I'm running NetBSD (1.3) on a Sun 4/110 I have, and it makes a perfectly good workstation out of it.
The OpenBSD GNATS DB already has a case open on my problem. I cannot comprehend a "serious firewall" operating system that would completely fall over when given a perfectly valid route to remove from its table. "Experienced security professionals" type "route" an awful lot, and if wishes to remove one, cycling the power on the box should not be the last step of that process.
I'd like to know why you wouldn't consider anything but OpenBSD for a "serious firewall." A "serious firewall" sits in a physically secure location, runs no network services (and firewalls these ports to itself), allows no remote logins, and logs everything to a local device (serial connection to log host, line printer, etc.). Linux can do this perfectly well, just as FreeBSD and OpenBSD can. When it came down to it, I needed routing capabilities Linux did not have, so I chose from the other two. To my knowledge, NetBSD does not support IP Filter.
Not to slam OpenBSD, but it hasn't been very stable from a configuration point of view. Last month I installed OpenBSD 2.5 from CD, onto a machine that was supposed to be a firewall. It has two network cards (Intel EEPro 100 PCI). These devices are fxp0 (1.1.1.1) and fxp1 (2.2.2.2).
Adding a host route like the following is allowed (although not very useful; this was a typo on my part):
route add 1.1.1.1 1.1.1.1
No problem, I thought, I would simply delete this route like:
route delete 1.1.1.1
But then I got a kernel panic and a kernel debugger prompt. I put FreeBSD 3.2 STABLE on there instead, but it fails to correctly keep state on IP Filter'ed ports every 6 or 7 days, and requires a reboot.
I've never had Linux (1) give me a kernel panic from any network operation or (2) just stop doing network filtering correctly. If Linux had the IP Filter package (so I could do stateful packet inspection) that firewall would be running Linux.
This kind of ruins the joke, but if you look at ispell's history, you'll see that it pre-dates the entire PC industry. From the README:
Who Wrote Ispell?
Ispell is a very old program. The original was written in PDP-10 assembly in 1971, by R. E. Gorin. The C version was written by Pace Willisson of MIT. Walt Buehring of Texas Instruments added the emacs interface and posted it to the net. Geoff Kuenning added the international support and created the current release. Many, many other people contributed to the current version; a complete list (with a much more detailed history) can be found in the file "Contributors".
Actually, these days, it's rare to write the only compiler for a new platform in assembly. It's very time-consuming. Most compilers (for new platforms) are developed as back-ends for existing compilers; cross-compilers are used to create the native compiler excutable for that new platform. Of course other binary utilities are needed to make the round trip. GCC is, to my knowledge, the most ported compiler in use today, and Cygnus has done plenty of this sort of work.
Of course intimate knowledge of the new platform's architecture (including its assembly vocabulary) is required to write an effective back-end to the compiler, but little application development is done in pure assembly. Browse through the GCC source tree some time.
First off, start yourself on a real architecture (one designed and implemented cleanly and completely) like an Alpha. Then, buy a good book on Alpha assembly hacking. Linux and the GNU assembler will work fine. It's quite a bit of fun, and learning about a nice, powerful architecture is a joy in itself.
It appears you didn't read the article (or the FAQ it linked to), or even the complete (but incorrect) summary. V2 is not "free". You can download some source code (its license was not covered in the FAQ or from the main page; it's probably accessable), but the essential parts of the operating system are closed. It's definitely not "Open Source".
Personally, I can't understand why this project exists. Speed? Hardware is fast, it's always getting faster, and existing operating systems are as fast as you make them. Being the speed king matters for all of 7 months, when Intel releases a new revision of their processor that negates all your hard hacking. Well, if they're having fun writing it, I guess it has a place.
And why limit their users to a legacy 32-bit architecture, and make themselves completely non-portable at the same time? This is DOS for 1992, instead of DOS for 1980. I have a perfectly good 64-bit Alpha by my desk at work, and I intend to buy more of them in the future. Apparently these guys intent on using their Pentium II's in 2005.
I have the feeling you've never actually tried Debian, and I can fully understand your "support" of Red Hat if that's the case. Debian's distribution mechanism (not any specific release, but the development model) is, by far, the most advanced out there. Red Hat won't soon equal the number of packages and flexibility of Debian, billions of dollars or not, because they just don't have the masses of developers.
I find it odd how you make a training wheels analogy, and single out Red Hat (these days, the "first" distribution of the masses) as the company most likely to take them off.
There is an incredible difference beween the "bloat" introduced by a list of developers in 7-bit ASCII and a program that simulates the physics and visuals of flight over a modeled terrain!
I own Apple hardware, but I don't use any of their software. Just because they're spending their time fighting over the order of bits in the show_about_box() function doesn't mean the G4 isn't a monster of a chip. Throw LinuxPPC or Debian or something on it.
Theo can't release binaries of qmail; Dan's license prohibits that. Such a restriction would rather hamper its adoption as a primary mailer for any operating system. If you want a better replacement for Sendmail, try Postfix. It's license is very nice, it's configured similarly, and I don't lose any sleep over it.
After browsing a few more comments, I realized I had forgotten to address two points.
When id left the backdoor in Quake/QuakeWorld servers (I don't remember which), that was just stupid. Honest mistakes happen, but sometimes people have other motives. However, I can't see what id wants with Joe Random's week-end QuakeWorld server, so I can hardly attribute malice or an underhandedness to their actions.
My second point is that Quake 3 is proprietary software, and as such, you (the user) get what you get, and no more. If proprietary software has deliberate back-doors, bugs, gaping security holes, well, you can just wait. If I had the code for Quake 3, I'd leave in the code that sends those UDP packets with my OpenGL vendor's tag to id (you, personally, could remove that code), but I would be able to run it on my PPC Laptop (which is something I can't do now). Oh well, I have no choice, such is proprietary software.
Slashdot Mirror
You're right. Who has time to check out every little "fact" and "detail"? I mean, it's hard. It's not like anyone's getting paid to run this web site. What's next, requiring everyone who reports the "news" to devote valuable brain cells to their work?
--
All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?
--
And Lake Springfield. And Shelbyville (IL) isn't far away either.
--
Go to 11? But couldn't you just make them go to 10, and make 10 be louder?
--
This sounds easy to hook into MAPS Realtime Blackhole List (a realtime list of mail abusers). All mail systems should be configured to reject mail from hosts appearing in the RBL. Configuring Apache to do similar would be easy, but would generate an enormous amount of extra traffic for each web server (currently, each lookup in the RBL consists of a DNS lookup into the RBL domains). Surely large sites could work out a better distribution mechanism (they could use an eBGP4 subscription and do caching locally).
--
You, sir, have several obvious and insulting flaws. Please prove that you are perfect, and then I will put you on par with other humans I know.
--
You didn't even read the article. The Chinese people are allowed to use it. Go read the article.
--
I think you've touched on a very important point. BSD is a cult; the development is done by a closed group of people who keep running inside-jokes, reject anyone who knows less than they do, and envy those who know more. The code isn't closed, the group is. It's a popularity contest at its absolute worst. The attitude is "do something for us or go away." The BSD license is perfect for these people. No social conscience--"just give us the code, and leave quickly so we can do very important things with it."
Fortunately, the people who get the most work done are least interested in raising a blue ribbon ego, or "op" status on the IRC channel, or guru of the mailing list. Unfortunately, these people rarely get the recognition they deserve, but are still recipients of any derision towards the group.
If the high school mentality ended at the so-called "development" level, problems would be confined to the results of that group, but it doesn't. Users do occasionally come into contact with "developers," and when they're told to bugger off unless they've got a patch, that's when the BSD bit in the user's brain flips to 0.
--
If ESR was "right", the cliche would be "it's Open Source as in Open Source-dom, not Open Source as in beer." There is free software and there is gratis software.
--
Inferior ports?! You are just completely wrong! Tell me which "inferior ports" you've actually _used_ (installed, used, and maintained). Projects you've "heard about on Slashdot" do not count. I'll wager you haven't actually used Linux on real hardware (something that's evolved since 1980, like the Alpha, Sparc, or PowerPC, or MIPS, or PA-RISC), or you'd know just how exactly ignorant your assertion is.
I wrote this comment on a 333 MHz PowerBook running Linux 2.3.22, in X at 1024x768 at 32 bpp, with all the software I need to get all my work done. Every piece of hardware is supported, and it's a better laptop value than any Intel-based offering. The 56K internal modem works, the 10/100 Ethernet works, the 14.1" screen is beautiful, the media bays (batteries, CD-ROM, DVD-ROM) work great, power management is superb (5 hours off a single battery), audio in and out, two completely useful USB ports (one of which runs a Logitech mouse when I'm parked at a desk), and even S-Video _and_ VGA output, and external SCSI. All of this with no "docking stations" -- the ports are right on the back. And they're $2499.
I also use Linux on the Alpha, and the Alpha architecture is supported as well as, and possibly better, than the PowerPC architecture.
Have you run any of these?
--
That's why I said I did not know if NetBSD supported IP Filter. :) Thanks for the pointer. It's good to know I've got another BSD if FreeBSD-STABLE is still losing connections. I'm running NetBSD (1.3) on a Sun 4/110 I have, and it makes a perfectly good workstation out of it.
--
The OpenBSD GNATS DB already has a case open on my problem. I cannot comprehend a "serious firewall" operating system that would completely fall over when given a perfectly valid route to remove from its table. "Experienced security professionals" type "route" an awful lot, and if wishes to remove one, cycling the power on the box should not be the last step of that process.
I'd like to know why you wouldn't consider anything but OpenBSD for a "serious firewall." A "serious firewall" sits in a physically secure location, runs no network services (and firewalls these ports to itself), allows no remote logins, and logs everything to a local device (serial connection to log host, line printer, etc.). Linux can do this perfectly well, just as FreeBSD and OpenBSD can. When it came down to it, I needed routing capabilities Linux did not have, so I chose from the other two. To my knowledge, NetBSD does not support IP Filter.
--
Not to slam OpenBSD, but it hasn't been very stable from a configuration point of view. Last month I installed OpenBSD 2.5 from CD, onto a machine that was supposed to be a firewall. It has two network cards (Intel EEPro 100 PCI). These devices are fxp0 (1.1.1.1) and fxp1 (2.2.2.2).
Adding a host route like the following is allowed (although not very useful; this was a typo on my part):
route add 1.1.1.1 1.1.1.1
No problem, I thought, I would simply delete this route like:
route delete 1.1.1.1
But then I got a kernel panic and a kernel debugger prompt. I put FreeBSD 3.2 STABLE on there instead, but it fails to correctly keep state on IP Filter'ed ports every 6 or 7 days, and requires a reboot.
I've never had Linux (1) give me a kernel panic from any network operation or (2) just stop doing network filtering correctly. If Linux had the IP Filter package (so I could do stateful packet inspection) that firewall would be running Linux.
--
Who Wrote Ispell?
--
But the keyboard is so small! I never got used to typing with both just two keys.
--
Of course intimate knowledge of the new platform's architecture (including its assembly vocabulary) is required to write an effective back-end to the compiler, but little application development is done in pure assembly. Browse through the GCC source tree some time.
--
First off, start yourself on a real architecture (one designed and implemented cleanly and completely) like an Alpha. Then, buy a good book on Alpha assembly hacking. Linux and the GNU assembler will work fine. It's quite a bit of fun, and learning about a nice, powerful architecture is a joy in itself.
--
They've clearly just re-invented DOS for the 90's. Unfortunatly, for them, the 90's are almost over.
--
It appears you didn't read the article (or the FAQ it linked to), or even the complete (but incorrect) summary. V2 is not "free". You can download some source code (its license was not covered in the FAQ or from the main page; it's probably accessable), but the essential parts of the operating system are closed. It's definitely not "Open Source".
Personally, I can't understand why this project exists. Speed? Hardware is fast, it's always getting faster, and existing operating systems are as fast as you make them. Being the speed king matters for all of 7 months, when Intel releases a new revision of their processor that negates all your hard hacking. Well, if they're having fun writing it, I guess it has a place.
And why limit their users to a legacy 32-bit architecture, and make themselves completely non-portable at the same time? This is DOS for 1992, instead of DOS for 1980. I have a perfectly good 64-bit Alpha by my desk at work, and I intend to buy more of them in the future. Apparently these guys intent on using their Pentium II's in 2005.
--
Go get Emacs and CVS (both available for BeOS, your proprietary operating system). Start writing code for the BeOS FE.
--
I have the feeling you've never actually tried Debian, and I can fully understand your "support" of Red Hat if that's the case. Debian's distribution mechanism (not any specific release, but the development model) is, by far, the most advanced out there. Red Hat won't soon equal the number of packages and flexibility of Debian, billions of dollars or not, because they just don't have the masses of developers.
I find it odd how you make a training wheels analogy, and single out Red Hat (these days, the "first" distribution of the masses) as the company most likely to take them off.
--
There is an incredible difference beween the "bloat" introduced by a list of developers in 7-bit ASCII and a program that simulates the physics and visuals of flight over a modeled terrain!
--
I own Apple hardware, but I don't use any of their software. Just because they're spending their time fighting over the order of bits in the show_about_box() function doesn't mean the G4 isn't a monster of a chip. Throw LinuxPPC or Debian or something on it.
--
Theo can't release binaries of qmail; Dan's license prohibits that. Such a restriction would rather hamper its adoption as a primary mailer for any operating system. If you want a better replacement for Sendmail, try Postfix. It's license is very nice, it's configured similarly, and I don't lose any sleep over it.
--
After browsing a few more comments, I realized I had forgotten to address two points.
When id left the backdoor in Quake/QuakeWorld servers (I don't remember which), that was just stupid. Honest mistakes happen, but sometimes people have other motives. However, I can't see what id wants with Joe Random's week-end QuakeWorld server, so I can hardly attribute malice or an underhandedness to their actions.
My second point is that Quake 3 is proprietary software, and as such, you (the user) get what you get, and no more. If proprietary software has deliberate back-doors, bugs, gaping security holes, well, you can just wait. If I had the code for Quake 3, I'd leave in the code that sends those UDP packets with my OpenGL vendor's tag to id (you, personally, could remove that code), but I would be able to run it on my PPC Laptop (which is something I can't do now). Oh well, I have no choice, such is proprietary software.
--