Learn From Robert Watson Of FreeBSD And TrustedBSD

Robert Watson is a core developer for FreeBSD, and a member of the TrustedBSD project. He is one of the best people in the world to ask about FreeBSD security, and about FreeBSD development in general. Please post your questions below. We'll send 10 of the highest-moderated ones to Watson by email, and post his responses verbatim as soon as we get them back.

TrustedBSD and OpenBSD

[Parise]

What similarities and differences do you see between the TrustedBSD project and the type of security work undertaken by the OpenBSD team? How do their goals and philosophies differ?

Nice link

[Siqnal 11]

It's not that fucking difficult. [freebsd.org]

--

TrustedBSD With VMS Features?

[Anonymous Coward]

I was reading some documentation on VMS the other day (don't ask), and found out something really interesting. VMS has per-thread security. Thus, a multi-threaded database application could still have ridged security even though it is one process.

I'm a UNIX admin, and don't wish to admin VMS, but this blew me away. Are there any other VMS you are or are considering adding to make TrustedBSD a more solid and extendable OS?

OS X based on FreeBSD

[Kevinv]

OS X's Darwin is based on FreeBSD. How good a member of the Open Source movement has Apple been? Have they contributed anything back to the FreeBSD project (code/money/t-shirts/etc...)?

Correct FreeBSD Link

[mholve]

I think you meant here - http://www.freebsd.org [freebsd.org]

USB support and the future

[CoBoLwArRiOr]

Being a newbie, I've set up FreeBSD on a different box than my everyday box. Someday I hope to have it on my everyday box, but I have a lot of USB products on my machine. What does the future hold in terms of USB support in FreeBSD, and what are 3 of the biggest ideas / projects / etc. that the FreeBSD crew are looking at for the next release?

-=-=-=-=-=-=-
The COBOL Warrior

Re:OS X based on FreeBSD

[Nohea]

I thought Darwin was from NetBSD.

Why another BSD?

[smooc]

With so many implementations around of the various *nix/*bsd flavors why another one?
Is there enough distinction between OpenBSD and TrustedBSD to justify it?

And most importantly How do you get some much time to devote it *two* projects?

Nevertheless I congratulate you (and am kind of jealous ;) ) with the work you have done.

Bolke.

Isn't FreeBSD now part of BSDi?

[Tymanthius]

Quick questions:

Isn't FreeBSD now part fo BSDi?

And if so, how is this affecting your development, support, etc. ad nausem?

bsd color scheme

[Anonymous Coward]

what happened to the bsd color scheme?

Why would you... ?

[SonOfSam]

FreeBSD development is obviously a big part of your life. I have noticed that peoples reasons for using a free OS are often not simply because its better, but because of some view or stance on freedom that they have.

I am a Windows guy, only because my job says so.

What I want to know is, how would you go about convincing me, a Win2k user, to consider using a *BSD. I am interested in learning a new OS... always. But, what makes it stand out from Linux/Win2k/MacOS?

Kinda Does

[mholve]

Without the hair, maybe.

Re:Nice link

[Bastian]

Hey, Rob, it's called the "preview" button.

Why will people continue to use FreeBSD?

[Siqnal 11]

If they can't operate it (or administrate it), they simply won't. New users won't even try a system if they can't understand how to install it. A good solution to this is something like Max OS X -- you know, the BSD system that actually looks good.

Sure, anyone can install WindowMaker on BSD, but they can't control the entire system seamlessly, like you can with Mac OS X, NT, or for that matter, the Red Hat control panel.

Yes, I'm going to get flamed for this, but the fact is, FreeBSD needs to think about its future a little more competitively. Ever wonder how Linux, a much younger operating system, got so far so fast? You should see the graphical installation programs, which help you partition your drive, and then easily install the stuff you want.

So, what do you think can be done to keep FreeBSD alive?

--

Re:why *BSD is dying

[Bastian]

What are these market forces, and why should they hurt an OSS *BSD project any more than they hurt GNU/Linux?

From what I can tell, I don't know about FreeBSD (it seems that many people just see it as a Linux with less hardware support), but OpenBSD seems to be doing well because of its repuptation for security, and NetBSD is the only option for people who want to be running a *nix (or a Free OS) on many machines that are simply ignored by most every other software project.

FreeBSD Distribution

[proxima]

Do you think FreeBSD is hurting in its distribution in comparison with Linux and commercial OSes? Not only are they available from numerous online stores, one can usually find them at simple retail outlets like Best Buy. On the contrary, FreeBSD distribution seems much more limited, with less retail and shrink-wrap options.

I have noticed, however, that linuxmall.com sells FreeBSD CDs, has the FreeBSD community recieved much support from the Linux community over distribution (such as mirrored FTP from mostly Linux servers)?

The future?

[jmenezes]

What do you see in the future for *BSD, with the huge amount of popularity that linux keeps on receiving, not to mention attention, esp. from our buddy Bill Gate$...
Do you think it will remain the strong, viable but simply less popular free OS it is now, hiding behind the limelight of linux, or will it come up in popularity, esp with the codebase for Apple's Darwin, which is all BSD based?

decent literature

[boog3r]

instead of asking you a few questions directly, i would like to solve them on my own with the best set of tools. what publications or literature would you recommend for:

• the *bsd newbie or learner
• the *bsd uber-know-it-all-i-dont-need-any-docs

i am trying to cut the signal/noise ratio out of understanding bsd. specifically, what security documentation have you found useful day-in/out?

Question Please!

[Brew Bird]

Can you explain, in some detail, the overall goals of the BSDs you particpate in?
Please try and direct your answer to people who continue to proclaim that *BSD is dying, and point at some made up marketing numbers.

IPSO

[killer_pelican]

Do you have any opinions about the CheckPoint IPSO implementation of FreeBSD?

Bah.

[Enahs]

Just when you think the BSDs are going to diverge and die, something like Open Packages [openpackages.org] comes along. Sure, it's not even close to an alpha stage yet, but they've even expressed some limited interest of allowing Linux into the fold. A Linux "make world", here we come! :-)

BTW, nice troll. Is that from some sort of Web-based marketing-speak script? It's so devoid of content. It's hilarious. :-)

Question for Mr. Watson

[packphour]

Do you prefer to be called Bob or Robert?
(never underestimate the importance of someone's name preference)

Biggest problem / Best advice

[mosch]

Everybody knows there's no such thing as a perfect system. As such, what do you think is the most, and least perfect points regarding security in FreeBSD.

Also, in terms of security, what do you think the most common dangerous behaviours are by FreeBSD users and admins? What would you change about the FreeBSD userbase if you could?

--
"Don't trolls get tired?"

Security System

[jstepka]

Are there plans in the future to add an automated security update system? I see this as a database your system would check against to see if you are running any installation level security problems.

Re:

[account_deleted]

Comment removed based on user account deletion

Do you think all boxes will get hackd eventually?

[wmulvihillDxR]

I was installing portsentry [psionic.com] from Psionic Software [psionic.com] and somewhere in one of the files about using the software the author discusses the inevitability of being cracked. He believes that system admins can't keep up with constant updates and that eventually some hacker will find an exploit using their server. That is, the exploit will first be found on their box.

Do you, as a member of a widely trusted BSD distribution, think that eventually all computers will be hacked in some way?

Second question, do you think FreeBSD (and Linux) should ship with the tightest security possible at all times? Some reasons not to would be, usability by the "average" desktop user and being a hassle to set up for admins who want, say, ftp enabled.

Mandatory Access controls

[Chalst]

There seem to be a proliferating number of proposed extensions to
*NIXes with ruleset-based mandatory access controls. Is
standardisation important? What influence do you see of NSA's
recently released `security enhanced linux' having on other systems
(like that in TrustedBSD)?

what do you do for *money*??

[gskouby]

While perusing the mailing lists for -hackers, -stable, -current, etc. etc., I often wonder what people like yourself, Mike Smith, Greg Lehey, and the other core members do to pay the bills. Unless something has changed recently with the BSDi takeover, I can't imagine that the FreeBSD project keeps the food on the table. So how about a little insight into your and the other core members "real" jobs. (As if there is such a thing as a "real" job). But anyways, thanks for all the hard work for little pay!

TrustedBSD and NSA secure linux

[Xuther]

How does TrustedBSD compare with NSA secured linux (http://www.nsa.gov/selinux) in terms of new and or improved security features? And are there any plans to eventually integrate the rest of the TrustedBSD features back into the shared BSD source tree (the extended attributes already have been committed)? How would using TrustedBSD instead of FreeBSD impact clustering applications?

And just for my information, where did all the packages for clustering BSD go? All I can seem to find anymore is the linux stuff. And personally I don't like redhat and their rpm distribution method, all anyone wants to distribute anymore is rpms which is not near enough to standard and compatable accross the board as tar-gzip for my purposes. (One primary difference being that I can open a tar-gzip on a windows box at work during break to browse through source, and to my knowledge no one has bothered to create a "winrpm")

Openpackages?

[Enahs]

What's your opinion on the Open Packages project? [openpackages.org] Even though I'm not currently a *BSD user, it sounds great on the surface--there's even been interest expressed in patches for Linux!--but I've got to wonder what sort of complexities need to be worked out to maintain a set of packages for FreeBSD, NetBSD, OpenBSD, Darwin...

More OS X

[Auckerman]

What is the exact relationship between the Darwin Kernel and the FreeBSD kernel? How much FreeBSD code is in Darwin and how much Darwin code is in FreeBSD?

Unified Ports Tree?

[SecretAsianMan]

A while ago there was some hubbub in our community regarding the concept unifying the ports trees of the the different BSD flavors. It seems to me that this would be a mostly good thing, reducing duplication of work and making the ports both more plentiful and of a generally higher quality. Has there been any discussion of this in core? If so, does it look like this will ever happen?

--
SecretAsianMan (54.5% Slashdot pure)

Cross-pollination with Linux security efforts?

[Coz]

There's been quite a bit on Slashdot about Linux (and BSD) security. Bastille Linux is about "hardening" standard Linux installations, the NSA has their own version that they've been mucking about with internally. So, questions:

Is there a need for something like Bastille for FreeBSD? There shouldn't be a need for it with TrustedBSD, should there?

Have you looked at what the NSA did to Linux and attempted to extract from it? Are there modifications they made that apply to TrustedBSD, either in source code or in spirit?

Re:Interbase Backdoor?

[kperrier]

Were either of the BSD distributions affected by the interbase backdoor?

Only if the *BSD box was running Interbase.

Kent

What is next:

[drenehtsral]

I've got a FreeBSD box that i want to bolt down and harden. It's a Dual PIII 800, and i want to use it for development and testing of a server program i'm writing. The server runs as nobody, so i'm not worried about that.
I've closed stuff off such that an nmap from localhost, tcp, syn, and udp shows only sshd, dhcpc, and syslog. I'm currently running the verson of openssh that comes with FreeBSD 4.2.
I'm planning on installing tripwire on the machine at some point as well. I also plan to write something that will mail me a diff of the setuid log between the current day and the previous day, as well as a similar thing for the password file. Any other suggestions?

Christians?

[redbird]

Do christians (or, other religions, too) have a problem with using any of the BSDs you've worked on due to the daemon mascot?

Re:USB support and the future

[CoBoLwArRiOr]

It does, but I have a couple of other things that will not work at all

-=-=-=-=-=-=-
The COBOL Warrior

Good question above

[rppp01]

Why should an NT user switch to BSD as opposed to Linux? Sure, BSD can run most Linux binaries, but what does BSD offer in the way of applications that Linux doesn't?

OSS Philosophy

[Auckerman]

What do you think of Stallman's distinction between "Free" software and "Open Source" and his appearant refusal to deal with anyone who wants to discuss Open Sourcing their application until they speak in his language on these issues?

Re:OS X based on FreeBSD

[weston]

I believe OS X started life (back in its OpenStep
days) from BSD 3.2 put on top of Mach. It's now probably a 4.x on top of Mach. This means its codebase really isn't directly inherited from FreeBSD or NetBSD, AFAIK.

However, that might not stop it from contributing. The Apple-open OS X distro Darwin [darwinfo.com] may have a tip or trick to contribute back, and likely incorporates a bunch of *BSD stuff as well.

--

(OT)Interviews color scheme

[yerricde]

Each Section of /. has a color scheme. This article is in the interviews Section [slashdot.org]; therefore it has the interviews colors (which happen to be identical to front_page colors), not the bsd Section [slashdot.org] colors.
Like Tetris? Like drugs? Ever try combining them? [pineight.com]

Process?

[rice_burners_suck]

Hi,

I'd like to thank you for all the work and effort you and your fellow developers are putting into this project. I currently use FreeBSD and have plans to try out your work on my next server configuration.

Could you give us a short overview of the process you're taking to make FreeBSD more secure? In particular, how does the TrustedBSD project compare with OpenBSD, which has been undergoing a line-by-line security audit for years? Most importantly, what are the advantages of choosing TrustedBSD over OpenBSD (besides the obvious project-loyalty factors)?

Kindest regards,
NGH

Re:Is it just me?

[atrowe]

No, it's not just him, or No, it doesn't look like Bart?

Stargazer!

[anacron]

Man .. I used to hang with Watson. He used to run a BBS called Starlight. I was a fellow sysop that used to run a BBS called Celestial Happenings. Props to Perry and the Ritual de lo Habitual creww, and Props to 'gazer and the rest of the DC WWiV crew.

Anyway, here's my question:

Security has traditionally been viewed as more of an architecture of denial than anything else -- stop people from getting where they are not supposed to get. However, these days security has more impetus because of the sheer amount of intellectual property that's being housed on publically accessable computers. Do you think's it's theoretically possible to ever build a 'crack proof' system? I'm famaliar with FreeBSD's track record, and use it for my firewall at home. But should the onus of security be placed on the sysadmins of the server, or on the people that make the operating system the server runs?

anacron (aka Surface)

Re:TrustedBSD and NSA secure linux

[rwm311]

I don't want to get into a holy war about what package manager is better, but I think is a rather weak argument. Instead of downloading the binary rpm you simply download the source rpm (SRPM) and install it, then you look in /usr/src/redhat/SOURCES to see the source.

I build rpm's on a daily basis and while it does lack some robustness in the dependancies arena, I think it's overall A Good Thing. And by the way, RPM != Red Hat... I can't stand it when people use the two interchangably.

rwm

Re:TrustedBSD With VMS Features?

[borgboy]

You know, the OS [microsoft.com] from the company y'all love to hate took some hints from VMS [k12.ca.us], and it also implements per-thread security. [microsoft.com]

FreeBSD and X-Windows

[bsdbigot]

Given that X is an inherently insecure system (though great strides have been made to rectify this), how do you see the relationship between X and FreeBSD going forward? xfree86 v3.x is nice, v4.x is nicer (though it hasn't made it to the "default" windowing system for FreeBSD, presumably because of some gaping security holes). Surely, for the mindless masses, X (or some derivative) is a necessary part of the complete OS distribution. What does the core feel is a reasonable tradeoff between security and functionality, WRT this issue, and to what extent will the core move to "correct" any serious problems (non-platform specific) with future releases of X?

Re:FreeBSD Distribution

[Marasmus]

Just to be a nitpicking annoyance, I wanted to point out that most large distribution sites are running a variant of BSD. :) a handful (such as sunsite.unc.edu) run solaris, but most of them (cdrom.com, freesoftware.com, many of tucows.com's mirrors) are hosting from BSD :) It may be more accurate to view BSD as supporting Linux's distribution :)

How does TrustedBSD compare to Eros?

[jemfinch]

Eros [eros-os.org], unfortunately, doesn't look like it's actually going to arrive (at least not in a timely manner), but I've read several of the papers on capability-based security and they were all very interesting.

What do you think about Eros? What's your opinion (and your perception of the security community's opinion) about capability based security?

Thanks, Jeremy

Re:TrustedBSD With VMS Features?

[hch]

<i>I was reading some documentation on VMS the other day (don't ask), and found out something really interesting. VMS has per-thread security. Thus, a multi-threaded database application could still have ridged security even though it is one process.</i>

Linus has this feature, too (and FreeBSD using the linuxthreads port). But many people consider this a bug and not a feature ....

Re:Cross-pollination with Linux security efforts?

[Chalst]

I think `hardening' a distribution is (partly) orthogonal to what
TrustedBSD is up to: the TrustedBSD folks are aiming to provide tools
to make it possible to ensure that a distribution satisfies a security
policy, whilst Bastille is meant to check a given system for obvious
holes. A Bastille project for a TrustedBSD system would make sense.

What is part of FreeBSD and what is not ?

[f5426]

I run FreeBSD on 3 machines here. I felt in love with it.

One thing I was wondering about is how decision are taken about what goes in the real system (/usr/src) and what does not. For instance, rcp is in the base system, while rsync is in the port tree. When I started, less was not in the distribution, but now is. Why ? Will FreeBSD grow and accumulate more and more tools in /usr/src ?

Something somewhat related that bother me is that as soon as I get away of the base system, things are much less clean. Even if the port tree is wonderfull, there is no simple command that will enable me to stay in sync with non-standard stuff. I would love beeing able to do something analogous to cvsup + make world to keep an up-to-date X / gnome / mozilla installation, with a defaut window manager and configuration that make sense. Is there any work in that direction ?

Cheers,

--fred

A few important questions:

[Bob Abooey]

1) Do you ever plan on moving away from the slow and resource intensive method of VMS style paging for memory address resolution

2) Are there plans to rewrite the TCP/IP stack to be multi threaded

3) Will BSD ever migrate away from UFS to a more modern file system?

4) With serious POSIX compatablity issues are there plans to use code from POSIX compliant OS's to become more commercially attractive to major corporations

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Christians?

[dhuff]

Well, I'm an Episcopalian and also run FreeBSD, drink coffee out of a BSD-logo mug, wear FreeBSD t-shirts at times, etc... Go to FreeBSD's site and read Evi Nemeth's explanation [freebsd.org] of the daemon mascot.

Just wanted to make it known that not all Christians get their panties in a twist about silly stuff like cartoon daemon logos :)

Are you mad?

[_ganja_]

Did you SHAG widly last night and did someone KISS you goodbye THIS MORNING.

Oh sorry, this isn't the Andre's Hedrick interview.

Re:TrustedBSD and OpenBSD

[platinum]

Actually, FreeBSD regularly integrates OpenBSD's fixes into the system (and vice versa). The nice thing about having the 3 open-source BSD's (along with MacOS X and BSD/OS) is that much code is shared, and is available for the others to use.

Re:Why another BSD?

[platinum]

It you actually read what TrustedBSD [trustedbsd.org] is about, you would see that it is an extension to FreeBSD and should be integrated into FreeBSD-proper before 5.0 is released.

BSD Security

[ahknight]

I've heard a lot about BSD being inheirently more secure than Linux, but have yet to see some concrete reasons why. So far, it comes down to code review from what I understand. What difference, then, is there between "secure" BSD distributions and, say, Immunix?
--

Changing face of security

[QuantumG]

Do you think there is ever a time when you can declare a system "secure"? Assuming you dont, do you think it is even possible to objectively rate the security of a system?

Re:Christians?

[ahknight]

Amen, brotha'. ;-)
--

BSD hackers vs GPL hackers

[Arandir]

I've heard it said numerous times that "Linux is more successful than BSD because of the license". The argument is that hackers prefer the GPL because their code can't be "stolen", whereas nothing stops Microsoft from using the BSD licensed code. I've even seen some Linux advocates point to Darwin as the ultimate example of exploitation.

What are your views on this from a perspective as a BSD hacker? Can free software really be stolen? Is BSD open for exploitation (in the negative sense)?

Re:FreeBSD and X-Windows

[EverCode]

FreeBSD 4.2 has a security level setting (during installation), and if you set it above normal (default), X will not run.

IMHO, this is about all that can be done. X = security problems, no matter what.

Secure programming

[emir]

I would like to learn more about secure programming under *nix. I have decent knowledge of c, cpp and java.
Where should I start?
What book/doc/faq do you recommand me reading?

OS X and FreeBSD

[gagganator]

apple states [apple.com] that mac os x/darwin is based on freebsd 3.2. how complete an implementation is this? has darwin contributed any new ideas/code/features to bsd?

Re:FreeBSD question

[Rogue Orion]

From what I understand (And please correct me if I am wrong), FreeBSD has a completely different kernel than Linux (which Mandrake is just a distribution of).

On top of that kernel, you can run X-Windows, and then a common window-manager (like GNOME, KDE etc.)
In theory, you could have a system that looks identical to Mandrake(linux) that runs on top of the FreeBSD kernel. Some argue that the BSD kernel is more stable and "industrial strength".

Re:Good question above

[mr]

At this time, some benchmarks done by some people show BSD running 10-30% faster than the linux distro of the month. Even the linux compatibility mode runs faster. Given the speed of machines these days....such matters little today.

The design methodology of a group of people VS linus is an advantage. (FreeBSD gets out releases once a quarter. the linux kernel has been delayed) Because of the design of BSD, updating a BSD box goes like this:

become root
cd /usr/src
make update
make buildworld
make installworld

And the BSD license is a difference. If Micro$oft 'attacks' GNU/Linux, Micro$oft will use the GPL as the vector of the attack.

Applications: Rate shaping for TCP/IP traffic is an example. How about Office 2001 for MAc OS X? (the whole Mac OS X stuff)

Re:FreeBSD Distribution

[mph]

Yeah, it would be nice if you could buy FreeBSD at Best Buy... [bestbuy.com]

Re:Why will people continue to use FreeBSD?

[SoupIsGood Food]

Mac users still get uncontrollable giggle fits when people talk about the "User friendly Windows interface". If you need a seemless, integrated UI for total control over the presentation and creation of complex data (Graphics, sound effects, bad screenplays, etc.) you need BeOS or a Mac.

Unix in all its many splendored flavors is good for when you need stability and performance. This is why it's usually paired with the =really= sexxxy hardware you need a government grant to buy. Unix boxes are at their finest as tools, accessories. Big, expensive shared peripherals that serve a specific, tailored purpose.

In my case, I've got a Sparcstation LX running OpenBSD for a purpose: I need to host a private web forum. It has to be robust, able to cope with large loads, and dirt cheap. Including the OpenBSD CD(with stickers!), the setup cost me $50. I don't need a windowing environment...I have my MacOS Powerbook on a network with it. After the initial install, I can administrate it better sitting on my couch than I can sitting on the terminal...the Mac's tools for editing bits of text from a usercentric standpoint are second to none. Perfect for tweaking configuration files.

And you will need to tweak configuration files. By hand. Might as well start off that way rather than continually correcting what the GUI administration applications assume is what you want. This is where BSD's shine. Their systems are simple and unsophisticated, well documented with clearly written manpages and FAQs, thus shallowing the learning curve if you need to get into the nitty-gritty of networking, soft-raid, security auditing, etc. You know...the stuff Unix is =good= at.

Linux is too chaotic, the distros vary too wildly from one to the other to make low level administration and automation easy. They cram everything but the kitchen sink into your system, none of it documented very well. This is fine if your hobby is computer science and you need a toy to play with, or you need a robust workstation environment, or you want to compete with Windows to be the hottest Mac rip-off arround. Not so good if you're trying to track BBS users by IP to filter out the trolls and bots.

There just isn't a GUI front end for that sort of stuff. Fancy windowing environments soak up valuable processor cycles and RAM. If you need a robust and fast server tailored to meet a specific utility, you need *BSD.

SoupIsGood Food

FreeBSD and Operating System Ports

[Matthew Luckie]

Hi

You might not be the best person to ask, but what are the difficulties in porting FreeBSD to other operating systems?

The alpha port seems to have been struggling somewhat recently with all the different motherboard configurations (alphapc for one) that make the alpha an almost completely different CPU in some critical points.

Theres also the sparc port, which doesnt appear to have made lots of progress at all.

Here comes the questions:

• What is it about NetBSD's architecture that makes it more simple to port to other platforms compared with FreeBSD's?
• How is the IA64 port progressing? What are the major issues in changing parts of the base of FreeBSD to take advantage of some of the new features. Has intel even supplied you with the appropriate hardware required?

Re:Isn't FreeBSD now part of BSDi?

[MadAhab]

I won't explain the "part fo BSDi" thing; do the reading yourself.

I will say, however, that so far I've noticed nothing in -stable. Still works great and is easy to maintain and administer, still doesn't support devices as broadly as linux. No changes significant enough to change anyone's reasons for using or not using FreeBSD, in my view.

In the -current version, however, there appear to be lots of changes afoot. FreeBSD 5 is supposedly going to come with a lot of the SMP stuff from BSDi merged in, which would be a huge plus for FreeBSD.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

File Transfers

[pboulang]

As a protocol, FTP is one of the worst. Open a control channel on port 21, then if using active FTP, choose a random port.. (actually x*256+y where x and y can be predicted) and have the server initiate a data channel from port 20 to that port. If you are using passive FTP, then the client initiates a data channel to the random port on the server.

Now really, does that make any sense? It means that behind a firewall (BSD, of course) running NAT, a client must run passive FTP, since there is no way an outside box should be able to initiate into the client box at a high port. However, what about that server? Do I really want to allow high port access to that box?

Finally, my question is this: How does one properly configure FTP between two NAT'd boxes without opening up lots of high ports?
Better still: Where do I write my congressman to make FTP illegal!?

--paul

Re:FreeBSD question

[The_Rift]

That and the kernel and userland come together. In FreeBSD the userland is designed around the kernel and vice versa. Unlike a Linux distro such as Mandrake where you get a Linux kernel + a userland built out of various GNU and whatnot software.

As to your comments on X-windows, that's a seperate piece of software to the OS and would look more or less the same on any platform it runs on. (and it runs on a lot more than just Linux and FreeBSD).

Re:USB support and the future

[AntiBasic]

FreeBSD has had USB support since 3.3 iirc. Go check LINT, search FreeBSD.org [freebsd.org], look at FreeBSD Diary [freebsddiary.org] and the FreeBSD Handbook [freebsd.org] for further information about setting up your FreeBSD box. I'm sure you'll see just how solid it is.

Ports Unification

[Christopher B. Brown]

A unified "Ports" tree would almost certainly be helpful to FreeBSD and NetBSD in diminishing duplicated efforts.

On the other hand, for OpenBSD and TrustedBSD, the "fuzzyness" of sharing the code base may make it more difficult to "warrant" the security of packages.

Would it be sensible/preferable to have a "fork" whereby there might be a set of Trusted Ports that would represent a (perhaps limited) set of software that undergoes more comprehensive code auditing, as well as the Unified Ports containing software that hasn't undergone such testing?

Re: A few important questions:

[reg]

Only important questions if you are trolling...

1) Do you ever plan on moving away from the slow and resource intensive method of VMS style paging for memory address resolution

FreeBSD's paging code is extremely fast, which is why FreeBSD performs so well under load. It is fairly resource intensive, but the requirements for page tables etc are proportional to your RAM size, so FreeBSD will still run in low memory configurations.

2) Are there plans to rewrite the TCP/IP stack to be multi threaded

Once again, this is a buzz word issue - the TCP/IP stack performance is very good (ie can staturate whatever network you happen to plug in). But the entire kernel is being multi-threaded for 5.0, to provide fine grained SMP support.

3) Will BSD ever migrate away from UFS to a more modern file system?

The UFS file system is being continously upgraded. It has features which Linux and most other commercial FSs would love - like softupdates, and new utilities to grow filesystems (and shink them too hopefully soon). Just because Linux has had to rewrite it's FS because of poor reliability doesn't mean that the BSDs have a bad file system.

4) With serious POSIX compatablity issues are there plans to use code from POSIX compliant OS's to become more commercially attractive to major corporations

POSIX compatibility is also something which is always being improved. But I think that you're wrong about POSIX compatibility being an issue for major corporations. They are far more concerned with stable APIs, and at the moment they want stable APIs for things like windowing services. This is why people code for Windows, not POSIX compliance.

Regards,
-Jeremy

A very long, complete answer

[mosch]

You can find an exceptionally detailed answer at http://people.freebsd.org/~alex/libh/ [freebsd.org] which should give you a very good idea of where the FreeBSD distribution is headed, in the manner of granular, custimizable upgrades. JKH wrote a wonderful paper that covers this.

--
"Don't trolls get tired?"

The future of gaming on BSDs, GNU/Linux, Darwin

[Angelwrath]

Many companies producing the popular gaming titles for Windows seem reluctant to support the Open Source, FSF and MacOS platforms with their products. However, Apple is about to join the BSD party with Darwin, offering the potential to add several million new BSD installations over the next few years. With that in mind, adding up the various *BSD communities and Darwin yields a large, growing group of users. Add GNU/Linux, and that total becomes even larger. Growth of these platforms is significant, as is the potential for game sales.

What can these communities do to allow a game developer to write one title and port it easily across platforms, while retaining performance and quality?

Can you comment on what would be required to put something like this together, in terms of software, standards and effort on the part of the developers?

Thank you, and good luck with your TrustedBSD efforts.

common misconception alert!

[Clover_Kicker]

The ports are 3rd party software.

The OpenBSD/FreeBSD/NetBSD team has no direct control over the s/w in the ports collection.

There is no organized effort to audit everything in the ports collection.

The OpenBSD audit is only concerned with the base OS, that in itself is a huge job. They don't have the resources to audit the thousands of apps in the ports collection.

The ports team does what they can to keep up with bugfixes from the various apps, but they aren't auditing the ports.

Once you install some 3rd party software, it's up to you to keep up with bugfixes for that 3rd party s/w.

Re:Good question above

[Petrophile]

Office for MacOS X, and pretty much every other MacOS X application are built on the proprietary Apple Carbon API and has nothing to do with MacOS X's BSD compatibility server.

But, if it was said on Slashdot (OS X == BSD), it must be true!

Re:Good question above

[Petrophile]

Oops - proprietary Apple Carbon and Cocoa APIs

Re:decent literature

[MochaMan]

If you understand the basics of operating systems and you want a great reference to BSD, a GREAT book is "The Design and Implementation of the 4.4BSD Operating System", written by the original authors of 4.4BSD and published by Addison Wesley.

It covers basically anything you need to know, and makes a great reference if you want to understand the source code itself.

An overview of the book is at this location [awlonline.com].

Re:File Transfers

[jmcneill]

If you're using IP Filter (and not natd, I don't have experience with it) you can add the following to the _top_ of /etc/ipnat.conf:

map ep0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp

To allow active FTP through the NAT, assuming 192.168.0.0/24 is your local network and ep0 is your external interface. I use this on my NetBSD NAT machine and it works great.

FreeBSD 5.0?

[cpeterso]

the entire kernel is being multi-threaded for 5.0, to provide fine grained SMP support.

Where can I find more info about plans for FreeBSD 5.0? Is 5.0 include the integration of BSDI code? Freebsd.org doesn't seem to mention much.

chris

FreeBSD & Directory Services

[willy_me]

Microsoft has Active Directory.
Novell has NDS.
NextStep has NetInfo.

Will FreeBSD be supporting any type of directory service? I know there's always DNS but I was thinking of something a little more powerful.

What I (and most network admins) would like is a nice central way to manage users, computers, or any other network "object". In order for this to work well the service will probably have to be added to the distro - not just supplied as an external package (hence your envolvement.)

I was thinking that since NetInfo has been opensourced it might be a good solution. I know a Linux port already exists.

Making xxBSD easy to setup and administer would greatly increase its appeal to network administers. During the install procedure you should have the option "connect via NetInfo" where everything is done for you - you shouldn't even have to assign it a root password. All administration, and I mean everything, should be done from a central location. (I know most UNIX gurus probably want their commands like "adduser" - but some type of directory service should still be an option.)

Aah, network nirvana...
Willy

Info on SMP status in FreeBSD 5.0

[cpeterso]

http://people.freebsd.org/~jasone/smp/ [freebsd.org]

Re:TrustedBSD With VMS Features?

[Guy Harris]

It sounds as if the person who asked the question to which you responded was saying that VMS allows different threads in a process to have different privileges. The NT per-thread security described by the stuff to which you linked isn't per-thread security in the sense of "what the thread is allowed to do", it's per-thread security in the sense of "what other processes are allowed to do to the thread".

Common criteria and TrustedBSD

[ajv]

Robert,

The common criteria [nist.gov] are far more than the old orange book [ncsc.mil] controls (B1, B2, C1, ...). Part two of ISO 15408 has many things that I'd really like to see (and I'm prepared to help, too).

Why even bother with the old style Orange book stuff, which barely work in a networked environment, when the new style CC definitions are available for free?

Also will you be providing a framework such that deployed TrustedBSD systems are ready for CC evaluation?

Lastly, any plans for a NetBSD version? Want some help?

Re: A few important questions:

[Pinball Wizard]

Bob, you forgot to ask a few things in your post. I don't quite understand since you've apparently attempted to submit patches to the BSD project and had them rejected for no reason.

So, I've taken the liberty of reposting your last BSD post. Here is the original post [slashdot.org] if you want to see it.

***Bob Abooey's Last BSD Post: ***

Couldn't agree more. In fact I'm really tired of the whole BSD camp acting like the red-headed bastard stepchild. BSD just flat out fails due to the Amiga type zealotry which impedes clear thinking in many cases.

I have submitted a well ducumented and heavily tested patch for BSD which provides code and a clean interface to remove the hard limit of 2000 maximum processes, but it was rejected for no good reason. I guess they really don't want to play in the big leagues when it comes to big iron servers. I have also re-written chunks of BSD code which I run on my own personal RDBMS back-end which fixes many of the *real* problems with BSD, namely the file system which is slow and rife with corruption, the fine grain low level context switching which kills any sort of performance you might get by using multi threaded apps (that's true multi-threaded apps, not the "forking PID" type). Yeah, why don't the BSD zealots ever address the kernel space addressing scheme which still relies on the old VMS paging concept which does nothing but increase the kernel-space overhead.

I could go on and on but I won't. It's not often I make a real post so I hope you guys understand that I'm really upset here. Thanks

***End Bob Abooey's last BSD post***

Wow, impressive. So Bob, when are you releasing that RDBMS that you wrote yourself that replaces the BSD filesystem? Can we expect to see it on freshmeat any time soon?

Also, if FreeBSD's paging system and TCP/IP stack leave so much to be desired, where can I turn to find a better system?

Bob?

Basis for Trusted BSD

[TarPitt]

To what extent did you borrow from the Common Criteria for your project? Which protection profiles did you use? Have you found any of the Orange Book series to be useful as well?

A biger question - to what extent are these formal, committee-design secure systems criteria relevant to securing an open source product? What is good about them? What specifically do you find flawed or totally useless? What did you have to improvise because the methodology didn't cover it?

Re:TrustedBSD With VMS Features?

[Tassach]

The basic NT security *model* is excellent (particulary compared to the Unix owner/group/world model). It is the *implementation* of that model which sucks rocks. If it actually worked as designed, NT's security would be impressive.

Compare this to OpenBSD. OpenBSD may be based on a dated security model, but it is a ROCK SOLID implementation of that model. It dosn't take a rocket scientist to figure out which one to use where security is critical.

Re: A few important questions:

[Tassach]

Even a goat-sexing troll is capable of an occasional moment of lucidity. The comment about the attitudes of the *BSD camps is dead on target. Speaking as a proud ex-Amiga user, I can see a lot of similarities between the attitudes *BSD'ers and Amigans. It's very disheartening to see a well-engineered, elegant system be eclipsed by a more popular but technically inferior one, particuarly if you have devoted a significant amount of mental energy mastering said system.

That being said, I don't think any of the BSD projects are in any danger of dying. While there are some valid differences of opinion as to design philosopy between the various BSD projects, I think there is also a huge amout of hubris and rampant egos at work that keep the core teams from working more closely with one another. (Not that the Linux community is much better with it's perennial distribution and desktop manager catfights)

Diversity is a good thing. A good engineer picks the best tool for the job at hand. The choice of an operating system (or any other piece of software or hardware, for that matter) depends on what you want to do with it. No one tool is right for all jobs, regardless of what sales drones or fanboys want you to believe. As software engineers, we can't let our political views or personal enthusiasiams get in the way of making sound technical decisions.

Re:FreeBSD question

[Nugget94M]

The only part of this comment that is "utter bullshit" is the part where he implies that someone would be stupid enough to be using telnet in this day and age. Surely we're all smart enough now to know that telnet is a giant sucking chest wound of a security hole. Nobody is actually stupid enough to still be using telnet these days, right?

Damn, people. It's not like OpenSSH [openssh.com] is a big secret.

I still say that backbone providers should throw all port 23 traffic on the floor just on principle. It's no different than hiding your friend's car keys until he sobers up.

Debian vs BSD

[Odinson]

Licence flamewars aside...

Kernel vs Kernel
Gnu tools vs Gnu tools
this goes here, this goes there

All of these can become moot details to an experianced admin.

The real question for me is...

Any plans on porting to dpkg and apt?

Re:OS X based on FreeBSD

[bugg]

Not 3.2BSD on top of Mach, FreeBSD 3.2 on top of Mach. There was never a version 3.2 of Berkeley UNIX- AFAIK it went straight from 3BSD to 4BSD.

If you actually look at Darwin source, you'll see that there's also a lot of the userland taken from NetBSD.

Anyhow, Apple has definetly been a good neighbor to the open source world. Look at Darwin- people can take work from there back to FreeBSD or any other OS. They've also taken an interest in OpenPackages [openpackages.org] and it'll be interesting to see where, if anywhere, they go with that.

Re:OS X based on FreeBSD

[bugg]

They're using FreeBSD on Mach, which provides quite a bit of low level harwdware specific services. I'd imagine that all they had to do is write or port drivers for the hardware that they're running on..

Re:Ports Unification

[bugg]

You should also note that TrustedBSD is a patchkit to FreeBSD that will most likely be fully merged with FreeBSD in the near future. It's not an OS, and it doesn't do any "auditings" that would concern it with the ports system. It's working to provide better security through smarter security, not just safer (but powerful) binaries like OpenBSD.

Re:USB support and the future

[AntiBasic]

Yes, FreeBSD does have usb, but its (as of 4.1)

Uhmm....no. *BSD support for USB was done NetBSD a while back and merged into project from there. This was done back in mid '99. Dont say as of 4.1 as that is mere FUD.

When I installed RedHat 7.0...

You're actually using RedHat 7.0!??! Are you on coke? You obviously didn't read about their shitty gcc version they packaged with it. If I remember correctly, Linus called RH7 "Unsuitable for any use". It's ok you're a newbie.

So does FreeBSD have usb support, Yes. Is it as clean and complete as it should be, not yet.

My God thats incorrect. If you have even bothered to follow any mailing lists you'd see you were woefully wrong. Go spread your unsubstantiated FUD elsewhere.

Where do Free/Trusted BSD stand with InfiniBand?

[soldack]

One of the knocks on many the free operating systems was a lack of support for enterprise technologies. I work at a company working on InfiniBand hardware. We will be supporting Linux, as Intel will be releasing IB host drivers for it. It is not known how this code will be released, although Intel seems to be indicating the source will be available. We don't know how, though. For example it may require membership in the IB Trade Org. We are totally willing to release drivers for other OS's like *BSD, but are not willing to write a full OSVerbs InfiniBand driver for it. How and when do FreeBSD and TrustedBSD plan to implement IB support, if at all?

Conclusion about /. moderators

[dcs]

They can't spot a troll when they see one.