OpenBSD 3.0 Release, Interview with Theo
mvw writes: "Here is an interview with OpenBSD's Theo de Raadt. His comment on Soft Updates and the comparison with the rival journaling file system technology is interesting. He also links to a very interesting paper by some Soft Updates researchers." And although OpenBSD 3.0 has an "official" release date of December 1, for whatever reason it seems to be available by FTP or CD already. Lots of changes since 2.9.
This is a very good thing! (Score:3, Informative)
For those running OpenBSD, especially as a gateway/firewall/NAT box, this is an important fix. I am running 2.9 with this patch added, and my snort [snort.org] logs tell me (judging from the number of attempts) that this exploit is a fairly commonly tried one. In November alone, there were at least 30 lpd overflow attempts on my machine. Granted, most people don't have lpd open to the world, but I can imagine a few people might want to do remote printing from work, etc.
Fixes (Score:3, Informative)
Here is the list: http://www.openbsd.org/errata.html [openbsd.org]
Don't forget to update to OpenSSH 3.0.1
-J
The origin of OpenBSD (Score:5, Informative)
If you haven't read them before, it's quite a read, and a good lesson of how personal politics can fragment a collaborative project.
Here's the link: http://zeus.theos.com/deraadt/coremail [theos.com]
pf : an excellent packet filter (Score:5, Informative)
pf seems to be very stable so far. Just don't forget to apply the related errata if you're planning to use IPv6.
Another great feature of OpenBSD 3.0 regarding network filtering/routing is the integration of AltQ, that brings quality of service to your IP traffic. It basically has the same (but very flexible and efficient) algorithms and class system that Linux has. But it's very nice to see it in OpenBSD.
ISO download (Score:5, Informative)
As usual, ISO images here [zedz.net].
Re:file systems (Score:5, Informative)
http://www.usenix.org/publications/library/procee
http://www.osnews.com/story.php?news_id=153 [osnews.com]
http://www.freebsd-fr.org/docs/fr/others/systeme-
http://www-106.ibm.com/developerworks/linux/libra
http://docs.freebsd.org/44doc/smm/05.fastfs/paper
Re:As much as I (Score:2, Informative)
Re:When I installed... (Score:1, Informative)
http://www.tuxedo.org/~esr/jargon/html/entry/wh
Re:file systems (Score:3, Informative)
But the users moaned "speed, we must have more speed" and indeed their call was echoed by the admins. So write ahead caching was invented so the users calls would return sooner, and once again all was peaceful with filesystems.
But then one day someone tripped over the power cable and the OS died. On recovery it was discovered that the filesystem was completely borked (due to some of it being in the write ahead cache when the power died) and lots of data was lost. There was much wailing and gnashing of teeth so the journal was invented. A journal writes a list of things that the file system will do when it gets around to it, but writes this list to the drive so it doesn't get lost when the power is lost. Because the list is all in one place the journal is fast and once again there was peace.
Over the years slowly everyone, even Microsoft and even the Linux kernel made themselves journals but the BSD hackers (Greg Lehey?) realised you didn't really need one if you were careful about the order in which you wrote to the disk. And hence softupdates were invented, and are (arguably) very slightly faster. But mostly just different. Like Reiser, but that's another story entirely.
Gottit? Synchronous writes good, but slow. Async writes bad, but fast. Journaled writes good, and fast. Softupdates good and fast without a journal.
Dave
Re:pf : an excellent packet filter (Score:5, Informative)
OpenBSD 3.0 has a transparent ftp proxy called "ftp-proxy". You have to run it through inetd (or any super-server; I use it with tcpserver). It listens on a local port, and you just have to redirect outgoing traffic for port 21 to the local ftp proxy port. It allows active and passive connections to NATed internal hosts.
If it can help, my
rdr on vr1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
nat on vr0 from 10.1.1.0/24 to any -> 195.132.209.36
I start ftp-proxy like this:
*WARNING*
ftp-proxy has a nice security feature to only accept anonymous sessions (-A). But don't trust it: clients can bypass the restriction with some buggy servers (the flaw works with proftpd and ncftpd; it doesn't work with pureftpd).
* For firewalling (without NAT):
You have to explicitly open some ports for active connections. For the minimum number of ports: choose at least twice the max number of simultaneous sessions you need. Open them on the firewall. Then, force your FTP server to only use these ports. On Pure-FTPd, it's with '-p
pure-ftpd -4 -p 50000:51000 &
(don't forget '-4' for OpenBSD).
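The two deployments the post above describes, written out as an added example (this is not the poster's own configuration). It uses the rdr/nat/pass syntax of that era and takes the interface names (vr0 external, vr1 internal), the ftp-proxy port 8081 and the public address 195.132.209.36 from the post; the FTP server address 195.132.209.40 and the inetd line are assumptions. On OpenBSD 3.0 the nat/rdr rules were loaded separately (pfctl -N /etc/nat.conf) from the filter rules (pfctl -R /etc/pf.conf), and port-range syntax has changed between releases, so check pf.conf(5) for the release you actually run.

```pf
# ---- /etc/nat.conf : translation rules (setup 1: NATed LAN clients) ----
# Assumed inetd.conf line that ftp-proxy is started from:
#   8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# Every outbound FTP control connection from the LAN is diverted to it;
# the proxy then handles the active/passive data connections itself.
rdr on vr1 proto tcp from 10.1.1.0/24 to any port 21 -> 127.0.0.1 port 8081
nat on vr0 from 10.1.1.0/24 to any -> 195.132.209.36

# ---- /etc/pf.conf : filter rules ----
# Default deny on the public interface. Nothing on the firewall itself,
# lpd on 515/tcp included, is reachable unless a pass rule opens it.
block in log on vr0 all
pass out on vr0 proto tcp all keep state
pass out on vr0 proto udp all keep state

# Setup 1: the LAN may talk to the proxy. The rdr above has already
# rewritten the destination when the filter sees the packet, so the
# rule matches the translated address, not the remote FTP server.
pass in on vr1 proto tcp from 10.1.1.0/24 to 127.0.0.1 port 8081 keep state
pass in on vr1 from 10.1.1.0/24 to any keep state

# Setup 2 (alternative, no NAT): a routed FTP server behind the firewall
# started as  pure-ftpd -4 -p 50000:51000  so its data connections are
# confined to that range. Open the control port and exactly that range;
# 1001 ports covers ~500 simultaneous sessions per the "twice the max
# sessions" rule of thumb in the post. If the server's -p range changes,
# this rule must change with it or transfers will silently hang.
pass in on vr0 proto tcp from any to 195.132.209.40 port 21 keep state
pass in on vr0 proto tcp from any to 195.132.209.40 port 50000:51000 keep state
```

Load order matters: translation rules first, then filter rules (pfctl -N followed by pfctl -R on 3.0). After loading, confirm with pfctl -s nat and pfctl -s rules that the port range in the pass rule is the one pure-ftpd was started with, since a mismatch is the usual cause of passive transfers that connect but never move data.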
The reason for the early release: (Score:3, Informative)
Btw, the headlines from this site are available as a slashbox, just check the box in your
Snake_dad (who runs Linux, Winedose, Novell 3.12 and
Re:Donations have slumped? (Score:1, Informative)
It is too bad that OBSD lists/newgroups are often frequented by impressionable Theo-wanna-be's that are under the misimpression that it is cool to be rude. Theo acting alone would just be a curiosity
As to the lack of SMP support, the OBSD core group's reasoning is pretty sound. They feel that it will introduce security complications, and isn't a big advantage in the roles OBSD generally serves (e.g. firewall; basic web-server; OBSD enthusiast desktop). Since security is their priority, it is ridiculous to criticize them for slow progress in SMP support. I believe the official line is the unreligious statement 'if you truly need or want SMP, look elsewhere for now'.
Re:file systems (Score:2, Informative)
Re:ISO download (Score:2, Informative)
Re:This is a very good thing! (Score:3, Informative)
1) logging to paper; so the cracker can't totally erase his trail
That doesn't require lpd. Just add the line printer's device name as an additional target in syslog.conf.
Or run a teletype console, and log everything important to the console. (I've actually seen a setup that used that. In production. In 1996.)
Even if you do use the Unix print spooling subsystem on your firewall, you should not have the lpd port (515/tcp) open on the public network interface(s).