Forgot your password?
typodupeerror
Security Operating Systems BSD

OpenBSD 3.5 Released 345

Posted by michael
from the security-takes-work dept.
pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the cds, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"
This discussion has been archived. No new comments can be posted.

OpenBSD 3.5 Released

Comments Filter:
  • Excellent (Score:5, Insightful)

    by mastergoon (648848) on Saturday May 01, 2004 @12:02AM (#9025844) Homepage
    I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers. I can't wait for SMP support to be working.
    • Re:Excellent (Score:2, Interesting)

      by Anonymous Coward
      >> I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers.

      what about www.grsecurity.net [grsecurity.net]? IMHO, I think grsecurity is much more a better solution especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/os could potentially protect you from flaws in the kernel itself??

      • Re:Excellent (Score:2, Informative)

        by klasikahl (627381)
        I think you're forgetting about the NSA funded SELinux project. It's also a kernel level MAC security patch. I prefer SELinux over GrSec for many reasons, one of which is the fact a team of well trained NSA kernel hackers coded SELinux. (As opposed to GrSec whose head coder and inventor is a punk who uses his security knowledge to keep his exploits as 0days. Sounds pretty fishy to me; I won't trust anything that has his name on it.) SELinux is in the official 2.6 kernel branch. Check it out here [nsa.gov].
      • Re:Excellent (Score:5, Insightful)

        by Homology (639438) on Saturday May 01, 2004 @02:38AM (#9026311)
        what about www.grsecurity.net [grsecurity.net]? IMHO, I think grsecurity is much more a better solution especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/os could potentially protect you from flaws in the kernel itself??

        I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that supports it is Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake does not.

        As long as this state of affair exists, GRsecurity will not be a viable option for the majority of Linux users.

        On OpenBSD you have similar technology integrated with the OS. No need for patches or other stuff to use it.

        • Re:Excellent (Score:3, Interesting)

          by EvilAlien (133134)
          Using the 2.6 kernel on a system with security as the primary goal isn't wise anyways. Part of having a well-secured system is staying away from the insufficiently audited and tested code, i.e. the new stuff.

          Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they ge

      • "Every security alert or audit contains the IP of the person that caused the event"

        That sure is impressive!
        I did not even know a person had an IP.

        Or do they mean "Intellectual Property"???
    • Re:Excellent (Score:4, Interesting)

      by Lord Kano (13027) on Saturday May 01, 2004 @12:26AM (#9025929) Homepage Journal
      How much traffic are you handling if you really need SMP on a firewall/router?

      LK
      • Re:Excellent (Score:3, Interesting)

        by amix (226257)

        Dont' think so mainstream. Think exotic:

        • VIA C3 (C5P core). Has double-RNG and AES hardware integrated. Perfect for VPN and WLAN.
        • At 1.2GHz it is not very fast (due to architecture) but consumes very (!) low energy and is coolable passive. Perfect for a home-server, that is 24/7 and in your living-room
        • is SMP capable

        a 3x PCI 0x AGP SMP ATX board would make the perfect Home-Server. It would offer possibility for a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall. [cyberguard.com]

        While o

    • > I can't wait for SMP support to be working.

      I would rather the OpenBSD team concentrated on things other than SMP. For the large proportion of cost-effective routing/firewall systems, SMP isn't a priority.

      What is a priority is (a) continual stripping out of GNU licensed artifacts, (b) continual code "securisation", (c) continual security features (i.e. CARP, etc).

      SMP sounds like a nice bit of candy: but I'd prefer the healthy food first.

  • Security (Score:2, Interesting)

    by Anonymous Coward
    The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows

    So if I want optimal security, how do I choose which packages to use?

    • Re:Security (Score:5, Insightful)

      by Anonymous Coward on Saturday May 01, 2004 @12:09AM (#9025877)
      Chose only the packages you will be using, not the ones you might use some day but aren't absolutely needing it. Usually a port that has an absolutely horrible track record might not make it in, or if it has a gaping security problem it might be marked as BROKEN.

      Use common sense, chose packages of software you have faith in to not suck.
      • Re:Security (Score:3, Insightful)

        by evilviper (135110)

        Chose only the packages you will be using, not the ones you might use some day but aren't absolutely needing it.

        This is lowsy advice. You can have all the programs you want installed, and it won't make your system any less safe.

        The only exception is suid/sgid programs.

        It always drives me insane when I read another "security" tutorial on the web that suggest deleting unused programs, or your compiler, will make your system more secure, somehow.

        Incidentally, ports do include patches, and most maintainers

  • pfsync/CARP (Score:4, Interesting)

    by ArbitraryConstant (763964) on Saturday May 01, 2004 @12:09AM (#9025879) Homepage
    OpenBSD is the Cisco killer.

    It's now suitable for replacing a lot of the Cisco gear out there.
    • Re:pfsync/CARP (Score:5, Insightful)

      by astrashe (7452) on Saturday May 01, 2004 @12:20AM (#9025912) Journal
      Isn't a lot of Cisco's appeal on the hardware side?

      I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

      Wouldn't the computer architecture make an OpenBSD router less stable?
      • Re:pfsync/CARP (Score:5, Interesting)

        by ArbitraryConstant (763964) on Saturday May 01, 2004 @12:52AM (#9026007) Homepage
        I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

        OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architechtures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

        Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

        Wouldn't the computer architecture make an OpenBSD router less stable?

        Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
        • Re:pfsync/CARP (Score:2, Interesting)

          by mrchaotica (681592)

          OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architechtures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

          They don't even need a power supply fan; My epia system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an epia at least) a

          • So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!

            It is also the ultimate silent multipurpose computer! Doing maintenance work in a machine room full of these would be a dream!

        • Re:pfsync/CARP (Score:5, Insightful)

          by pe1chl (90186) on Saturday May 01, 2004 @04:17AM (#9026547)
          >Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

          All but the high-end Cisco boxes are very short of central processor power. Look at boxes in the 1700, 2600 and 3700 lines. They need additional co-processor cards to help with tasks like encryption and compression, where a PC could perform these easily without any help.

          And when you need only little bandwidth but need a nontrivial amount of interfaces, you are forced to buy quite a large box. (the 1700 series accomodates only 2 interfaces, and on the 2600 series there is the possibility of 4 interfaces but only for Voice, not for Data. so very quickly you will need a 3725, for applications where a PC could still easlily handle the load)
      • by Dammital (220641) on Saturday May 01, 2004 @08:40AM (#9027183)
        Build your OBSD firewall in a Soekris box [256.com]. Low power, low noise, runs from a CF card (or boots via PXE). Some models accept power-over-ethernet. And Soekris [soekris.com] directly supports FreeBSD, OpenBSD, NetBSD and Linux.
      • Re:pfsync/CARP (Score:5, Insightful)

        by drinkypoo (153816) <martin.espinoza@gmail.com> on Saturday May 01, 2004 @08:57AM (#9027242) Homepage Journal
        The sad part is, that the Cisco stuff ain't all that stable. Plus, the fact that they have been known to offload some of the work into firmware on the chassis means that sometimes something needs to be upgraded and it can't be, or they won't do it - and since it's (obviously) not open source, you can't fix it either. For instance, the catalyst 5000 switches (but not 5500s) are not considered Y2K compliant with any supervisor module, even a III.

        The only really special thing about Cisco hardware as compared to a PC is that their backplane has traditionally been much faster than anything a PC has had to offer, and they have offered network cards (or blades in the Cisco parlance) with more ports (since they are larger) and with additional processors on the cards which do routing themselves. (Layer 3 switch blades, for example.) It's nothing you couldn't do on a PC, though, there just hasn't been a reason to. The most modern PCs have an extremely fast bus however, in the form of 66MHz/64 bit PCI, and now PCI-Express is coming along and the wider versions of that are even faster from what I understand.

        Anyway, since when do routers not have moving parts? Every Cisco product beyond the SOHO level has at least one cooling fan. A cat5k (I pick on it a lot because it's what I have most experience with) has, like, eight plus one per power supply. Meanwhile, there are PCs without any moving parts - A cisco PIX 520 would be one of these, if it didn't have a power supply fan, because it's just a PC in a custom rack case, with an expansion card with a flash ram disk on it, and some Intel EEPro 100/B Management Adapters in it. (Someone told me once that tulips work too, as they were used in older pix 520s, but I've never seen that before.)

        So the short form is "no", the computer architecture won't make an OpenBSD router less stable than a Cisco one. The only thing that might would be OpenBSD itself.

    • Re:pfsync/CARP (Score:5, Informative)

      by PatJensen (170806) on Saturday May 01, 2004 @12:22AM (#9025921) Homepage
      When you can do the following, OpenBSD will be a Cisco IOS killer.
      • Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
      • Store the configuration in solid-state flash memory.
      • Upgrade the entire OS by TFTP'ing a single file.
      • Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
      • Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
      • Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
      • Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
      When the only tool you have is a hammer, everything looks like a nail.

      -Pat

      • by Schubert (5172) on Saturday May 01, 2004 @01:55AM (#9026185) Homepage Journal
        When the only tool you have is an axe, everything looks like fun. :-)
        • by kfg (145172)
          When the only tool you have is an axe, everything looks like fun. :-)

          Yeah, they made us shout that in group before trust building exercises at the Borden Institute of Family Relationships.

          KFG
      • Re:pfsync/CARP (Score:4, Informative)

        by pacman on prozac (448607) on Saturday May 01, 2004 @03:37AM (#9026468)
        IPv4 routing in Cisco is done by software not hardware.

        This already is a Cisco killer for one simple reason, VSRP is crap.
      • Actually I think that keeping everything as monolytic as it is now is finally going to kill Cisco.
        You have to select an IOS version that includes all the features you need, fits in the memory you have, and does not have any of the bugs that are blocking to you. This is becoming increasingly difficult.
        A more modular approach (a base kernel with drivers and features loaded as modules) will be required to be able to move forward without keeping all that archaic stuff forever.
      • Re:pfsync/CARP (Score:5, Insightful)

        by Anonymous Coward on Saturday May 01, 2004 @07:13AM (#9026900)
        Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
        One file, more files, what is the difference? If the config files are well organized, which they are, there is no reason to have it all in one file.

        Store the configuration in solid-state flash memory.
        Get a CompactFlash card and a CF-to-IDE adapter.

        Upgrade the entire OS by TFTP'ing a single file.
        Could be done, you would need twice as much disk (CF) space as you need for a single installation, then download the new OS, unpack it on a free partition, swich default partition for booting, reboot. Ok, perhaps noone has done this until now. Perhaps it's because noone really needs it, not even the people who use OpenBSD on all their routers.

        Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
        Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
        Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.

        Why do you need to do all this in hardware? Most of this stuff can be done in software a strong enough CPU and IO. The rest that can't be done in software is probably not used by majority of Cisco users (see below for more).
        Really, you are building these requirements in such a way that OpenBSD cannot comply. It's a bit like saying that OpenOffice will replace MS Office if the third submenu in the 'File' menu is 'Open', when you click on it, go 102 pixels down and 53 pixels left, click, select the third option, and it reads 'Microsoft Word (.doc)'. What you really need is that it opens a .doc file, no matter how it is done.

        Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
        Not everyone needs those, and the majority who do not can use OpenBSD. The rest will probably use Cisco anyway, but it may just not be enough for Cisco to survive. Thus "Cisco killer".

        In fact I don't think this will happen, as the strong Cisco feature is that they sell everything in one package, unpack and plug and play :). And they have some tech support, too.
      • Re:pfsync/CARP (Score:4, Insightful)

        by evilviper (135110) on Saturday May 01, 2004 @01:32PM (#9028780) Journal
        Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.

        This is bull. Cisco routers do not have text editors, and transfering a config file to/from a cisco router every time you need to make a change is quite cumbersome.

        I used to be annoyed that different Unix config files have different syntaxes, until I used Cisco... There, each different option (hundreds, if not thousands in each config) may have it's own syntax, that you really have to memorize, or look-up to get right.

        Store the configuration in solid-state flash memory.

        Not a problem at all. I had a router running solely on a 32MB PCMCIA card several years ago.

        Upgrade the entire OS by TFTP'ing a single file.

        Now that's pretty stupid. First, I've seen many routers corrupted because TFTP is so very hit-or-miss... The fact that most Cisco routers are only able to use TFTP is a serious drawback, not an advantage.

        As for the single file... OpenBSD's base system is spread across about 5 tar.gz files... If it makes you feel better, I could very quickly whip up a script that will combine them into one tgz file. Better?

        Provide support for layer 2/3 QoS packet tagging in hardware

        QoS is supported by PF. It's not in hardware, but that's no real concern.

        When the only tool you have is a hammer, everything looks like a nail.

        When you only own stock in Cisco, everything else must be inferior.

    • OpenBSD is only a cisco killer in SOHO and SME type environments. Even then, part of the problem is that it still requires expertise to setup - there are a lot of CCIE/CCNE out there, and no so many pf/carp/openbsd experts.

      The thing for the OpenBSD guys to do is make OpenBSD an attractive platform to OEM's who will build more user friendly solutions onto it.

  • by Billly Gates (198444) on Saturday May 01, 2004 @12:10AM (#9025883) Journal
    Eagerly, awaiting the openbsd 3.5 theme song I ftped into one of the mirrors [openbsd.org].

    Anyway I downloaded the 3.5 song and found it about a protest on cisco patents on rundantant firewalling and vrp in a monty python format.

    Strange but somewhat ammusing to say the least. Go download it [openbsd.org].

  • yea (Score:3, Informative)

    by Anonymous Coward on Saturday May 01, 2004 @12:11AM (#9025884)
    seems main ftp server is down. remember there are the mirrors if you guys want to get it. http://openbsd.org/ftp.html

    and OpenBSD Rocks!
  • by imac.usr (58845) * on Saturday May 01, 2004 @12:16AM (#9025901) Homepage
    - Enable bus mastering on fxp(4). Oh yes.

    I don't know what it means, but I approve.

  • by Daimaou (97573) on Saturday May 01, 2004 @12:19AM (#9025910)
    I would like to offer my thanks to the OpenBSD team here on Slashdot, where it will promptly be lost in hundereds of other posts.

    I have used OpenBSD since 2.7 as a firewall, a web server, and a file server. There are a lot of unix-like operating systems out there, but for me, nothing can beat the simplicity and security of OpenBSD in these areas.

    I'm also extremely happy with the ease of applying patches on OpenBSD. It makes remote management the easiest thing in the world (well, from a unix perspective anyway).

    If you haven't tried OpenBSD, and are looking for an excellent server OS, I highly recommend giving it a try. I would recommend supporting the effort by buying a CD too.
  • Mascot (Score:3, Informative)

    by Zardus (464755) <yans@yancomm.net> on Saturday May 01, 2004 @12:21AM (#9025916) Homepage Journal
    Isn't that the wrong mascott in the slashdot story?
  • OpenBSD (Score:4, Funny)

    by foo fighter (151863) on Saturday May 01, 2004 @12:34AM (#9025955) Homepage
    We who are about to be rooted salute you!
  • by SuperBanana (662181) on Saturday May 01, 2004 @12:54AM (#9026013)
    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    Prediction for OpenBSD 6.0 announcement:

    "We remain proud of OpenBSD's record of 15 years with only a single remote hole on a 986, executed from a windows system over a local network by a person under the age of 18. On tuesday. During a full moon. At low tide."

    • by 0racle (667029) on Saturday May 01, 2004 @01:29AM (#9026111)
      How is it getting sillier? Because they increment it once a year when there wasn't a hole that year, or are you just so used to using something else that you just cant believe that something goes longer then a month without a catastrophic security hole.
    • No, not silly. (Score:2, Insightful)

      by Tony-A (29931)
      That single remote hole (as opposed to no remote hole) means that security does matter and cannot be taken for granted.
      Uber secure? I'd grant them that.
      Secure? Probably not, but they're working on that.
      Secure means that I can run unpatched vulnerable software with impunity.
      Security does not mean that I have to try playing catch-up with the latest security "fixes".
  • Fast AES (Score:5, Interesting)

    by atrus (73476) <atrus&atrustrivalie,org> on Saturday May 01, 2004 @12:54AM (#9026014) Homepage

    I found this part of the release notes particulary interesting:

    OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).

    I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, which I don't think there is a fanless version yet on the market.) Of course someone will prove me wrong.

    Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.

    • Re:Fast AES (Score:4, Interesting)

      by CTho9305 (264265) on Saturday May 01, 2004 @01:17AM (#9026073) Homepage
      Why waste all the power on a Via C3 (multiple watts) when you could use an AMD Alchemy Au1550 [amd.com], which consumes less than 1 watt? The development board is MUCH smaller than any uATX-like form factor.
      • Re:Fast AES (Score:4, Interesting)

        by atrus (73476) <atrus&atrustrivalie,org> on Saturday May 01, 2004 @01:29AM (#9026104) Homepage
        The AMD Alchemy is smaller, but with the C3+chipset being Intel/PC compatible, there already is a large base of software available for the C3. By extension, there are many more people familiar with programming things on PC operating systems, which makes the C3 an appealing choice. The Alchemy is more custom. While I'm sure the development kit for the Alchemy is good, it can't match the available software base of PCs. Need to add a DNS server? There are numerous ones available which meet different needs. While you probably could port one of the DNS servers to run on the Alchemy, this is a time consuming operation.
      • Re:Fast AES (Score:4, Interesting)

        by BiggerIsBetter (682164) on Saturday May 01, 2004 @04:52AM (#9026617)
        Cost and availability. When my boxed set of OpenBSD 3.5 arrives in a week or so, I can go out and buy a Mini-ITX board and box for a few hundred dollars off the shelf. I can have a reasonable firewall device up and running the afternoon the CDs arrive. And even better, it's not using overpriced development components, it's in full volume production. The AMD product is interesting, but unless they get real product on shelves at reasonable prices, it's not worth my time to chase what is effectively vapour-ware.

        BTW, your mention of "uATX-like" is way off base. Mini-ITX is sgnificantly smaller, and VIA has released it's even smaller Nano-ITX range as well.
    • Ok, I'll volunteer to prove you wrong. :)
      Here [silentpcreview.com] is a case which uses a heatpipe to replace the fan on a EPIA M motherboard. Honestly though, if I wasn't tracking the mini|nano-itx stuff I wouldn't have known.
    • Re:Fast AES (Score:3, Informative)

      by leov211 (556266)
      Yes, the new 600MHz version of Nehemiah runs fanless on the new CL6000 mini-itx server board.
    • Re:Fast AES (Score:4, Informative)

      by mst76 (629405) on Saturday May 01, 2004 @04:58AM (#9026632)
      I believe the 600mhz fanless boards (ME 6000, CL 6000) also include the hardware AES accellerator.
  • by AvantLegion (595806) on Saturday May 01, 2004 @01:12AM (#9026059) Journal
    ... for remote hole #2?

  • My addition (Score:4, Interesting)

    by bobtheheadless (467304) on Saturday May 01, 2004 @01:55AM (#9026184) Homepage
    Everybody has their OpenBSD quips, so I may as well add mine.

    I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.

    Thats not the best part though. I have some friends who needed a residential gateway, and I set them up with an old box running obsd 3.1, and its been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.

    Anyway, thats my addition. I wonder if anybody will have the paitence to read this far down in the comments. Hmmmm...
  • One remote whole... (Score:4, Informative)

    by gnu-sucks (561404) on Saturday May 01, 2004 @02:44AM (#9026330) Journal

    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.

    If you look at the release 3.4 [openbsd.org] errata list, there's at least three or four root exploits waiting to happen. And 3.3 [openbsd.org] and 3.2 [openbsd.org] aren't any better.

    And YES, sendmail was in the default install. As well as many programs based off the lately bad libc-6.

    OpenBSD is the most secure, and secure-oriented, but its not perfect by any means.

    And yes, I run OpenBSD on a few servers, and one desktop!

    • We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

      I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.


      Ok Ok, well I got one that's completely true and an even longer timeframe.

      MS-DOS: 0 Remote Root Exploits in over 20 years
    • by nuintari (47926) on Saturday May 01, 2004 @03:32AM (#9026454) Homepage
      You have to take into account OpenBSD has privsep, stack protection, W^X memory, and a myriad of other security features not present in most other *nix systems.

      Taken together, a large chunck of potential remote exploits become much less serious problems because the exploit isn't capable of root'ing an OpenBSD box. Sure, a DoS vulnerability is nothing to sneeze at, but it sure beats getting rooted. Same vulnerability will that will root a linux box, will often only annoy the living hell out of an Open box, and you'll still see a patch faster for OpenBSD.

    • by Triumph The Insult C (586706) on Saturday May 01, 2004 @04:55AM (#9026624) Homepage Journal
      and in the default install, sendmail only listens on localhost ...
  • Perfect Timing (Score:3, Informative)

    by alexhmit01 (104757) on Saturday May 01, 2004 @03:12AM (#9026401)
    Ironically, I just finished installing 2 OpenBSD machines in the past couple of days, just finished up one about 5 minutes ago. Unfortunately, while they get the software up on a mirror quickly, everytime we buy the CDs they don't ship out for weeks after the downloaders grabbed them... makes it a bit discouraging to buy the CDs, which we used to do (several copies) each release...

    But now that OpenBSD is only on Firewalls, no webservers, it's less pressing.
  • by Russellkhan (570824) on Saturday May 01, 2004 @04:30AM (#9026572)
    I just downloaded 3.4 yesterday.
  • Documentation (Score:5, Insightful)

    by Alioth (221270) <no@spam> on Saturday May 01, 2004 @04:59AM (#9026636) Journal
    What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq. The manual page is clearly written, has good examples, and provides the information you need.

    I run Linux on my main workstation (and having been a Linux user since the 0.12 kernel days, Linux is close to my heart), but I'm increasingly impressed with OpenBSD as a firewall - the documentation is light-years ahead of Linux iptables documentation for a start, and then there's the new capabilities of pf with 3.5. It's not far off challenging the big boys like CheckPoint FireWall-1 (whose only advantage for our particular network is a pretty GUI configuration tool). With OpenBSD 3.5 with carp and pfsync, the CheckPoint box's days are numbered - I can get better reliability/redundancy with OpenBSD now. The OpenBSD documentation is better. The mailing lists for OpenBSD are more informative than the CheckPoint ones. The hardware is a lot less expensive, and you don't have to pay annual software rental like you do with FW-1.
    • Re:Documentation (Score:3, Informative)

      by lemonjelo (157554)

      What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq.

      I'd also throw in that the file system layout is very consistant with OpenBSD. There's even a hier(7) [openbsd.org] man page describing the layout. When I'm working on another OS I find myself digging around, even for configuration files, way too often.

    • Re:Documentation (Score:3, Insightful)

      by ImpTech (549794)
      Hear hear! I *still* can't really do iptables all that well, but I picked up pf in virtually no time. Its not only the better documentation, its that pf is so much less cumbersome to work with. Though I guess I should say I've never bothered to learn the new-fangled iptables-save/iptables-restore system, but why bother when I can just use OpenBSD on the firewall box?
  • by ninjaz (1202) on Saturday May 01, 2004 @06:36AM (#9026818)
    I picked up OpenBSD with version 2.3 and started using it seriously with version 2.5. During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS to a compelling system with a wide range of complementary features.

    The ones that stand out for me are -

    Chrooting and dropping privileges for BIND by default (kept me feeling fairly safe through a few vulnerabilities, and without the extra work of maintaining my own bind built for chroot)

    Picking up ssh and releasing a good, free version

    Coming up with the nicest firewall I've used, taking it from nothing to ready for release within 6 months (That still amazes me!)

    spamd - After breaking 400 spam messages a day directed at my inbox, wiring Spamhaus SBL into the firewall and tarpitting a good portion of the traffic is a nice bonus. Noticing a week after setting that up that OpenBSD 3.5 has graylisting is a nice surprise.

    Propolice stack protection built into the OS and integrated for the long haul

    Now with CARP, I can feel comfortable getting all this in any environment - I think failover support really opens up a lot of possibilities for the future of OpenBSD.

    All in all, OpenBSD has all the attributes I like in an OS -

    regular 6 month releases (production quality doesn't have to mean stale),

    cohesiveness (no waiting for glibc to catch up to a new kernel feature, or vice-versa),

    a real commitment to free software (as demonstrated with OpenSSH, pf, and now CARP)

    really delivering - as opposed to various Linux security projects that I've seen integrated with mainstream distros, then apparently forgotten about or relegated to a special option marked with a warning label, OpenBSD is a real tested system.

    As a system, it can progress toward its goals through every aspect of the system (eg., the pervasive privilege separation), rather than a patchset to a mainstream distro, which has inherent lag time and may be working at cross-purposes to that distro or the numerous projects that make up the distro it's trying to secure. I've seen a few patchsets come and go over the years, too, while OpenBSD keeps adding to the foundation they've built.

    Thanks, OpenBSD team, for all the great releases... (and all the fish ;)

    Now I'm off to explore my new OpenBSD 3.5 system, where make build just finished. :-)
    • During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS

      I have to say, I think you've got it backwards. I was using OpenBSD back in the day myself, and from the first install, it was impressive. Unlike all the other OSes, any hardware you had installed would just work, with absolutely no user intervention (assuming it was supported). You could shutdown, swap your soundcard with something completely different, reboot, and with no changes at all, your new soundcard wo

  • live cd (Score:3, Interesting)

    by Knights who say 'INT (708612) on Saturday May 01, 2004 @07:56AM (#9027003) Journal
    Hey, why don't you come up with a live-cd that can be installed to hard-drive with one command like Knoppix and that FreeBSD project?

    Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.

    Of course, I _could_ use better performance.
  • by Junta (36770) on Saturday May 01, 2004 @10:33AM (#9027610)
    Their claim of one remote hole in the default install is lame, *I* run a platform that has *never* had a remote hole in its default install...DOS!
  • by sudog (101964) on Saturday May 01, 2004 @10:42AM (#9027643) Homepage
    I understand there's some kind of arpbalance program which allows two machines to answer to the same arp request, and by doing so the hope is that some clients will see one arp, and some clients the other;

    However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?

    For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend. :)

    Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.

Any sufficiently advanced technology is indistinguishable from a rigged demo.

Working...