OpenBSD 3.5 Released
pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5.
We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the CDs, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"
Security (Score:2, Interesting)
So if I want optimal security, how do I choose which packages to use?
Re:Excellent (Score:2, Interesting)
What about www.grsecurity.net [grsecurity.net]? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself?
pfsync/CARP (Score:4, Interesting)
It's now suitable for replacing a lot of the Cisco gear out there.
Monty Python clone??? wtf? (Score:4, Interesting)
Anyway, I downloaded the 3.5 song and found it is about a protest against Cisco patents on redundant firewalling and VRRP, in a Monty Python format.
Strange but somewhat amusing, to say the least. Go download it [openbsd.org].
Re:Every Hacker's Wet Dream (Score:1, Interesting)
Re:Every Hacker's Wet Dream (Score:2, Interesting)
seriously though, just check netcraft. there are lots of sites hosted on OpenBSD.
Re:Excellent (Score:4, Interesting)
LK
Re:pfsync/CARP (Score:5, Interesting)
OpenBSD (and all the rest) doesn't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.
Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.
Not necessarily; it runs on a lot of different architectures... Xeons, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
Fast AES (Score:5, Interesting)
I found this part of the release notes particularly interesting:
OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).
I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, and I don't think there is a fanless version on the market yet). Of course someone will prove me wrong.
Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.
Re:Fast AES (Score:4, Interesting)
Re:Fast AES (Score:4, Interesting)
Re:never-been-rooted claims getting sillier (Score:5, Interesting)
Re:Every Hacker's Wet Dream (Score:3, Interesting)
The sites with the longest uptime run OpenBSD
that's who uses it
My addition (Score:4, Interesting)
I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.
That's not the best part though. I have some friends who needed a residential gateway, and I set them up with an old box running OBSD 3.1, and it's been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.
Anyway, that's my addition. I wonder if anybody will have the patience to read this far down in the comments. Hmmmm...
Re:Every Hacker's Wet Dream (Score:4, Interesting)
that's who uses it
That's not a valid list.
$ uname -sr
SunOS 5.7
$ uptime
12:11am up 1585 day(s), 8:41, 1 user, load average: 0.27, 0.27, 0.26
That puts us in the top 10, and we're not the only ones. The problem is that the uptime Solaris reports to netcraft rolls over every 495 days.
Re:"single remote hole" (Score:3, Interesting)
It seems to me that the design level of OpenBSD is remote administration of the box where an intervening router is owned by a competent enemy.
Re:Excellent (Score:3, Interesting)
Don't think so mainstream. Think exotic:
a 3x PCI 0x AGP SMP ATX board would make the perfect Home-Server. It would offer possibility for a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall. [cyberguard.com]
While one CPU is serving the net and procmailing, the other one could compress some tarbz2 for the backup.
Well, I am aware this is a server and not a firewall/router, but why not combine it, especially since the firewall is a separate system here. So yes, OpenBSD should really have SMP. Too bad VIA does not plan the C5P as a So370 version with a matching mobo, but in future such things might come. Why not?
Re:pfsync/CARP (Score:2, Interesting)
They don't even need a power supply fan; my Epia system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an Epia at least) and it's small (the same length as the Epia itself, and a little over an inch wide). Depending on which Epia you have, it's possible to plug its ATX out straight into the Epia's ATX in without a cable.
So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!
about security holes (Score:5, Interesting)
If you call chroot a poor kludge, you're obviously not a security guy. Granted, it's not perfect, but it does help a little. Ever heard of the principle of least privilege? The idea that programs shouldn't be allowed to do anything except what they need to do? Well, taken to the extreme, this would mean:
- Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
- Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
- Same for every other resource such as sockets, etc...
This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful; however, anything that implements any of the above is a GOOD thing.
You're saying chroot is giving a false sense of security. So, shouldn't the people be educated about what it solves and what it doesn't, then? Obviously it's a good feature, it just isn't intended to be a solution to everything. Just a solution to one problem: filesystem namespace visibility.
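The manifest idea sketched in the comment above, as an added user-space simulation (not OpenBSD code or anything the project ships): a program declares the syscalls, filesystem subtrees and socket families it needs, and a checker denies everything else. The manifest contents, the "httpd" label and the trace are constructed for illustration.

```python
"""Simulated per-program manifest enforcement (added illustration)."""
import posixpath

# Constructed manifest for a hypothetical web server; "httpd" is a placeholder.
HTTPD_MANIFEST = {
    "syscalls": {"read", "write", "open", "accept", "close"},
    "paths": {"/var/www": "r", "/var/log/httpd": "rw"},   # subtree -> modes
    "sockets": {"inet"},
}


def _path_allowed(manifest, path, mode):
    """True if every requested mode letter is granted on a declared subtree.

    The path is normalised first so "/var/www/../etc/passwd" is judged as
    "/etc/passwd".  Symlinks are not resolved here; a real kernel check would
    have to work on the resolved vnode, which is exactly why chroot alone is
    only a partial answer to namespace visibility.
    """
    norm = posixpath.normpath(path)
    for prefix, granted in manifest["paths"].items():
        if norm == prefix or norm.startswith(prefix.rstrip("/") + "/"):
            return all(m in granted for m in mode)
    return False


def check(manifest, op, *args):
    """Return (allowed, description) for one operation the program attempts."""
    if op == "syscall":
        return args[0] in manifest["syscalls"], f"syscall {args[0]}"
    if op == "open":
        path, mode = args
        return _path_allowed(manifest, path, mode), f"open {path} ({mode})"
    if op == "socket":
        return args[0] in manifest["sockets"], f"socket {args[0]}"
    return False, f"unknown op {op}"


def audit(manifest, trace):
    """Run a trace of (op, args...) tuples; return descriptions of denied ops."""
    denied = []
    for op in trace:
        allowed, what = check(manifest, *op)
        if not allowed:
            denied.append(what)
    return denied
```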
Re:Fast AES (Score:4, Interesting)
BTW, your mention of "uATX-like" is way off base. Mini-ITX is significantly smaller, and VIA has released its even smaller Nano-ITX range as well.
Re:Excellent (Score:2, Interesting)
Something changed Theo's mind about it (maybe it was just Niklaus volunteering), so it's probably worth looking into.
FreeBSD and OpenBSD (Score:2, Interesting)
Does FreeBSD support more hardware? What's the difference?
Re:about security holes (Score:3, Interesting)
live cd (Score:3, Interesting)
Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.
Of course, I _could_ use better performance.
We don't need no steenking moving parts (Score:4, Interesting)
Re:Excellent (Score:3, Interesting)
Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they get for ease of use and "newbie friendly" features.
... how about load balancing? CARP do that yet? (Score:3, Interesting)
However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?
For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend.
Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.
Re:Breaking backward compatibility? (Score:3, Interesting)
NetBSD has kernel options "COMPAT_16" or "COMPAT_15" so the kernel itself will support binaries which are targeted at older releases and thus can run software from (decades?) ago without much more than installing the older libraries it was linked against.
OpenBSD, as I recall, has no such functionality to speak of. Or does it now?
(English.. do you speak it?)
Cisco Killer? Depends... (Score:1, Interesting)