Security Operating Systems BSD

OpenBSD 3.5 Released

pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the CDs, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"
  • Security (Score:2, Interesting)

    by Anonymous Coward on Saturday May 01, 2004 @01:03AM (#9025849)
    The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows

    So if I want optimal security, how do I choose which packages to use?

  • Re:Excellent (Score:2, Interesting)

    by Anonymous Coward on Saturday May 01, 2004 @01:05AM (#9025858)
    >> I use Linux on almost all my systems, but nothing can cut the security I get using OpenBSD on my firewalls and routers.

    what about www.grsecurity.net [grsecurity.net]? IMHO, grsecurity is a much better solution, especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/OS could potentially protect you from flaws in the kernel itself??

  • pfsync/CARP (Score:4, Interesting)

    by ArbitraryConstant ( 763964 ) on Saturday May 01, 2004 @01:09AM (#9025879) Homepage
    OpenBSD is the Cisco killer.

    It's now suitable for replacing a lot of the Cisco gear out there.
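A minimal configuration for the redundant firewall pair that CARP and pfsync in 3.5 make possible, as an added example that is not from the post above or from the OpenBSD project. It uses today's hostname.if(5), sysctl.conf(5) and pf.conf(5) syntax rather than the 3.5-era one, and the addresses, interface names and password are constructed placeholders.

```conf
# /etc/hostname.carp0 on fw1 (the preferred master). fw2 gets the same line with
# advskew 100: the lower advskew wins the election. vhid and pass must match on
# both hosts; carpdev names the real NIC that carries the shared 192.0.2.1.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CARPsecret carpdev em0 advskew 0

# /etc/hostname.pfsync0 on both hosts: state updates travel over em2, a dedicated
# crossover cable, because pfsync is neither authenticated nor encrypted.
up syncdev em2

# /etc/sysctl.conf on both hosts: if one CARP interface on the master fails,
# preempt fails over all of them, so inbound and outbound paths never split.
net.inet.carp.preempt=1

# /etc/pf.conf excerpt on both hosts
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# pfsync (IP protocol 240) only on the crossover link, and its states never synced
pass quick on $sync_if proto pfsync keep state (no-sync)
# CARP advertisements (IP protocol 112) on every interface that carries a vhid
pass on { $ext_if $int_if } proto carp keep state (no-sync)
```

Verify with `ifconfig carp0` (MASTER on fw1, BACKUP on fw2) and `pfctl -ss` on the backup, which should list the states the master created.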
  • by Billly Gates ( 198444 ) on Saturday May 01, 2004 @01:10AM (#9025883) Journal
    Eagerly, awaiting the openbsd 3.5 theme song I ftped into one of the mirrors [openbsd.org].

    Anyway I downloaded the 3.5 song and found it's about a protest against Cisco patents on redundant firewalling and VRRP, in a Monty Python format.

    Strange but somewhat amusing to say the least. Go download it [openbsd.org].

  • by Anonymous Coward on Saturday May 01, 2004 @01:15AM (#9025895)
    From what I understand, Earthlink has a lot of OpenBSD machines that are currently in production.
  • by no reason to be here ( 218628 ) on Saturday May 01, 2004 @01:24AM (#9025923) Homepage
    my formerly slackware-lovin', now debian-lovin' former roommate, despite his love of Tux and all things penguin, has started using OpenBSD for his router/firewall. If he's using it, I imagine there must be at least another dozen out there that use it. :)

    seriously though, just check netcraft. there are lots of sites hosted on OpenBSD.
  • Re:Excellent (Score:4, Interesting)

    by Lord Kano ( 13027 ) on Saturday May 01, 2004 @01:26AM (#9025929) Homepage Journal
    How much traffic are you handling if you really need SMP on a firewall/router?

    LK
  • Re:pfsync/CARP (Score:5, Interesting)

    by ArbitraryConstant ( 763964 ) on Saturday May 01, 2004 @01:52AM (#9026007) Homepage
    I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.

    OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

    Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.

    > Wouldn't the computer architecture make an OpenBSD router less stable?

    Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
  • Fast AES (Score:5, Interesting)

    by atrus ( 73476 ) <`atrus' `at' `atrustrivalie.org'> on Saturday May 01, 2004 @01:54AM (#9026014) Homepage

    I found this part of the release notes particularly interesting:

    > OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).

    I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, which I don't think there is a fanless version yet on the market.) Of course someone will prove me wrong.

    Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.

  • Re:Fast AES (Score:4, Interesting)

    by CTho9305 ( 264265 ) on Saturday May 01, 2004 @02:17AM (#9026073) Homepage
    Why waste all the power on a Via C3 (multiple watts) when you could use an AMD Alchemy Au1550 [amd.com], which consumes less than 1 watt? The development board is MUCH smaller than any uATX-like form factor.
  • Re:Fast AES (Score:4, Interesting)

    by atrus ( 73476 ) <`atrus' `at' `atrustrivalie.org'> on Saturday May 01, 2004 @02:29AM (#9026104) Homepage
    The AMD Alchemy is smaller, but with the C3+chipset being Intel/PC compatible, there already is a large base of software available for the C3. By extension, there are many more people familiar with programming things on PC operating systems, which makes the C3 an appealing choice. The Alchemy is more custom. While I'm sure the development kit for the Alchemy is good, it can't match the available software base of PCs. Need to add a DNS server? There are numerous ones available which meet different needs. While you probably could port one of the DNS servers to run on the Alchemy, this is a time consuming operation.
  • by 0racle ( 667029 ) on Saturday May 01, 2004 @02:29AM (#9026111)
    How is it getting sillier? Because they increment it once a year when there wasn't a hole that year, or are you just so used to using something else that you just can't believe that something goes longer than a month without a catastrophic security hole?
  • by manifest37 ( 632701 ) on Saturday May 01, 2004 @02:45AM (#9026151)
    http://uptime.netcraft.com/up/today/top.avg.html [netcraft.com]
    The sites with the longest uptime run OpenBSD
    that's who uses it
  • My addition (Score:4, Interesting)

    by bobtheheadless ( 467304 ) on Saturday May 01, 2004 @02:55AM (#9026184) Homepage
    Everybody has their OpenBSD quips, so I may as well add mine.

    I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.

    That's not the best part though. I have some friends who needed a residential gateway, and I set them up with an old box running obsd 3.1, and it's been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.

    Anyway, that's my addition. I wonder if anybody will have the patience to read this far down in the comments. Hmmmm...
  • by prockcore ( 543967 ) on Saturday May 01, 2004 @03:14AM (#9026236)
    > http://uptime.netcraft.com/up/today/top.avg.html
    > The sites with the longest uptime run OpenBSD
    > that's who uses it

    That's not a valid list.

    $ uname -sr
    SunOS 5.7
    $ uptime
    12:11am up 1585 day(s), 8:41, 1 user, load average: 0.27, 0.27, 0.26

    That puts us in the top 10, and we're not the only ones. The problem is the uptime Solaris reports to netcraft rolls over every 495 days.
  • by Tony-A ( 29931 ) on Saturday May 01, 2004 @03:33AM (#9026289)
    Something very tricky with one-time passwords, IIRC. Seems like all Linux and most OpenBSD users would have been unaffected.
    It seems to me that the design level of OpenBSD is remote administration of the box where an intervening router is owned by a competent enemy.
  • Re:Excellent (Score:3, Interesting)

    by amix ( 226257 ) on Saturday May 01, 2004 @03:54AM (#9026357) Journal

    Don't think so mainstream. Think exotic:

    • VIA C3 (C5P core). Has double-RNG and AES hardware integrated. Perfect for VPN and WLAN.
    • At 1.2GHz it is not very fast (due to architecture) but consumes very (!) low energy and can be cooled passively. Perfect for a home-server that is 24/7 and in your living-room
    • is SMP capable

    a 3x PCI 0x AGP SMP ATX board would make the perfect Home-Server. It would offer possibility for a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall. [cyberguard.com]

    While one CPU is serving the net and procmailing, the other one could compress some tarbz2 for the backup.

    Well, I am aware this is a server and not a firewall/router, but why not combine it, especially since the firewall is a separate system here. So yes, OpenBSD should really have SMP. Too bad VIA does not plan the C5P as a So370 version and matching mobo, but in future such things might come. Why not?

  • Re:pfsync/CARP (Score:2, Interesting)

    by mrchaotica ( 681592 ) on Saturday May 01, 2004 @04:09AM (#9026388)
    > OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architectures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.

    They don't even need a power supply fan; my Epia system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an Epia at least) and it's small (the same length as the Epia itself, and a little over an inch wide). Depending on which Epia you have, it's possible to plug its ATX out straight into the Epia's ATX in without a cable.

    So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!
  • about security holes (Score:5, Interesting)

    by Anonymous Coward on Saturday May 01, 2004 @04:39AM (#9026476)
    Yes, lack of security holes makes anything secure, this is quite obvious. However, how can you know you don't have any security holes? The answer is simple: you cannot.

    If you call chroot a poor kludge, you're obviously not a security guy. Granted, it's not perfect, but it does help a little. Ever heard of the principle of the least privilege? The idea, that programs shouldn't be allowed to do anything except what they need to do? Well, taken to the extreme, this would mean:

    - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
    - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
    - Same for every other resource such as sockets, etc...

    This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful, however anything that implements any of the above is a GOOD thing.

    You're saying chroot is giving a false sense of security. So, shouldn't the people be educated about what it solves and what it doesn't, then? Obviously it's a good feature, it just isn't intended to be a solution to everything. Just a solution to one problem: filesystem namespace visibility.
  • Re:Fast AES (Score:4, Interesting)

    by BiggerIsBetter ( 682164 ) on Saturday May 01, 2004 @05:52AM (#9026617)
    Cost and availability. When my boxed set of OpenBSD 3.5 arrives in a week or so, I can go out and buy a Mini-ITX board and box for a few hundred dollars off the shelf. I can have a reasonable firewall device up and running the afternoon the CDs arrive. And even better, it's not using overpriced development components, it's in full volume production. The AMD product is interesting, but unless they get real product on shelves at reasonable prices, it's not worth my time to chase what is effectively vapour-ware.

    BTW, your mention of "uATX-like" is way off base. Mini-ITX is significantly smaller, and VIA has released its even smaller Nano-ITX range as well.
  • Re:Excellent (Score:2, Interesting)

    by Anonymous Coward on Saturday May 01, 2004 @06:19AM (#9026682)
    With dual-core CPUs possibly on the way from AMD, and the proliferation of other SMP or HyperThreading technologies, SMP is slowly becoming a priority.

    Something changed Theo's mind about it (maybe it was just Niklaus volunteering), so it's probably worth looking into.
  • FreeBSD and OpenBSD (Score:2, Interesting)

    by Dionysus ( 12737 ) on Saturday May 01, 2004 @06:50AM (#9026752) Homepage
    How does FreeBSD compare to OpenBSD? I realize that OpenBSD has a security focus, but I was thinking more from a user point of view. If a program runs on FreeBSD, does it automatically run on OpenBSD (without recompile) etc?

    Does FreeBSD support more hardware? What's the difference?
  • by geniusj ( 140174 ) on Saturday May 01, 2004 @08:10AM (#9026896) Homepage
    This can usually be achieved through Mandatory Access Control (MAC). I know FreeBSD 5.x has a MAC implementation, though I haven't used it myself. There are or have also been various linux MAC implementations available. Something to get used to though is that generally with MAC, there is no such thing as 'root'.
  • live cd (Score:3, Interesting)

    by Knights who say 'INT ( 708612 ) on Saturday May 01, 2004 @08:56AM (#9027003) Journal
    Hey, why don't you come up with a live-cd that can be installed to hard-drive with one command like Knoppix and that FreeBSD project?

    Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.

    Of course, I _could_ use better performance.
  • by Dammital ( 220641 ) on Saturday May 01, 2004 @09:40AM (#9027183)
    Build your OBSD firewall in a Soekris box [256.com]. Low power, low noise, runs from a CF card (or boots via PXE). Some models accept power-over-ethernet. And Soekris [soekris.com] directly supports FreeBSD, OpenBSD, NetBSD and Linux.
  • Re:Excellent (Score:3, Interesting)

    by EvilAlien ( 133134 ) on Saturday May 01, 2004 @10:48AM (#9027456) Journal
    Using the 2.6 kernel on a system with security as the primary goal isn't wise anyways. Part of having a well-secured system is staying away from the insufficiently audited and tested code, i.e. the new stuff.

    Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they get for ease of use and "newbie friendly" features.

  • by sudog ( 101964 ) on Saturday May 01, 2004 @11:42AM (#9027643) Homepage
    I understand there's some kind of arpbalance program which allows two machines to answer to the same arp request, and by doing so the hope is that some clients will see one arp, and some clients the other;

    However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?

    For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend. :)

    Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.
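What the post above asks for exists in pf as a route-to address pool. The fragment below is an added example, not from the post or from the OpenBSD PF FAQ, written in the pf.conf(5) syntax of OpenBSD 4.7 through 6.8 (the 3.5-era grammar needed explicit `nat` rules and `keep state`, and 6.9 and later drop the interface from `route-to` and take only the gateway address). Interfaces, networks and gateway addresses are constructed placeholders.

```conf
int_if  = "em1"
ext_if1 = "em0"
ext_if2 = "em3"
lan_net = "192.168.1.0/24"
gw1     = "198.51.100.1"
gw2     = "203.0.113.1"

# NAT separately on each uplink so replies return over the link the connection
# left on; the parenthesised interface tracks its current address.
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

# New LAN connections are spread over both gateways, bypassing the kernel's
# single default route. sticky-address pins each client to one uplink, so sites
# that tie a session to a source address do not see it change mid-session.
pass in on $int_if from $lan_net to any \
    route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } round-robin sticky-address

# Packets the routing table sent out the wrong interface (their source address
# belongs to the other uplink) are pushed back through the matching gateway.
pass out on $ext_if1 from ($ext_if2) route-to ($ext_if2 $gw2)
pass out on $ext_if2 from ($ext_if1) route-to ($ext_if1 $gw1)

# Nothing above notices a dead uplink: pair this with ifstated(8) or another
# gateway monitor, or a failed link keeps receiving its share of new connections.
```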
  • by sudog ( 101964 ) on Saturday May 01, 2004 @11:47AM (#9027668) Homepage
    I'm talking about 3rd party binaries, built to target a specific OpenBSD version, breaking when the next version of OpenBSD becomes available. I'm NOT talking about in-place binary upgrades of the system.

    NetBSD has Kernel options "COMPAT_16" or "COMPAT_15" so the kernel itself will support binaries which are targeted at older releases and thus can run software from (decades?) ago without much more than installing the older libraries it was linked against.

    OpenBSD, as I recall, has no such functionality to speak of. Or does it now?

    (English.. do you speak it?)
  • by Anonymous Coward on Saturday May 01, 2004 @09:41PM (#9031347)
    Replying from airport - so, anon. coward - perspective is required, folks - *BSD, *nix, etc may replace lower end Cisco (or many other vendors) devices (1700, 2600 etc), but the PC architecture or 'software only' implementations are insufficient for OC-48 or OC-192 interfaces, Packet Over SONET implementations, etc - excluding layer 3 switches, most switches almost exclusively use ASICs for a very good reason, folks - don't forget that Cisco's core competency has always been routers, hence the purchase (and still ongoing) 'absorption' by Cisco of the Catalyst, PIX, Aironet, etc product lines and/or companies, with all the attendant flaws of the 'purchase and integrate' model - nor am I a Cisco fanatic as my pref (cost/performance ratio, functionality, support, reliability, etc.) is for Juniper routers and Foundry switches in the large enterprise while a plethora of options exist for smaller organizations, including *BSD or *nix. Before screaming 'Cisco killer' (or '[any_vendor] killer'), always look at the purpose of the system - don't allow evangelism to cloud judgement, or else you'll be confused with a televangelist.
