Forgot your password?
typodupeerror
BSD Operating Systems

OpenBSD's PF Developers Interview 110

Posted by Hemos
from the reading-all-about-it dept.
An anonymous reader writes "ONLamp.com has published a very long interview with 6 OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dharmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."
This discussion has been archived. No new comments can be posted.

OpenBSD's PF Developers Interview

Comments Filter:
  • by Anonymous Coward on Saturday May 08, 2004 @01:35PM (#9094355)
    Packet filtering, you might think that would be mentioned in the summary... or the article. But then it wouldn't be Slashdot.
  • OpenBSD problems (Score:-1, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @01:38PM (#9094373)
    I agree that FreeBSD is in deep trouble. And while FreeBSD is beset with its own internal strife, it is not the only BSD to be affected by this cancer. Just look at the problems plaguing OpenBSD.

    I read that T.Deraadt email thread when I first looked at OpenBSD, and my initial impression was that Theo had a real baaaaadddd attitude. I do know for a fact that a lot of the NetBSD folks were upset to see him leave and fork off his own version of the OS, and to lose him as a developer. But in reading his email he obviously has a problem with taking any criticism, and had no problem with jumping down someone's throat with a flamethrower and foul language. Denial, its not just a river in Egypt...

    Not that I wouldn't use OpenBSD, or any other operating system that met my technical needs, whatever the personality of the people involved. I've dealt with enough bad attitudes from commercial OS vendors in my years in the industry to be able to deal with it if I have to. It just seems that *BSD has an extra heaping helping of bad attitudes that make commercial vendors look like pikers.

    If you *really* read that email thread, you would see the attitude loud and clear. "We don't think that it helps anything for you to tell someone he's a f**khead when he's posting a message trying to help with the OS development." "F**K YOU, *I* want control of the source and if you don't like it I'll fork my own off!"

    That's my impression of it... He sounded like an immature little upset kid to me. The development of any of the O.S. OS's is a group effort, and having one person think they have all the answers and have to be the one in control is dead wrong. So, now he *has* control of his own fork of BSD, and lost the ability to maintain many of the various platform ports because he has no developers. Thus, the OpenBSD page says that for a VAX port, for instance, "support can be easily ported over from NetBSD". Why these problems are so prevalent under FreeBSD/OpenBSD/NetBSD remains something of a mystery. These systems seem to be self selective in their attraction to weirdos and big egos.

    The split had nothing to do with the quality of his coding work, and everything to do with his nasty attitude towards people... and NOT just the people of NetBSD Core, but other people who were just civilians trying to help out, or looking for help. No wonder BSD has lost.

  • PF can Filers By OS (Score:5, Interesting)

    by zulux (112259) on Saturday May 08, 2004 @01:44PM (#9094399) Homepage Journal
    One of the coolers things 'bout PF, is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server - you can specifically deny Windows from connecting with a simple PF rule.

    It's great of VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have and OpenBSD computer (or at least spoof one)

  • Re:OpenBSD problems (Score:5, Interesting)

    by Anonymous Coward on Saturday May 08, 2004 @01:46PM (#9094410)
    I've read the same thread myself, but I don't think Theo's temper is a problem for OpenBSD.
    Quite the contrary, actually.

    He has a project that's rock solid, and he doesn't want forks polluting OpenBSD's good reputation.
    I don't see why that's a problem. After all, OpenBSD is _his_ baby, and it's his call what to do with it.
    I'd probably do the same if I were in Theo's shoes.
  • Wow (Score:1, Interesting)

    by 222 (551054) <stormseeker@gmail . c om> on Saturday May 08, 2004 @01:52PM (#9094437) Homepage
    I actually read the article, and although i can't tell you too much about what it means, i can tell you that these guys sound damn smart. I mean DAMN smart.
  • Re:OpenBSD problems (Score:3, Interesting)

    by burns210 (572621) <maburns@gmail.com> on Saturday May 08, 2004 @04:04PM (#9095241) Homepage Journal
    yea, it is his 'baby' but it is released under and open license, why SHOULDN'T i be able to fork openbsd if i want? If Theo wants an unforkable OS, he shouldn't have started by forking netbsd in the first place!
  • Re:OpenBSD problems (Score:1, Interesting)

    by CherniyVolk (513591) on Saturday May 08, 2004 @05:45PM (#9095864)
    Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)

    In most cases, the fork should be named "BrokenBSD" by default.
  • Re:Wow (Score:5, Interesting)

    by 0racle (667029) on Saturday May 08, 2004 @05:46PM (#9095880)
    I personally have a lot of respect for the OpenBSD team, and the pf developers in particular, some time in the next week I'll be replacing my little Linksys with a OpenBSD pf firewall, and when I sat down to write the rules for it, it was amazing and appreciated how simple it is to write the rules, and that they're understandable at the same time. Comparing it to iptables that I saw once, the ease of writing the pf rules would have been enough for me to switch over. They also have that reputation thats not bad either.
  • by Anonymous Coward on Saturday May 08, 2004 @07:28PM (#9096463)
    The OS fingerprinting really has limited usefulness, because it's so easy to fool it.

    Block external Windows clients? But I'm behind an OpenBSD firewall running pf myself, so connections from my Windows machine will look like OpenBSD. (synproxy ;)

    And what happens when Longhorn starts using a TCP/IP stack indistinguishable from OpenBSD? (not that that's likely...)

    What are the chances of someone attacking (let along successfully) an OpenBSD machine from Windows anyway? More likely they're on Linux or something else and have the ability to spoof any OS they want.

    You can't rely on it at all, and the rest of OpenBSD is secure enough that you don't really have to.

    I suppose you can use OS fingerprinting to enforce internal policy ("no Windows machines on out network"), since you really need 2 machines to evade that, but that's kinda silly.
  • by jimi1283 (699887) on Sunday May 09, 2004 @03:28AM (#9098647)
    I can tell you, pf/ipf syntax is so easy when compared to iptables. And pf takes ipf even further by adding shortcuts to common tasks. For example, rather than setting up block rules to stop spoofing, you just do "antispoof for interface" and you're done :)

    I love OpenBSD for firewall/vpn duties... now if they'd just hurry the hell up and implement NAT-t for isakmpd i'd be a happy camper...

"Our vision is to speed up time, eventually eliminating it." -- Alex Schure

Working...