
OpenBSD 3.6 Released!

Posted by Hemos
from the coming-out-at-you dept.
dspisak writes "The people over at OpenBSD have released version 3.6 containing significant new features such as: SMP support for i386 and amd64 archs, the ability to optimize pf rulesets, better hotplug support, in addition to more robust encryption and vpn functionality. This is in addition to more recent hardware support, for a full list of changes take a look at the 3.6 changelog. Don't forget to use the mirrors!"

  • Hooray! (Score:3, Funny)

    by Rhesus Piece (764852) on Monday November 01, 2004 @01:54PM (#10688086)
    Excellent timing!
    Right around Halloween, the "dead" comes back to life!

    Congrats and good work to the OpenBSD team!
    Keep it up.
  • Actually (Score:5, Informative)

    by Karamchand (607798) on Monday November 01, 2004 @01:55PM (#10688107)
    ..it was released on 29th of October already, as you can read here [undeadly.org]. When downloading, please don't forget to use the torrent [benzedrine.cx]!

    • ...slashdot actually acted like a responsible net citizen and delayed the announcement until the mirrors were populated.

      And it hurts nobody, I think you'll agree. Those who desperately want the 3.6 code will already have it; more casual users will benefit from using a mirror.

  • I wish (Score:5, Funny)

    by Anonymous Coward on Monday November 01, 2004 @01:55PM (#10688108)
    I wish there was someone in real life who knew what OpenBSD was so they could share my enthusiasm =(
    • Re:I wish (Score:5, Funny)

      by nomadic (141991) <nomadicworld.gmail@com> on Monday November 01, 2004 @02:15PM (#10688465) Homepage
      I wish there was someone in real life who knew what OpenBSD was so they could share my enthusiasm =(

      I know a girl who's extremely interested in OpenBSD, I could give you her number if you want.


      Nah, just messing with you, made that up.
      • well here's a real one [ambientirony.mu.nu].
        I don't have her number though....
      • I know a girl who's extremely interested in OpenBSD, I could give you her number if you want. Nah, just messing with you, made that up.

        What, it's that unlikely? I know about the BSDs and use FreeBSD myself, and I used to work at an ISP where most of the people there (excluding management) used some form of free Unix clone.

        • What, it's that unlikely? I know about the BSDs and use FreeBSD myself, and I used to work at an ISP where most of the people there (excluding management) used some form of free Unix clone.

          Are there unicorns and pixies there, too?
  • by nweaver (113078) on Monday November 01, 2004 @01:55PM (#10688113) Homepage
    There was an excellent paper at CCS last week on the limits of address space randomization. If you want address space randomization to be effective, use a 64 bit architecture and native 64 bit binaries for your OpenBSD system.
  • Little Late (Score:3, Informative)

    by the morgawr (670303) on Monday November 01, 2004 @01:57PM (#10688139) Homepage Journal
    OBSD 3.6 has been out since Friday. It was released early with the hope that mirrors would have time to get set up before a massive slashdot-like download blasted the main site.

    Well, come to think of it, this article was on time...

  • Firewall ? (Score:1, Interesting)

    by Anonymous Coward
    What are the differences between packet filter and ip tables, for use as a firewall box?
    • Re:Firewall ? (Score:3, Informative)

      by Anonymous Coward
      Both PacketFilter and NetFilter provide enhanced filtering capabilities, and are stateful.

      The way you build your rules is a little different.

      I don't think there's much difference for Joe User (who wants to protect his home network behind cable/dsl).

      The features in pf that I like are:
      - packet normalization (scrub in all)
      - ISN modification (modulate state)

      I think you should rather use OpenBSD/pf if you intend to have a firewall with enhanced VPN capabilities, since OpenBSD has pretty good security feature
      • Re:Firewall ? (Score:3, Insightful)

        by TheRaven64 (641858)
        Last time I looked, iptables also didn't support prioritisation of TCP ACKs, a particularly useful feature for people on an asymmetric connection, since it prevents maxing out the upstream bandwidth from throttling the downstream.
        • That's not entirely accurate. NetFilter can [lartc.org] do it. It's really ugly though. You have to tell it where the ACK flag is in the headers because it doesn't know.

          From the site I linked:

          tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \
          match ip protocol 6 0xff \
          match u8 0x05 0x0f at 0 \
          match u16 0x0000 0xffc0 at 2 \
          match u8 0x10 0xff at 33 \
          flowid 1:3


          That will (apparently) prioritize ACK packets with no payload. Then there's the PF wa
    • by DeBeuk (239106) on Monday November 01, 2004 @03:51PM (#10690449)
      Top 10 reasons IPTABLES is better than PF:

      10. Parsing IPTABLES config files excellent preparation for subsequent
      learning of Asian pictograph-based languages.

      9. Standard logging via syslogd helps eliminate clutter in /var/log.

      8. GPL prevents Steve Jobs from stealing your code.

      7. Simplistic man pages encourage development of social skills via mailing
      lists.

      6. Multiple distributions, versions, kernels, modules, plugins, etc. keep
      hackers confused as to exactly what they're attacking.

      5. "Mangle" just sounds so much more 133+ than "Scrub".

      4. Complexity of structure leads to more opportunities for obfuscation and
      subsequent job security.

      3. New and experimental kernel modules make life exciting again.

      2. GUI and Web based utilities mean that anyone can set one up without knowing
      what they're doing.

      And the number one reason IPTABLES is better than PF:

      1. No distracting arguments about whether to port it to OpenBSD.

      Shamelessly stolen from the pf mailinglist [theaimsgroup.com].
  • by ewg (158266) on Monday November 01, 2004 @02:01PM (#10688195)
    It's like a BSD golden age lately, with (alphabetically!) FreeBSD, NetBSD, and OpenBSD releases coinciding.

    Hooray for all three. It's an amazing luxury to have so many open source Unix-like operating systems and kernels out there, free for the download.
    • by BrookHarty (9119) on Monday November 01, 2004 @02:29PM (#10688743) Homepage Journal
      There are more BSD's distros than the top3 (Free/Net/Open), you have PicoBSD, Firefly BSD, Debian GNU/BSD, Gentoo BSD, BSDi, BSD-OS and Darwin.

      Seems like lots of choices for BSD users.
      • There are more BSD's distros than the top3 (Free/Net/Open), you have PicoBSD, Firefly BSD, Debian GNU/BSD, Gentoo BSD, BSDi, BSD-OS and Darwin.

        Not really. Nobody uses the rest of that stuff, generally for good reason.

        PicoBSD: out of date abandonware
        FireflyBSD: an intriguing research project but not close to being finished
        Debian GNU/BSD: BAHHAHAHAHAHAHAHAAHA
        Gentoo BSD: ditto
        BSDi and BSD-OS (same thing, right?): merged and superseded in just about every way by FreeBSD
        Darwin: Everyone who gives a shit just u

    • This is a total opposite of what it was like in the past.

      10 years ago I really wanted to learn a unix but had no real stable versions available for the pc. You needed a risc box. I was thinking of buying a Powerpc 601 next cube. They were cheap and only $1400. My friends thought I was nuts. A few years later I learned about Linux and it became stable and ready enough to use.

      Today it's the opposite with cheap free Unixes available on x86.
  • by Anonymous Coward
    of this release!

    A new BSD song!

    Yeah!!!!!!
  • i notice... (Score:5, Interesting)

    by null-sRc (593143) on Monday November 01, 2004 @02:03PM (#10688240)
    i noticed under new features:

    tcpdrop(8), a command to drop TCP connections.

    this looked like an awesome idea, and I'm wondering what the windows / linux equivalent is... anyone know?
    • Ok, it says that if one connection is causing congestion, you can drop the connection...
      But can they just reconnect?
      • Re:i notice... (Score:3, Informative)

        by Tuzanor (125152)
        Not if you already changed the firewall rules to stop it. :-) If you change the firewall rules, the already open states would still be there and you'd have to kill the connection for it to stop. This new feature just gives you more fine grained control. So instead of having to flush all the open states (which would affect everything)
    • In windows it's the power button.
    • I think in Windows it's a balloon that pops up and says "Network Cable Disconnected"... :-)
    • Re:i notice... (Score:2, Informative)

      by NicolaiBSD (460297)
      Linux/iptables equivalent is here [freshmeat.net].
    • there is none in windows that i know of, but it would be trivial to code one:

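      #include <iphlpapi.h>  /* after <windows.h>; link with iphlpapi.lib */
      /* SetTcpEntry() only accepts MIB_TCP_STATE_DELETE_TCB as the new state; ports are in network byte order */
      MIB_TCPROW row={MIB_TCP_STATE_DELETE_TCB, myaddr, myport, theiraddr, theirport};
      SetTcpEntry(&row);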
    • Re:i notice... (Score:4, Informative)

      by eht (8912) on Monday November 01, 2004 @04:07PM (#10690829)
      There's a free app for Windows from Sysinternals called tcpview that lets you close connections; it's GUI based though, available here [sysinternals.com]

      not sure of any command line utils

      sysinternals has many other cool free apps and many of those have source code
  • by saintlupus (227599) on Monday November 01, 2004 @02:07PM (#10688308) Homepage
    OpenBSD has a reputation for being the ideal platform for making into a router or firewall. That's true, but it's also a really nice general server OS for low power tasks. I run it at home as a file/web server, and it's really quite nice.

    If you like Unix (as opposed to hating Microsoft), give it a shot.

    --saint
  • macppc G5 support? (Score:1, Insightful)

    by Anonymous Coward
    When will Open support Apple's new G5 computers? Currently the hardware compatibility only lists all older G3 and G4 based computers.
  • by Anonymous Coward on Monday November 01, 2004 @02:17PM (#10688498)
    Simple (text install). Default install is small, but gives you a complete, basic Unix-like OS. Man pages are really useful. Multi-platform, so you don't have to manage a different OS on every arch you have. OpenBSD is creating technology that helps other distros, such as OpenSSH. I'm expecting to see their BGP and NTP stuff showing up elsewhere.
  • by BawbBitchen (456931) on Monday November 01, 2004 @02:19PM (#10688539) Homepage
    ...you would have 2 servers up and running already. Got my CD's last week and have 1 new box up and one old 3.5 box upgraded. Many thanks to Theo and the team for such great software.

    If you have not tried OpenBSD please do. While I will not speak on the idea of OpenBSD on the desktop I will speak to how great it is as a firewall. If you have struggled with IPTABLES it is time to give a try to PF. Have a look. It should be easy to understand:

    ext_if="xl0"
    int_if="fxp0"
    # clean up the packets
    scrub in all
    # nat the internal network to the external interface
    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    # setup a table of RTBL IP's for spammers (<spamd> is the table spamd-setup(8) fills)
    table <spamd> persist
    # redirect any IP's in the RTBL to spamd
    rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
    # ftp proxy
    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    # redirect any internal user to squid
    rdr on $int_if inet proto tcp from any to ! $int_if port 80 -> 127.0.0.1 port 3128
    # pass external web request to the internal www server
    rdr on $ext_if proto tcp from any to any port http -> 192.168.0.2
    # pass external https request to the internal www server
    rdr on $ext_if proto tcp from any to any port https -> 192.168.0.2
    # drop everything
    block in log
    # allow out and keep track
    pass out keep state
    # allow anything to the loopback and internal interface
    pass quick on { lo $int_if }
    # no RFC 1918 spoofing (quick - do it now!)
    antispoof quick for { lo $int_if }
    # allow external ssh in
    pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
    # allow smtp in
    pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
    # allow the www forwarding
    pass in log on $ext_if proto tcp to 192.168.0.2 port http keep state
    # allow the www forwarding
    pass in log on $ext_if proto tcp to 192.168.0.2 port https keep state
    # allow outbound smtp
    pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

    Very simple and clean. If you need a firewall give it a try!
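How pf arrives at a verdict for the ruleset posted above, as an added example that is not part of the original comment: a simplified Python model of "last matching rule wins, `quick` stops evaluation, translation happens before filtering". The external address 203.0.113.10 and the sample packets are constructed; `antispoof`, logging, state tracking and the `rdr pass` rules are left out of the model.

```python
EXT_IF, INT_IF = "xl0", "fxp0"      # interface names from the posted ruleset
EXT_ADDR = "203.0.113.10"            # constructed stand-in for ($ext_if)
WWW = "192.168.0.2"                  # internal web server from the posted ruleset

# The two "rdr on $ext_if ... -> 192.168.0.2" rules: destination port -> new destination
RDR = {80: WWW, 443: WWW}

# Filter rules in the order they were posted.
RULES = [
    dict(action="block", dir="in"),                                    # block in log
    dict(action="pass", dir="out"),                                    # pass out keep state
    dict(action="pass", quick=True, ifaces={"lo", INT_IF}),            # pass quick on { lo $int_if }
    dict(action="pass", dir="in", ifaces={EXT_IF}, proto="tcp", dst=EXT_ADDR, port=22),
    dict(action="pass", dir="in", ifaces={EXT_IF}, proto="tcp", dst=EXT_ADDR, port=25),
    dict(action="pass", dir="in", ifaces={EXT_IF}, proto="tcp", dst=WWW, port=80),
    dict(action="pass", dir="in", ifaces={EXT_IF}, proto="tcp", dst=WWW, port=443),
    dict(action="pass", dir="out", ifaces={EXT_IF}, proto="tcp", src=EXT_ADDR, port=25),
]


def matches(rule, pkt):
    """A rule matches when every criterion it states agrees with the packet."""
    if "dir" in rule and rule["dir"] != pkt["dir"]:
        return False
    if "ifaces" in rule and pkt["iface"] not in rule["ifaces"]:
        return False
    return all(rule[k] == pkt.get(k) for k in ("proto", "src", "dst", "port") if k in rule)


def translate(pkt):
    """Apply rdr first, so the filter rules see the rewritten destination."""
    pkt = dict(pkt)
    if (pkt["dir"] == "in" and pkt["iface"] == EXT_IF
            and pkt.get("proto") == "tcp" and pkt.get("port") in RDR):
        pkt["dst"] = RDR[pkt["port"]]
    return pkt


def evaluate(pkt):
    """Return (verdict, index of the deciding rule); pf passes when nothing matches."""
    pkt = translate(pkt)
    verdict, decided_by = "pass", None
    for index, rule in enumerate(RULES):
        if matches(rule, pkt):
            verdict, decided_by = rule["action"], index
            if rule.get("quick"):
                break
    return verdict, decided_by


def inbound(port, proto="tcp", iface=EXT_IF, dst=EXT_ADDR):
    """Constructed inbound packet from a documentation-range source address."""
    return dict(dir="in", iface=iface, proto=proto, src="198.51.100.7", dst=dst, port=port)


if __name__ == "__main__":
    for port in (22, 23, 80, 443):
        print(f"tcp/{port} in on {EXT_IF}: {evaluate(inbound(port))}")
```

Port 23 is decided by rule 0 because no later rule matches it, while port 80 is passed by rule 5 only because the redirect has already rewritten its destination to 192.168.0.2.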
  • hotplugd is neat (Score:5, Informative)

    by hkb (777908) on Monday November 01, 2004 @02:29PM (#10688745)
    hotplugd is pretty damned neat on the user end. It allows you to define actions performed when a device is plugged in, such as a digital camera (ala cp /mnt/camera/* ~/pictures/$DATE/).

    It's also mentioned in a recently slashdotted interview with some OpenBSD devs here:
    http://www.onlamp.com/pub/a/bsd/2004/10/28/openbsd_3_6.html
  • by berck (60937) on Monday November 01, 2004 @02:34PM (#10688816) Homepage Journal
    I've got OpenBSD running as a little personal webserver, DNS server and so on. It's running OpenBSD3.1, because at least back then, it was absolutely impossible to update. Every update involves going through and manually mucking with endless configuration files, etc. I use Debian for most everything, and have grown so used to the ability to run an apt-get update; apt-get dist-upgrade.

    The inability to easily update OpenBSD, to me, nullifies any benefit one gets from it being "secure". If I'm running a two year old version of Apache because it's such a pain in the butt to update, how is that secure? I think automatic security updates are imperative for a secure system.

    And, furthermore, the automatic updating system should be secure as well.
  • Finally (Score:2, Funny)

    by Grayswan (260299)
    Awesome! I can finally run BSD on my old quad 386sx with 1Meg of RAM! Now I'll be cooking with propane.
  • Anybody gotten their CDs yet? Ordered mine a month ago. The new stickers should give the GPL/Linux Nazis at my work pause :)
  • Up time (Score:3, Funny)

    by KilobyteKnight (91023) <bjm@@@midsouth...rr...com> on Monday November 01, 2004 @03:51PM (#10690451) Homepage
    I wish they'd slow down the releases. Between the new versions and power outages, the uptime on my server is suffering.
  • by mmkhd (142113) on Monday November 01, 2004 @03:59PM (#10690649)
    I want to recommend OpenBSD to anyone who wants to build a small server and it is a must for a firewall/NAT box.

    I have never seen such a clear, concise, and easy to understand configuration file as that of pf.conf (IP filter).
    The files for the boot-up configuration rc.conf and rc.local are also very clear and easy to understand.

    Everything has very _good_ man pages and sample configuration files with lots of comments.

    The faq on openbsd.org is quite good, too.

    One aspect of security is simplicity, which implies easily understood configuration files.

    Another aspect of security is that you learn about the fundamentals of your system /network. OpenBSD's lack of graphical configuration aids is a great help here.
    You simply _have_ to learn about your system to be able to operate it, but at the same time learning is made easy by great documentation.

    And if anybody is put off by OpenBSD's (in)famous penchant for straight/rude talking developers: Don't worry, I found people friendly and helpful. They are only put off by questions that are very obvious and have been covered in the documentation extensively. But I am also the kind of person who loathes to ask for help in a D.I.Y. shop such as Home Depot, preferring to find things unaided so that I learn more and more about the products they offer, so that I will be more knowledgeable when doing my next project.

    Marcus
  • I look forward to OpenBSD releases not because I use OpenBSD, or even that I am particularly interested in it -- it's the OpenBSD songs [openbsd.org] that I wait for. They are actually quite good.
    "The Legend of Puffy Hood" and "Puff the Barbarian" were particularly good, and I found that many non-geeks liked them for their music if nothing more (and they tend to appreciate the lyrics once they read the page I linked above).

    Speaking of lyrics, if you read them, you will find that they are actually very clever political s

  • Just how good is the SMP code in it?

    steve
    • That's a great question. And one that I'm sure many would like to have answered. I, unfortunately, am not the person to answer it.
    • Big kernel lock. About as good as FreeBSD 4.x or Linux 2.0.x.

      It's a good start, you'll know that the other cpu under the hood will be at least doing something, not just heating the air :)
    • Re:SMP support (Score:5, Informative)

      by styrotech (136124) on Monday November 01, 2004 @06:06PM (#10693001)
      The developers admit it's pretty crude. It just uses the one big lock technique that most first time SMP projects seem to.

      Don't forget SMP opens up new opportunities for security problems, and the OpenBSD devs will be treading very cautiously and conservatively with their implementation. For them security outweighs performance.

      Don't expect it to compete with Linux 2.6 or FreeBSD 5 in terms of performance and scalability anytime soon (if ever).
      • Don't forget SMP opens up new opportunities for security problems

        BSD developers like to hide behind that, but I don't recall any security problems arising in any OS from SMP support. Buffer overflows, unchecked user data, etc. aren't things that come about because of SMP.

        steve
        • Re:SMP support (Score:3, Insightful)

          by setagllib (753300)
          Well, you saw the crap that happened to FreeBSD 5 when they tried to get 'good' SMP support. The SMP is fine-grained for the most part, but it isn't worth it, since the performance on SMP and UP is still (as demonstrated above) miles behind other systems, even Net and OpenBSD which don't claim to have fine-grained or even far matured SMP.

          SMP itself is not a killer, but when a design for SMP is overcomplicated, the rest of the system suffers.
        • The OpenBSD crowd spent their time worrying about those very security problems, as well as others. I suspect they wanted SMP now because the dual core chips are going to start coming out soon.

          Also... some security problems come from race conditions. Those are a lot easier to avoid in a biglock kernel than they are in something like FreeBSD 5.
  • 1 down, 2 to go (Score:2, Redundant)

    by nurb432 (527695)
    This is a great month for us BSD fans.. with major releases from all 3 main flavors..
  • by Keith McClary (14340) on Monday November 01, 2004 @06:18PM (#10693162)
    Don't forget to use the mirrors!

    I've heard there are big companies using many copies of OpenBSD but haven't even bought a CD.

    They should get their names on this list:
    http://www.openbsd.com/donations.html
