OpenBSD 3.6 Released!

dspisak writes "The people over at OpenBSD have released version 3.6 containing significant new features such as: SMP support for i386 and amd64 archs, the ability to optimize pf rulesets, better hotplug support, in addition to more robust encryption and vpn functionality. This is in addition to more recent hardware support, for a full list of changes take a look at the 3.6 changelog. Don't forget to use the mirrors!"

Actually

[Karamchand]

..it was released on 29th of October already, as you can read here [undeadly.org]. When download, please don't forget to use the torrent [benzedrine.cx]!

Little Late

[the morgawr]

OBSD 3.6 has been out since Friday. It was released early with the hope that mirrors would have time to get set up before a massive slashdot-like download blasted the main site.

Well, come to think of it, this article was on time...

Don't forget the most important part....

[Anonymous Coward]

of this release!

A new BSD song!

Yeah!!!!!!

Not just for routing.

[saintlupus]

OpenBSD has a reputation for being the ideal platform for making into a router or firewall. That's true, but it's also a really nice general server OS for low power tasks. I run it at home as a file/web server, and it's really quite nice.

If you like Unix (as opposed to hating Microsoft), give it a shot.

--saint

Re:Is there a such thing as...

[eln]

Well, there was BSDi, which I think is defunct now, which was a closed-source OS on a BSD base (a piss poor one, I might add). Then of course, there's OSX, which is a closed source OS built on a BSD core.

So yes, there is.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:About Slashdot BSD Logo

[Chundra]

Actually, the fish has been around since 2.6 [openbsd.org].

If you had ordered the CD's...

[BawbBitchen]

...you would have 2 servers up and running already. Got my CD's last week and have 1 new box up and one old 3.5 box upgraded. May thanks to Theo and the team for such great software.

If you have not tried OpenBSD please do. While I will not speak on the idea of OpenBSD on the desktop I will speak to how great it is as a firewall. If you have struggled with IPTABLES it is time to give a try to PF. Have a look. It should be easy to understand:

ext_if="xl0"
int_if="fxp0"
# clean up the packets
scrub in all
# nat the internal network to the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# setup a table of RTBL IP's for spammers
table persist
#redirect any IP's in the the RTBL to spamd
rdr pass inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
# ftp proxy
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# redirect any internal user to squid
rdr on $int_if inet proto tcp from any to ! $int_if port 80 -> 127.0.0.1 port 3128
# pass extenal web request to the internal www server
rdr on $ext_if proto tcp from any to any port http -> 192.168.0.2
# pass extenal web request to the internal www server
rdr on $ext_if proto tcp from any to any port https -> 192.168.0.2
# drop everything
block in log
# allow out and keep track
pass out keep state
# allow anything to the loopback and internal interface
pass quick on { lo $int_if }
# no RFC 1918 spoofing (quick - do it now!)
antispoof quick for { lo $int_if }
# allow external ssh in
pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
# allow smtp in
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
# allow the www forwarding
pass in log on $ext_if proto tcp to 192.168.0.2 port http keep state
# allow the www forwarding
pass in log on $ext_if proto tcp to 192.168.0.2 port https keep state
# allow outbound smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

Very simple and clean. If you need a firewall give it a try!

Re:i notice...

[Tuzanor]

Not if you already changed the firewall rules to stop it. :-) If you change the firewall rules, the already open states would still be there and you'd have to kill the connection for it to stop. This new feature just gives you more fine grained control. So instead of having to flush all the open states (which would affect everything)

Re:i notice...

[NicolaiBSD]

Linux/iptables equivalent is here [freshmeat.net].

Re:Firewall ?

[Anonymous Coward]

Both PacketFilter and NetFilter provide enhanced filtering capabilities, and are statefull.

The way you build your rules is a little different.

I don't think there's much difference for Joe User (who wants to protect his home network beind cable/dsl).

The features in pf that I like are:
- packet normalization (scrub in all)
- ISN modification (modulate state)

I think you should rather use OpenBSD/pf if you intend to have a firewall with enhanced VPN capabilities, since OpenBSD has pretty good security features.

But the bottom line is: choose the one you're comfortable with. Both can be secure only if well configured!

Re:It's like a BSD golden age lately

[BrookHarty]

There are more BSD's distros than the top3 (Free/Net/Open), you have PicoBSD, Firefly BSD, Debian GNU/BSD, Gentoo BSD, BSDi, BSD-OS and Darwin.

Seems like lots of choices for BSD users.

hotplugd is neat

[hkb]

hotplugd is pretty damned neat on the user end. It allows you to define actions performed when a device is plugged in, such as a digital camera (ala cp /mnt/camera/* ~/pictures/$DATE/).

It's also mentioned in a recently slashdotted interview with some OpenBSD devs here:
http://www.onlamp.com/pub/a/bsd/2004/10/28/ openbsd _3_6.html

Re:About Slashdot BSD Logo

[ebooher]

Ok, the current icon for a generic BSD story on /. right now is the Daemon, right? Everyone I know associates the Daemon with BSD regardless of flavor. NetBSD has attempted to single themselves out as a seperate distro from the rest of the BSD group/stables. Why would it make any sense to use their new logo as the *generic* BSD logo? If the /. story is 100% devoted to NetBSD, then sure, use the flag like Apple has their own logo. But I don't think it would be worthwhile to replace the Daemon with the NetBSD flag on a story dealing with OpenBSD.

Re:If you had ordered the CD's...

[the morgawr]

Don't know of a comparison but a quick overview of pf is available: http://www.openbsd.org/faq/pf/index.html

It might just be that I'm a little thick up top, but I've found it easier and quicker to use PF instead of iptables for routers. The main thing I like about it is that you can do your packet shaping and filtering with the same config file. You can also track state connections by IP address (source tracking).

Re:OpenBSD impossible to update?

[44BSD]

CVS is your friend. See also the updating mini-faq, conveniently located here [openbsd.org]

Re:If you had ordered the CD's...

[e9th]

A reasonably good book on pf is Building Firewalls With OpenBSD and pf by Jacek Artemiak. It's an okay intro to firewalling, with lots of pf specific examples. No direct comparisons with iptables, though.

Re:OpenBSD impossible to update?

[Moridineas]

Also you can use binary snapshots to upgrade, which I did recently from 3.1 -> 3.5. VERY easy. I would've done source upgrade, but the computer is a 386 and that takes a long time :-p

As for updating files in /etc/ ... MERGEMASTER! It's a port, in sysutils I think...mergemaster is your friend, and a really, really awesome program.

Re:If you had ordered the CD's...

[Richard_at_work]

You are actually using more rules than you really need to, as you can combine the rdr and the pass rules:

## Webserver (http/https)
rdr pass on $ext_if proto tcp from any to ($ext_if) port http -> 10.0.0.8 port http
rdr pass on $ext_if proto tcp from any to ($ext_if) port https -> 10.0.0.8 port https

I like this better than having two seperate rules, as you know youve included both!

custom iso I made :

[xarontas]

ed2k://|file|openBSD36.i386+ports+src.bootable.iso |276707328|abfef21976ed88d112bb413889ec24a3| you can check security using MD5 sums for the files included boot image used: floppy36.fs

Re:SMP

[BawbBitchen]

Depends.

I asked about SMP for Sparc32 (I have a quad SS20!) but there was no take on that. SMP for Sparc64 maybe coming..

OpenBSD is great for learning, too

[mmkhd]

I want to recommend OpenBSD to anyone who wants to build a small server and it is a must for a firewall/NAT box.

I have never seen such a clear, concise, and easy to understand configuration file as that of pf.conf (IP filter).
The files for the boot-up configuration rc.conf and rc.local are also very clear and easy to understand.

Everything has very _good_ man pages and sample configuration files with lots of comments.

The faq on openbsd.org is quite good, too.

One aspect of security is simplicity, which implies easily understood configuration files.

Another aspect of security is that you learn about the fundamentals of your system /network. OpenBSD's lack of graphical configuration aids is a great help here.
You simply _have_ to learn about your system to be able to operate it, but at the same time learning is made easy, by great documentation.

And if anybody is put off by OpenBSD's (in)famous penchant for straight/rude talking developers: Don't worry, I found people friendly and helpful. They are only put off, by questions that are very obvious and have been covered in the documentation extensively. But I am also the kind of person who loathes to ask for help in a D.I.Y. shop such as Home Depot, preferring to find things unaided so that I learn more and more about the products they offer, so that I will be more knowledgeable when doing my next project.

Marcus

Re:i notice...

[eht]

There's an free app for windows from sysinternals called tcpview that lets you close connection, it's gui based though available here [sysinternals.com]

not sure of any command line utils

sysinternals has many other cool free apps and many of those have source code

Re:On Address Space Randomization...

[kokamomi]

here it is in acrobat format. [wisc.edu]

Re:SMP support

[styrotech]

The developers admit it's pretty crude. It just uses the one big lock technique that most first time SMP projects seem to.

Don't forget SMP opens up new opportunities for security problems, and the OpenBSD devs will be treading very cautiously and conservatively with their implementation. For them security outweighs performance.

Don't expect it to compete with Linux 2.6 or FreeBSD 5 in terms of performance and scalability anytime soon (if ever).

Re:It's like a BSD golden age lately

[ocelotbob]

Nope. The only NeXT hardware were the slabs and the cubes. There were no PPC NeXTs sold.

Re:It's like a BSD golden age lately

[baka_boy]

No way there was a PPC NeXT box -- they had already ported the OS to X86 by the time the 601 hit production. My guess is that you're remembering a BeBox review.

Re:If you had ordered the CD's...

[NickHolland]

We've taken some steps with this release to make this a little less difficult:

http://www.openbsd.org/faq/upgrade36.html [openbsd.org]

As the author of the above, my opinion of its value may be biased, however. :)

Re:i notice...

[Anonymous Coward]

tcpkill from dsniff [monkey.org]: it's less "clean" (send RST to both side of the connection) but works fine in most cases. Runs on most (all ?) Unices. There is a Windows port but it looks like tcpkill is not part of it.