Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD 2.7 Released 201

dragonfly_blue writes: "Just wanted to let you know, OpenBSD 2.7 is out, with significant advances; including OpenSSH2, better Linux binary emulation, DSA encryption, and (my personal favorite) support for encrypting your swap space. Theo and the gang have also expanded the ports and packages collections considerably, so get 'em while they're hot!" (More.)

ocipio contributed some more tidbits, writing: " ... OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking. OpenBSD's cryptography has been further enhanced by encrypting virtual memory swap space, and by more flexible ISAKMPD key exchange and operating modes for IP Security networking." To keep things interesting in BSD Land, he adds "According to Jordan Hubbard, FreeBSD's release engineer, FreeBSD 3.5 will be released June 20th."

Cool on all counts. Way to go, BSD crew! (And Thanks! to everyone who pointed out this release.)

This discussion has been archived. No new comments can be posted.

OpenBSD 2.7 Released

Comments Filter:
  • by Anonymous Coward
    Actually you have your wires crossed. The TrustedBSD project (www.trustedbsd.org) is intended to add POSIX.1e security features to the FreeBSD system, including capabilities, MAC and kernel event auditing. It's not a code audit project - thats a separate project which also exists.

    As for the amount of code to audit, OpenBSD includes a lot of "extra" stuff as well compared to e.g. FreeBSD: for example, apache, lynx, mg (an emacs-alike editor), etc. Checking the sizes of my OpenBSD and FreeBSD source trees, I show OpenBSD to be 335M, and FreeBSD to be something less than 370M (I have extra crap in my tree). Thats not that different, considering FreeBSD probably includes more code in /usr/src/contrib which isn't actually compiled (contrib/ accounts for about 120M of that figure).
  • Oops, slashdot ate my cookie. The parent comment was posted by me (I don't like to hide as an AC)
  • Go grab a new 2.4.0-test1-ac* kernel, apply the 2.3.42 kerneli patches (which aren't available on ftp.kerneli.org, ironically. Check the linux-kernel archives.), handle the conflicts, and update the kernel utilities. If you don't want to mess with all this, you can get a 2.2 patch from ftp.kerneli.org and use it.

    I'd like to do that to a mission-critical prodction server! ;-)

    Regards, Tommy

  • Sorry. I'm cranky. I have to write a program in its entirity before tomarrow morning. I mean to include the :), really I did.
  • How much swap is truly necessary when you have large amounts of RAM?

    My home machine - a dual PII/400 - has 512Mb of PC100 memory. I'm considering installing Debian 2.2 on it when it is released. Do I really even need swap space?

  • by iota ( 527 ) on Thursday June 15, 2000 @03:37PM (#999156) Homepage
    No alpha port this time due to lack of support from users. Check out http://www.openbsd.org/want.html :
    "If we do not get some of these very soon, we are not going to ship OpenBSD/alpha on the 2.7 CD-ROM (it isn't worth our effort)."

    Makes a lot of sense to me... unlike Linux distros and developers, who are backed by VC, IPOs, and cushy jobs, the OpenBSD team actually have to work for a living :)

    jason
  • 1. Theo's beef is with NetBSD, not FreeBSD.
    2. If you don't wanna pay 25$ (miniscule), download it. Periodic CVS updates are recommended.
  • On September 20, when the #@$%#$@% RSA patent expires, it should be possible to ship OpenSSH as standard in the USA.

    YESSSSS!!! That's only 3 more months! Wheee!!! Is anyone planning a party???
  • No. Do basic math: Swapping means at least 5 ms delay to throw data to disk, which is about as slow as anything can get. In these 5ms, you can encrypt quite a lot of data even with something as slow as DES. Blowfish would be blazingly fast.

    In short: Encryption performance is about as fast as drive I/O, and initial delay on IO makes it unnoticeable.
  • Interesting...donated hardware or hosting perhaps?
  • Swap is never really reused anyway. Swap is encrypted to protect from stolen-harddrive-attack.
  • I'm not trying to belittle you, but the general attitude here at slashdot is that no one thinks they should pay for anything, just ask RMS about commercial software.

    http://tlug.linux.or.jp/rms.html

    "The only good thing about the unauthorized copy is that you avoid giving money to the owner. This is good, because the owner does not deserve a reward for making software proprietary"

    If you are worried about distro cost cheapbytes sells the OpenBSD cd for $4.99.
  • My problem with linux has been (lately) that when I try to install redhat, the install terminates.

    This happens to me a lot on a lot of different machines, and in fact I couldn't get redhat to install even the minimal setup on my Celeron 366, nor could I get debian to even boot into the installer. OpenBSD, on the other hand, installed with no problems and very quickly.

    If I were going to point a newbie at unix for the first time, though, I wouldn't send them to BSD. There's just not as many people out there willing to help a BSD newbie as there are those willing to help the linux kiddies. Then again, if you get on #linux as root, expect some hax0r1ng...

  • Swap partition, no. Swap file, yes.. Encrypted loopback, or an encrypted filesystem holding said swap file..

    Now this is off the cuff; This prolly won't work, and even if it did, it's be as slow as Windows95 on a 386.. But it is food for thought.. Ramdisk in memory, containing the 'swap space' mounted via a encrypted loopback. Make the ramdisk size close to physical, and you now have encrypted DRAM..

    Or switch platforms; The AS/400, the S/80 and a variety of other IBM midranges are capable of it, even if they don't come out of the box that way..
  • Why stop there? Let's encrypt everything to the point of all we get on our screen will be a bunch of useless characters. We won't know what is going on, but the important part is neither will THEY! Encode our swap space, maybe that is exactly what they want us to do. Ever think about that?
  • You say you set your 486 up as a cable-sharing gateway using FreeBSD. As I also want to setup a 486 for the exact same purpose, I'm exploring various options. Possible candidates I have in mind are Debian and OpenBSD. So, I have some questions:

    1. What about speed? Do you know how the various BSD's compare to linux when serving as a gateway on a 486? What is your experience running FreeBSD on it?

    2. Why did you pick FreeBSD instead of OpenBSD in your particular situation?

    3. Any other suggestions? I'm perfectly willing to spend time learning something new, but I really don't feel like installing and configuring more than one os.
  • This document makes a teensy error; it completely ignores the fact that the Linux swap space is not included in the Linux native file system; it has to be allocated on a separate partition with a different file system.

    No, it doesn't ignore that; and no, it doesn't have to be on a seperate partition.

    If you're not going to read the article, at least do a search for "swap" on it and read those lines.

    Here's one for you from the article:

    You will notice that I don't have a linux swap partition visible. My linux setup currently uses the OpenBSD swap area.

    That's one way. Another is the use of a swap file on the Linux partition (or even on the BSD partition), which Linux can easily do.

    How do you classify that as "ignoring" the question of swap space?

    --
  • Check out: http://www.openbsd.org/ports.html [openbsd.org] for generat information on the ports, and http://www.openbsd.org/cgi-bin/cvsweb/ ports/ [openbsd.org] to browse (via cvs) the ports tree. Good luck.
  • I have the encrypted loopback working very nicely. I use it with reiser files systems. (a patch on a patch :o)
    I was looking for your solution for the dynamic key generation and automounting of the swap device more than anything else.
    Thanks for the reply though.

  • Is there anyway to do a encrypted file system on OpenBSD?
  • You would encrypt swap to prevent the leaking of any sensitive data that is resident in a processes memory (cleartext passwords, private or secret keys, etc.)

    Without encrypted swap, an application with sensitive data may be swapped out at some point to the disk. Even if the process zeros its own memory eventually, this disk copy may be left around for prying eyes (another process does a large malloc and scans this dirty memory for keys/passwords).

    It seems to me that zeroing the swap before reuse would be a cheaper alternative to this. Here is the argument for why I think encryption doesn't buy you any security that zeroing doesn't:

    My reasoning is that another process would never get your old "dirty" memory with your key after a malloc. They would have to resort to spying in your memory in realtime.

    As for someone looking at your actual memory in realtime, encrypted swap isn't going to stop that. If they are sufficiently powerful to do this, they are sufficiently powerful to go into the kernel, extract the swap encryption key and read things anyway.

    Could someone more in the know explain what encryption buys you that kernel-level zeroing doesn't?

  • Yes I agree. The "Paranoid" option, with crypto installed is fairly locked down IMHO. It also illustrates the point that restricting access and functionality to what is required fr basic operation is the first step to securing a system.


  • Would't a program running as a normal user be unable to access the raw swap partition?

    Yea true, just like a normal user (or user program) can't grab a raw dump of kernel memory. Buy back in old Solaris or late SunOS, one of Sun's version shiped with incorrect premission on the kernel memory device, which allowed users (and user programs) to read any (or all) of the "primary" memory...

    It is better to have a "backup" or "fail safe" plan when dealing with security. If my firewall is completly cracked, I still have tcpwrappers to defend off with. If I set the incorrect read permission on a senastive file, I still have it encrypted to defend off with. If some how anyone can start connecting to the telnet port, most of the users accounts have /bin/false as there shell....

    The fact is, things do screw up, and when dealing with security it is a good idea to setup atleast 2 (if possiable) methods (if not more) incase the "main line" defense gets expoilted or breaks.

    Also what if someone takes the swap drive out at night, dumps it, puts it back in without you noticing? OK that is super paranoid, but that it what I love about OpenBSD.

  • Anyone know if this will be integrated into the Mac OS X (more specifically, the Darwin) code base?
  • This is not OpenBSD specific, but the best firewall book I've ever read is Firewalls and Internet Security (Repelling the Wily Hacker) by Cheswick and Bellovin. Published by Addison-Wesley. Good luck.
  • It could be his machine. True, the package selection system is easier than Win98 or NT in many respects, and if he is confused, well... maybe he would be happier with this manufacturer, [apple.com] as they make excellent machines with a very spiffy, powerful, and easy-to-use OS.

    Nevertheless, I am usually not one to blame problems with a user interface on the user. That is a developer's trap. What we need to do is keep trying to make the interfaces as intuitive as possible. It is true there will always be some that will not want to think for themselves at all, but that is what defaults are for.. let the developer and the computer think for them and they should be happy... IF the defaults are sane!

  • This new crypto stuff is very cool. Can't wait to have a play with it. These are featurs that should be in every OS. Top work.

  • This is why it is better to use an OS for what it's intended. OpenBSD is not for playing games. It is not for using applications, generally, though it will apparently run linux apps with binary compatability and most others with a recompile. I can't speak for that personally, and to be honest I don't see the point. Adding applications adds instability and decreases security.

    Basically, give NT to the Pointy-Haired Boss (though they will never admit they really need a Mac), Macintosh to the graphic designers (who *want* a Mac), use Linux for workstations and possibly web servers, and OpenBSD for firewalls and secure web servers.

    Using BSD as your box to play Quake on is like driving a tank to work.


  • Ok, zero-ing out the swap file is a good idea, but a couple of questions. What happens if the machine is shutdown unexpectly? For example, if you zero out the swap file in the shutdown run level, that is alright. But what if you say YANK the power cord from the wall, that bypasses the shutdown run level on the system and the swap is never zero-ed out?

  • It really depends on what you are doing. Obviously if you are not hitting swap a lot, you will not see a decrease in performance. If your disk is slow, the proc being locked up doing encryption calculations is less noticable.

    There are lies, damn lies, and benchmarks.

  • " ... OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking.

    Wow, it supports all the components that you will likely find in high-end servers, except for the most important ones! When are they finally going to support multiple processors?

  • www.openbsd.org is actually
    openbsd.sunsite.ualberta.ca, www.usa.openbsd.org
    is actually running OpenBSD itself.
  • Sure, I'd be glad to explain. You're wondering why www.OpenBSD.org is running on a Solaris server. See this comment from the misc OpenBSD mail archive [sigmasoft.com].

    Basically www.OpenBSD.org [openbsd.org] runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

    While you're looking around the site, check out their T-shirts. I like the fish-cipher t-shirt [openbsd.org] t-shirt that any open source guy would like. It has the Blowfish code printed on the t-shirt's back.

  • Sounds strange but I'd actually recommend "linux firewalls" by Robert Ziegler.

    I've read all of the books mentioned so far and I'd have to say first place goes to Orielly's even though it's a tad out of date. Second goes to Ziegler's book even though it's for Linux. It explains some important info in a very easy to understand layout that you need to get your firewall running.

    Most importanly, don't forget the indespensable IPFilter FAQ someone mentioned above.

    Good luck, LiNT

  • by Anonymous Coward
    It's only relevant for older machines and those are slow anyways

    Not really. Even if you have lots of free memory, some operating systems will move unused stuff out to swap space to give themselves more room for stuff like disk caching, buffers, etc. I'm running Linux with 64MB of RAM - right now only 30MB is used, but I still have 8MB in swap space. My disk cache is 31MB.

  • 4.0-S is still not considered "stable", as it is recommended for people who depend on the stability to wait for version 4.1-S. I have had no complaints on my 4.0 systems, but vinum still causes kernel panics when i have brain farts while setting up new arrays :0
  • How can you be so ignorant? MacOS-Ten does not contain code from ANY of the free BSD's. It is based on NeXT which was based in part on some old BSD code from yesteryear.

    Or, actually, it does. Darwin (the actual kernel bit of Mac OS X) was derived from FreeBSD 3.2-RELEASE sources and Mach 3. Go look it up. [apple.com]

  • I said above: Basically www.OpenBSD.org runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

    I meant to write the OpenBSD group is NOT, repeat, NOT looking for venture capital, and they're not like other distros like Red Hat who are more able to spend money on bandwidth and not worry about how it will affect the project's overall finances. Basically the OpenBSD project has limited financial resources so they want to use all the free resources they can get.


  • While IPv6 is supported in the linux kernel, I havn't seen too much work (yet) go into a full userland support
  • How about you all stop being stupid? Archie's right, paying $30 for extremely nice operating system is not that bad. I mean, how much did you pay for the hardware? Did you bitch about that too? How are the OpenBSD people supposed to fund their project without money? And using the whole 'leave the girl alone' angle was just boring and old.
  • i think they dropped support for alpha due to lack of funding/hardware. i don't feel like digging through the archives, but if you take a little time i'm sure you'll find it.
  • No, you still need to write Ordo vim (or maybe ordo mutt complium) because you don't want to be writing out temp files either. vim writes out unencrypted swap files...

  • Actually (ignoring the fact that your entire post is incorrect and filled with bogus information) OpenBSD is far more relevant than Solaris. Being operating systems, both are condemned to suck, but OpenBSD sucks far, far less. Solaris is slow, obsolete, and has more security holes than an unpatched Red Hat 5.0 [note to ignorant: that's a LOT]. OpenBSD is small, secure, and fast. If you're going to compare the relevance of OpenBSD, please compare it against that of a product with a future.
  • Also, are there any ways to encrypt the data in physical RAM, in any OS?

    The Dallas Semiconductor 5002FP [dalsemi.com] encrypts the address and data buses. It's an Intel 8051 compatible microprocessor, so forget about running Linux or *BSD.

  • How soon are any of these ideas going to make it to Linux distributions?

    In particular, I think it'd be great to have ssh ship with every Linux distribution.

    I don't think I'm paranoid enough to encrypt my swap, though....
  • No, just that one. Actually, anyone who doesn't know can't call himself a unix admin anyway.
  • Would that be to prevent your users from seeing what is in swap space? Or is this a paranoid "If the feds take my box..." kind of thing?
  • by Elladan ( 17598 ) on Thursday June 15, 2000 @01:59PM (#999198)

    Another process doing some malloc()s to see your ram isn't a problem - the kernel in this situation is going to zero the ram before that process gets to read from their malloc area, and in any case it won't have any reason to read in from untouched swap.

    Generally speaking, while the system is running and permissions are set, there's not going to be any difference between encrypted and unencrypted swap security wise. Programs won't be allowed to read from swap space, and they aren't allowed to read each other's ram or core files, either (at least, not without permission). About the only case where encrypted swap would help while the system is running is if swap was, for some reason, mounted over a network connection or someone was able to otherwise sniff the channel between the system bus and the actual swap storage device. This might be an actual possibility if you were dealing with, say, some sort of thin client which didn't have a hard disk and swapped to the server, for instance. Secrets wouldn't be accidentally transmitted in the clear due to some app on the client being swapped out. I suppose encrypted swap might also be useful in keeping superuser attacks from extracting information which is no longer resident, but was in the past too, but if you have a root compromise, you're screwed anyway.

    The real point of encrypted swap space is that it keeps your secret information from showing up in the swap file if someone steals your machine. Normally, the OS doesn't try to keep swap space clean, so whenever something is paged out, it'll just sit there in the swap partition until it gets overwritten. So, if someone stole your computer, they could then just scan through the memory dumps in your swap partition looking for secret data, and they might well find it. There's no way you could ensure that they wouldn't.

    Various other methods to encryption, such as zeroing, aren't really going to help. There are a number of flaws to the zeroing idea:

    • The swap space can only be zeroed when you actually release it. Thus, the OS would clear the swap block when it's no longer in use. This has the disadvantage of causing more disk IO, but more to the point, if the OS never sees the block get released, it never zeroes it out. So, the gestapo kicks down your door and rips the power cord out of the computer, the OS never gets a chance to clear itself out, and they get your secrets too. Bad.
    • Zeroing the data won't necessarily erase it very well. Look at the wipe utility and all the hoops it has to go to in an attempt to securely erase data from your disk (and even then, it has flaws). It's very possible for someone to go over a swap partition that's been zeroed, and still recover data, even if it was erased a couple times.
    So, basically, it's a lot better to guarantee that your secret is never written to disk at all in an unencrypted form, if you're really worried about it. That means, either you encrypt the swap file, which is a general solution, or you write your software so that, if it knows it has a secret, it will make sure the secret is never written to swap (for instance, by locking the secret in ram so it can't be paged out). The latter solution is good practice, but it's very hard to ensure it works properly.
  • If you can't think of anything other than feds, then YOU are paranoid.

    Just take a look at all the hard disks stolen from Los Alamos, at all the notebooks stolen in a number of places. Espionage, including industrial espionage, exists.

    If you keep your data encrypted, you decrease the chance of having it just stolen. But if the data is left unencrypted in the swap...
  • Well, im glad to see you like IRIX. (I like, and Use IRIX daily as well).

    As far as threading in irix, it didn't work with shit until 6.4. NFS on irix has been problematic at times, leading to pesky things like kernel panics, etc. The 32->64 bit migration on irix has been pretty amusing, unless you've actually had to use 3rd party tools or libs for anything, in which case, its been nightmarish. (n32 tools are better, vendiors love to ship o32... sound familiar ?)

    IRIX has faults just like any other OS. I still like it. There is a pretty wide market niche for solaris to fill, one that IRIX wouldn't fill as well. Namely, Solaris has the right mix of "stable", "easy", and "thorough" to make it a very viable operating system. Outside of the world of slashdot, there are plenty of people that agree with me :)

    IIRC, the largest IRIX installtion is ASCI-Blue mountain, at 6144 processsors. This is _not_ a single machine image. O2k machines have only been implemented upto 256 cpus with a single image, althoug the O2k architecture should support 4096 (see Lewis and Berg: Pthreads)

    XFS _is_ a fast file-system. But if you were a hardcore irix user then you know its taken XFS a while to be what it is. Back in the day when we were running 5.3 + XFS, things were different. Back then there was no xfs_check. They just assumed it would alwasy work. This is in the XFS design papers, btw. Or like the time when XFS patches broke any possibility of conveniently booting a downed SGI machine (all the media was 6.2, effectivly patchlevel zero, but subsequent patches to the OS made the on-disk XFS file-system unreadable and thus unrepairable to the on-cd kernel and tools)

    These sorts of things tend to not happen with solaris. It's not nearly as esoteric, so it doesn't have the bleeding edge performance of IRIX. On the other hand, it is very feature rich, and very stable as well.

    Like i said, right mix of stabl, easy, and thorough. Might as well add "cheap".
  • Well, not for all applications...for example, databases, you have no control over what gets paged in and out...it is more up to the database. So unless you make your own db that doesn't use any paging (which will be a rather useless database since dbs usually require a lot of memory), sensitive information in the database will always be in some sort of swap file/partition or temporary file.
  • by "Zow" ( 6449 ) on Thursday June 15, 2000 @12:21PM (#999202) Homepage

    Just curious, but what happened to the Alpha port? I noticed that all the previous versions included it, even bootable on the CD, but not 2.7. Any ideas? Theo overclock his Alpha and toast in in testing out the encrypted swap space or what?

    -"Zow"

  • its an olivetti-5030 server with four 486 boards in it. the motherboard has no processor slot on it, rather they sit on expansion cards.

    i think you can get dual, maybe quad too, 486 motherboards for a VERY hefty price IIRC.

    and i would kill for a 16 proc pentium mobo :)~~~~
  • by technos ( 73414 ) on Thursday June 15, 2000 @12:22PM (#999204) Homepage Journal
    Let's encrypt everything to the point of all we get on our screen will be a bunch of useless characters

    This is assuming that you could make *nix any more cryptic than it is without hitting mental critical mass. Try it, and you'll probably see the fatality rate in *nix admins soar from cranial explosion..

    Shit, I may have just given Microsoft an idea..
  • i believe linux is getting a replacement for ipchains in the 2.3/2.4 series. i think it is actually the ipnat that you are talking about.

    btw: did apache have a remote exploit lately when they got the 'powered by apache' logo replaced with the back office one? i read something like that somewhere....
  • Its the "feds snatch the box" scenario. You do not want to create a record on disk of something that was decrypted, created before encryption, etc.

    If sensitive data was written to the disk, it could be recovered even if written over (theoretically). This is protection for the extremely paranoid, but that is what OpenBSD is all about.

    If you were booting with your root partition encrypted and all filesystems storing sensitive data encrypted, this is the final hole to plug to prevent anything unencrypted from being put on a disk unencrypted.

    I see the danger as being what people are looking at when they take the disk from you, not what they can find when the system is running.
  • n32 tools are better, vendiors love to ship o32... sound familiar

    Of course. Proof that IRIX-targeting proprietary vendors are just as idiotic as Linux-targeting ones (libc5, yeah that'll make me buy your shit).

    This is _not_ a single machine image. O2k machines have only been implemented upto 256 cpus with a single image, althoug the O2k architecture should support 4096

    I'm familiar with the architecture. 256 is still four times as many as Sun offers. The Craylink technology used to link partial SGIs is also highly impressive. It's really a blazing-fast network, with hubs and so forth. Quite flexible.

    These sorts of things tend to not happen with solaris. It's not nearly as esoteric, so it doesn't have the bleeding edge performance of IRIX.

    IRIX 6.5, which has been around for quite a while really, is rock solid. I've had plenty of annoying problems with earlier versions, just like you. 6.2 and 6.3 would lock up, 6.1 was complete garbage, NFS had issues, and so on. But you have to compare equivalent systems - we're not comparing Solaris 2.8 with IRIX 6.2. Solaris versions less than 2.4 had a number of serious problems; it's generally conceded today that Solaris < 2.4 is effectively unusable. I'm not recommending that anyone use IRIX 5.3 any more than that they use Solaris 2.3. When comparing IRIX 6.5.[5-8] with Solaris 2.8, IOW contemporaneous operating systems, I think you'll find that IRIX comes out looking quite good for stability, ease of use, and feature set. Naturally YMMV but I'm disinclined to allow problems with earlier versions of IRIX to bew brought up in a comparison with more recent versions of (something else).

  • All right, I'll not try and convince you again. You've made a choice, and you're sticking to it.

    ;-)

    I get some mail from Theo (not to me personally, to the lists), and, although I'm not sure how long it will last, he is generally civil and forthcoming in them...

    I don't know what to say about the packet filtering; is FreeBSD still filtering out packets from the OpenBSD networks, as they claim? "We won't stop filtering packets from the OpenBSD networks until Theo is out". Heh, it's fun to read archived threads sometimes.

    Well, thanks for being honest; it's important for me to know how OpenBSD got its reputation. You seem like a good person, with very valid reasons for not using OpenBSD.

  • by Anonymous Coward
    There is a paper on this, called "Encrypting Virtual Memory." It is at http://www.citi.umich.edu/techreports/ [umich.edu]. The paper will be presented at the USENIX Security Symposium [usenix.org] in August this year.
  • True, $30 isn't much, but it's not as nice as free. It's like if you were to go to Costco, and they had fuzzy peach slices on for $30 a bag, but they were giving away licorice for free. If I was only strong enough to carry home one back of candy, I'd probably go for the licorice, even though I'd prefer to have the fuzzy peach slices.

    So it's the same thing, I'd say. There's nothing wrong with not wanting to pay $30 when there's a perfectly valid alternative available gratis.
  • This is nothing new. Linux has been able to encrypt filesystems and swap space for several years now with no problem.

    Go grab a new 2.4.0-test1-ac* kernel, apply the 2.3.42 kerneli patches (which aren't available on ftp.kerneli.org, ironically. Check the linux-kernel archives.), handle the conflicts, and update the kernel utilities. If you don't want to mess with all this, you can get a 2.2 patch from ftp.kerneli.org and use it.

    # losetup -e

  • Largely, to keep one program from snatching sensitive information from another program's swap space. Like, for example, passwords that are held in memory. A hostile program running on a box could scan through available swap in search of username/password pairs.

    That's one of the reasons your raw partitions aren't given read access to everyone by default.

    Now I imagine an exploit could be crafted in which you allocated memory which would be allocated in swap first and then selectively swapped in and scanned...


  • [ various OpenBSD vs. FreeBSD comments snipped ]

    But you leave out the big kicker: what if I'm not using an x86 or Alpha based system?

    In this case, FreeBSD does me no good at all, and NetBSD or OpenBSD are my *BSD flavors to choose between.

    I'd love to use FreeBSD (more experience with it from a prior job) on my old Mac IIci, but it just ain't gonna happen.

    -LjM

  • Yes, there is such a document: http://www.openbsd.org/faq/INSTALL.linux [openbsd.org]

    This document makes a teensy error; it completely ignores the fact that the Linux swap space is not included in the Linux native file system; it has to be allocated on a separate partition with a different file system.


    The Second Amendment Sisters [sas-aim.org]

  • As I remember it, a large part of the purpose of OpenBSD was that it was developed outside the US so it wasn't subject to US restrictions on the export of strong cryptography. This allowed them to ship 128-bit Blowfish encryption, which added to the whole "super-secure" thing. But now that Uncle Sam have relaxed their export controls, part of the inherent advantage of OpenBSD over the other BSDs has been eroded.

    The other strong point in OpenBSD's favour is the code auditing process, but FreeBSD is now going along the same path of tightening up its codebase. Again, the distinctions between the two main BSDs are becoming blurred. If this continues, will there still be a need for OpenBSD? Given the history between Theo and the FreeBSD camp, I can't ever see the projects merging. And with the price differential between Open and Free (admittedly not much, but still significant) I think Theo may have to relinquish his stranglehold on the official ISO image to the distro if OpenBSD is to survive. Despite the advantages of OpenBSD, I am still put off by the prospect of paying $25 (?) every 6 months, when I can get FreeBSD for more-or-less the cost of distribution.

    - Lita

  • I have OpenBSD 2.6 on a 486dx33 running in the kind of configuration you are looking for. I choose Open as that is what I had used before. Speed is a non-issue if you are just passing packets. Even my cheap ISA ne2000 cards can keep up with the cable modem. Even if you want to serve a few pages with apache or ftp a 486 is up to the task. If you want a system that you can install and forget, OpenBSD may be a better choice then FreeBSD. The 3 years without a remote exploit in the default install (which includes apache and sendmail) is comforting. I assume that FreeBSD can be secure as well, but they have always said that performance was their main concern whereas OpenBSD has always said that security is their main concern.

    Compared to Linux I prefer OpenBSD as a gateway. I really like IPFilter and IPNat over IPchains. I find the configuration files much easier to read. For example the following blocks and logs all attempts to telnet to my gateway:

    block in log from any to <my_ip> proto tcp port telnet flags S
    (The above is a quick'n'dirty example. Please consult the docs before making your own rules).

    IPFilter and IPNat do lack the proxies that come with Linux IP-MASQ. Generally this is not a problem as the IPFilter 'keep state' rule and IPNat seem to be smarter then Linux IP-MASQ. However I have not used Linux as a gateway for over a year so I could be wrong. If you IRC get the tircproxy package (look on freshmeat.net) and set it up as a tranparent proxy. Tircproxy proxies DCC connections and I recommend it to anyone using using IP-MASQ or *BSD IPNat

    A good OpenBSD resource site is www.deadly.org [deadly.org]

  • From SGI of course.. makers of IRIX.. the most universally loathed UNIX amongst free unix/BSD zealots.

    Too bad for them. I like IRIX. And BSD. And Linux, sometimes. Solaris, however, sucks my ass. IRIX has all the features you attribute to solaris, but it's actually fast. XFS is infinitely better than Solaris standard UFS, and you get it out of the box without paying extra. IRIX's thread implementation is functional, fast, and standards-compliant. NFS, including v3, works great. Intelligent SMP support? Well, IRIX runs on the 8k+-CPU nuke simulators and other massive Origin 2000 systems. Solaris can do 64 CPUs, but slowly (well, it can't do any number of CPUs quickly). I could go on, but I'm convinced the world is blind to Solaris's failings, which are many and severe.

  • what kind of performance tradeoff would be expected with on-the-fly encryption/decryption of the swap space?

    The paper reference provided by an A-C above, http://www.citi.umich.edu/te chreports/citi-tr-00-3.pdf [umich.edu] claims a 26% to 36% performance loss due to the swap space encryption in their benchmarks.
    --

  • My reasoning is that another process would never get your old "dirty" memory with your key after a malloc. They would have to resort to spying in your memory in realtime.

    There is no Unix I know of where you get another processes' dirty memory when you malloc. When malloc first gets it's memory from the OS (with sbrk) it is zero'ed (I think in thery it is merely "not valid data", but in practice it is zero'ed). If you free that memory and malloc it again it might contain your own dirty data. Similar things happen with mmap'ing annon memory, and /dev/zero (the other way malloc is implmented nowadays). In Net and FreeBSD the free'ed memory is frequently madvis;ed as unused and will not be written to swap unless it is written to again (and will tend to come back as zero, unless it is written again).

    When I say "no Unix I know of" this includes V7 (or V6 -- what is it the Lyon's book covers?).

    Could someone more in the know explain what encryption buys you that kernel-level zeroing doesn't?

    Others have already said, but I'll state for completeness... If your system is seized by a hostle force (say your goverment, or it's a laptop, it could be a competeing bissness), the swap area could have cleartext passwords, or chunks of important documents. Of corse if you didn't encrypt your real data then there are other areas of intrest on the disk...

  • Your point is? WinDOS has almost 90% market share. Does that mean it doesn't suck? Solaris takes a beautifully-designed lightning-fast million dollar system and makes it run like a 386 with a flaky memory module. IMHO, that qualifies as "sucks." I guess your definition is different. Just remember me when you're trading up your expensive Sun box again to make up for the failings of Solaris; I'll buy the old system from you, put UltraLinux on it, and get the same performance you will at half the price. I wish BSD had SMP support, but it's still worth using if you have a UP system lying around. Linux on SMP UltraSPARC, however, is a thing of beauty.
  • I can respect that; there are many people who agree with you.

    However, it's interesting to notice some people will pay good money for excellent software, even without being able to try it out first. If you're resourceful, you can even get OpenBSD for (close to) free, as you pointed out.

    Some people find Theo's development style and anti-social behavior to be abrasive, but since when have those qualities stopped anyone from being a fantastic software developer? Consider Picasso for a moment; although you may find him intensely disagreeable as a person, does that mean you will never find meaning in his paintings?

    I urge you to reconsider OpenBSD, if you are holding back simply because of Theo's personality. OpenBSD is a truly refined, unusual experience, and, trust me on this; you can enjoy the meal without liking the chef.

  • What about the systems it has been ported to?

    OpenBSD is based off of NetBSD which has been ported to many more systems than FreeBSD ever has. While I've only used OpenBSD on x86 (and then only briefly), I'm assuming it's also available for at least most of the platforms that NetBSD is.
  • by Ignatius ( 6850 ) on Thursday June 15, 2000 @02:32PM (#999237)
    Swap partition, no. Swap file, yes.

    this ain't true: there's absolutely no problem using a loopback-ecrypted patition as swap-device.

    Ramdisk in memory

    absolutely pointless, since the encryption keys have to remain in (unencrypted) memory anyway.

    I have the impression that some guy's miss the point here: encrypted partitions are not (primarily) meant to protect against intruders on a running system (a 2nd reason why encrypted ram is basically pointless) but to protect against theft, confiscation, seizuere (or whatever the legal pretext of the day may be called) of your hardware. It's about ensuring that once the power is turned off, there remains absolutely no recoverable data on the system.

    Therefor it is, btw, reasonable to encrypt the swap partition with a random key transparently generated on startup (I've patched losetup to provide this very option.)
  • I have built an OpenBSD Firewall, and it has been chugging away on a $10.00 salvage 486 with two spare NICs for a few months now. OpenBSD uses the IPFilter packet filtering program for firewalling, and for Network Address Translation (having multiple machines share a single IP), you have IPNAT.

    Both are included in the base install of OpenBSD, but need to be activated. From the OpenBSD FAQ at http://www.usa.openbsd.org/faq/faq6.ht ml#6.2 [openbsd.org] you can check out the IPFilter and IPNAT sections - this helped me to get running from practically step zero. The MAN pages in OpenBSD are also the best in the business, with example code and config files, and they are consistently getting better with each release.

    To develop your rule base for IPFilter, you can't beat the IPFilter HOWTO located at http://www.obfuscation.org/ipf/ [obfuscation.org]. This has everything you need to know about creating a solid firewall without being an expert in TCP/IP packet routing.

    So since you can get all the info for free, try downloading OpenBSD 2.7 and give it a shot. When it works for you WAY easier than you expected, take the cash that you would have spect on the firewall book and purchase the CD [openbsd.org] (and yes, mine is on the way...)

    Good Luck and Enjoy!
  • by nemoc ( 178963 ) on Thursday June 15, 2000 @12:47PM (#999246)
    True.... What we need are encrypted core dumps
    encrpted swap is nice...but the big problem with memory is the core dump. If someone has local access to a box, and can get a core dump, there's a change they can get login-name/password-hash combo's, and it's trivial to run a word-list through a program like crack.
    on improperly configured boxes, local access isn't even required as long as their running apache, because apache let's you enter the '..' directory in path names.
  • For IRC get tircproxy (look on freshmeat.net) and set it up as a transparent proxy. I would recommend this to Linux IP-MASQ users as well. I didn't bother with the oidentd part to tircproxy to set the usernames.

    For ftp there is the 'proxy ftp' option for IPNat. I haven't really tested in though as my FTP client (lukemftp) is set to use passive by default. Netscape ftp seems to work though and I have no idea if it uses passive or not.

  • I feel compelled to agree with this comment. I too, must say that I really love Linux. That being said, it is _not_ a new user's operating system.

    I feel that any of the *BSDs are very solid and production ready. I can't say that about a number of Linux machines. Linux can be made to be a very secure, wonderful, and easy Operating system, but for people wanting to get started, BSD is a better choice.

    BSD's _biggest_ advantage is the weath of excellent documentation on general usage. OpenBSD's documentation is the man page system. Anything that you could possibly want to know about OpenBSD is in the man pages. This makes it very easy to find what you are looking for.

    For those who also like "handbook" style docs, FreeBSD combines excellent man pages (sometimes Linux's manpages are a stretch) with a handbook that gives you a general overview of how to do basic administrative functions.

    I advocate new users starting with FreeBSD because of the very user-friendly docs. FreeBSD's website has documentation that starts by teaching a user how to login! Seriously, read the "FreeBSD for people new to both FreeBSD and UNIX" documentation and tell me that wouldn't be good for _any_ new user.

    OpenBSD is not quite so basic, but the docs are more friendly than anything I've seen from the Linux Documentation Project. I really like the LDP, but OpenBSD has some really great man pages.

    If you are a linux user, check out one of the BSDs. You'll be glad you did. I started with Debian and Slackware circa kernel 1.2.13, and started using BSD last August. I'm hooked!

    -Peter
  • by debrain ( 29228 ) on Thursday June 15, 2000 @02:36PM (#999253) Journal
    Building OpenBSD and Linux Firewalls, Sonnerreich and Yates. This will tell you enough to get a solid OpenBSD firewall up.
    Building Internet Firewalls, Second Edition Zwicky, Cooper, Chapman. This will provide you with more background information, but nothing on OpenBSD. (I was, not so much disappointed, as surprised, at this, for the first time with an O'Reilly book).

    The best, in my very humble opinion, references are online, but they aren't as nice to read as the Building Linux and OpenBDS Firewalls book, but are an excellent suppliment.
    http://coombs.anu.edu.au/ipfilter [anu.edu.au]
    http://www.obfuscation.org/ipf/ [obfuscation.org]

    See the prior of the web pages for a mailing list (Majordomo). The author (Darren Reed) of IPFilter actively participates in this mailing list, which is helpful, and often appreciated.

    Hope that helps
    Brian

  • Actually, I didn't know NT had that feature. OpenBSD swap is only overwritten on demand, meaning the contents are not changed until that section of swap is overwritten as some process swaps into it..

    There hasn't been any real 'zero'ing feature, save perhaps the paranoid individuals I have seen that include dd if=/dev/zero of=/dev/[swap] bs=1024 count=[swapsize] in their shutdown scripts..
  • The FreeBSD vs. NetBSD error has already been adressed, and for the ISO image: there's absolutely no problem to create your own bootable OpenBSD CD: the 2.88MB boot-image is free and as a bonus you can customize the contained software to your architecture and other preferences and will probably be able to fit the whole system and software on only one CD (including source).
  • My problem with linux has been (lately) that when I try to install redhat, the install terminates.

    Sounds like a Redh*t problem...but then you said you tried Debian, too. Back in the day, I started with SLS, then went to Slackware...nowadays, I'm using SuSE. (I took a quick detour into Corel Linux (based on Debian), but I couldn't get it dialed in just the way I wanted and didn't want to waste the time to figure it out when I knew how SuSE is configured.) I've installed SuSE on everything from a Cyrix 5x86 up to a K6-III and have never run into problems. I can't say that I've ever used Redh*t, but it seems that when someone posts to comp.os.linux.* or /. with a "Linux problem," it often ends up being a Redh*t problem.

    I tried one of the BSDs (don't remember which one) a few years ago...there didn't seem to be anywhere near as much activity swirling around it as for Linux, so it didn't stay on my computer long. Now that my NetWare server setup is trashed (flaky i430VX-based motherboard, not a software problem...funny how most of the hardware problems I've run across have been with Chipzilla [intel.com] hardware, not stuff from this underdog [amd.com] or that underdog [cyrix.com]) and the machine it was on is fixed, maybe it's time for another trip into "BSD-land."

    _/_
    / v \
    (IIGS( Scott Alfter (remove Voyager's hull # to send mail)
    \_^_/


  • They grind code slowly but exceeding fine.

    Seriously, it's a different philosophy with different priorities. Linux developers in general are more interested in rapid growth, a rapid release cycle, lots of feedback to fix stuff. BSD developers in general take a more "autocratic" (if you don't agree) or "controlled" (if you do) approach. And the OpenBSD team takes an "extraordinarily careful" approach, which is why we never hear about OpenBSD boxen getting cracked...

    ------

  • I'm working my way through the Wiley book and finding it very good. There's a high-level (i.e. no code) overview of the various kinds of attacks and exposures, and what firewalls can (or not) do about each.

    Then theres a, umm, diplomatic discussion of the choice parameters between using Linux or OpenBSD. It struck me as plain enough, between the lines, that they think OpenBSD has it all over Linux save in the level of support of some hardware, and possibly ease-of-install.

    A fair bit of the book is devoted to the install of each, and configuration of the firewalls. I don't know if the book gives you anything about the actual setup that you can't get from OpenBSD's own documentation or the fine howto's at the "obfuscation" site, but I really benefitted from the textbook learning of the background of how IP packets work, and how lies inside them are the basis of most kinds of attacks.

    PS: Good sense of humour in it, too. Buffer Overflow attacks are in a paragraph headed "Buffer: The IP Slayer".
  • by komet ( 36303 )
    I see OpenBSD has VLAN support. Very nice. Does anyone know when Linux will have this in the stock kernel? Linux or OpenBSD would be great as VLAN routers.
  • The /. community is mostly Linux-centric, the BSD section doesnt get a lot of readers (as opposed to other sections).

    A lot of people seem to have some misconceptions about OpenBSD vs. FreeBSD vs. Linux Distros. (I don't have a lot of experience with NetBSD)

    OpenBSD's primary purpose in life is to provide the most secure operating system availible. I personally think it has succeeded very well in this respect. Its the only operating system I would ever let touch my servers. OpenBSD works alright as a workstation OS, but IMHO there are better choices, depending on your needs. It works great as a router or firewall, and with the inclusion of RTMX O/S it is sure to only get better.

    FreeBSD is meant to be, much like most Linux distros, an all purpose OS, which works well on workstations, as well as servers, and in many ways is, along with OpenBSD, superior to most Linux distros.

    Linux distros are unique. I personally wouldn't run anything but Debian, which is partially an exception to the point Im about to make. Most Linux distros (ala RedHat) are geared more to try to be everything to everyone. This often times leaves a Linux distro very, very open by default (ala RedHat). Linux works decently as a server OS, lacking some more advanced crypto support (by default, these things can always be installed manually, or packaged), and works extremely well as a workstation OS.

    OpenBSD isn't designed to be a workstation OS, as RedHat and others seem to be geared (You really shouldn't need a server running X by default). OpenBSD is designed to be secure, and -- as Theo claims -- hasn't had a remote root exploit in the DEFAULT install in three years. THATS why I choose OpenBSD for my servers. Ports really don't matter as much to me in OpenBSD as in FreeBSD, et al, because I simply don't need them. I really don't use anything other than xntp (which is now packaged) that isn't installed by default, or that I don't compile from source myself (i.e. not from a port).

    The right tool for the right job, Linux doesn't need to be everything to everyone.

    (I am not responsible for my bad spelling and grammer :)
  • I just know I'm gonna get flamed for asking a Linux question in a BSD article, but is there any way to encrypt a Linux swap partition? Also, are there any ways to encrypt the data in physical RAM, in any OS?
  • by sammy baby ( 14909 ) on Thursday June 15, 2000 @12:04PM (#999287) Journal
    Largely, to keep one program from snatching sensitive information from another program's swap space. Like, for example, passwords that are held in memory. A hostile program running on a box could scan through available swap in search of username/password pairs. Encrypting swap makes this less likely.
  • IPv6 is stable in kernel 2.4 and experimental in 2.2.x. What crack are you on?
  • by DreamerFi ( 78710 ) <john@s i n t e u r . c om> on Thursday June 15, 2000 @08:02PM (#999297) Homepage
    www.dubbele.com [dubbele.com] has a free netbsd based firewall. Also, on the web site there's a good list of resources you may want to check out.

    -John
  • Gee thx for that "what crack are you on?" crap. I had no idea that it was implemented stable in 2.4, but thanks for so bluntely pointing it out.
  • Just to clarify some of your comments:

    Actually, OpenBSD *does* ship lynx in the base system (what's more, it was vulnerable to some of the recent security holes), as well as other stuff like apache.

    As of 4.0-RELEASE (which came out in March), FreeBSD ships OpenSSH and OpenSSL in the base system (even on CD). This was shortly after the first OpenBSD release which also included OpenSSH, IIRC. NetBSD also ships OpenSSL (and they pre-dated FreeBSD in this regard, I believe).

    Finally, as one of the FreeBSD Security Officers I'm not sure what you're talking about WRT "the ammount of exploits for the -current release" - if these really do exist (and I'd be surprised) then we certainly haven't been informed of them.

    What there *has* been lately is a lot of FUD on Bugtraq about "FreeBSD is probably vulnerable to this, but I didn't check" and so forth, but not a lot of content (well, there were a couple of vulnerabilities which applied to the other BSDs as well). If you have anything solid to point to here I'd appreciate it if you could drop us a line at security-officer@FreeBSD.org so we can look into it - thanks.

    So far this year FreeBSD has found and fixed several vulnerabilities which exist in all three BSDs, as well as making numerous security fixes to FreeBSD itself (most are in the category of "well, I can't think of any way that would ever be a security problem, but I suppose it could be one in someone's weird setup, and it's still a bug").
  • First off, <disclaimer>let me say that GNU-Linux is great, it's raising a big stink for Open Source and Free Software and that visibility and credibility is needed</disclaimer>. However, I have to agree with AC. The better known distros of BSD that I've tried have all been vastly easier to configure than any of the Linux distros. The Linux community tends to support bleeding-edge, often even before fixing present problems. On that token, however, I seriously think that Joe Clueless is far better off with FreeBSD or OpenBSD. It's relatively easy to use and has excellent support for established hardware.

    I personally had to ditch efforts to run Linux on a DEC 486 I picked up after it was decommisioned at my school. Just about everything on this PC was in awful shape, from the RAM to the HDs to the BIOS. Nevertheless, I managed to install FreeBSD 3.4 on the first shot! After a little tinkering, I had this box running _beautifully_ as a cable-sharing gateway with a few auxillary services.

    IMHO, BSD has really gotten the shaft in terms of public opinion. If you ask me, it really is the better operating system. It just doesn't have the hordes of fanatics. =)

    --


  • Just picked up a Thinkpad iSeries 1450 last week, and i've been having problems getting everything running under RH6.2 -- During my epic saga of a search for a fix, I found this page, which was tremendously helpful:

    *NIX On The IBM Thinkpad

    This page has a run-down of several free *NIX'es, and how they compare against eachother on the Thinkpad. Turns out OpenBSD 2.6 wins hands down.

    Now I may rest. :)



    Bowie J. Poag
  • Damnit, Beavis..

    Here's the link:

    UNIX on the Thinkpad [xoom.com]


    Bowie J. Poag
  • by Anonymous Coward on Thursday June 15, 2000 @12:06PM (#999318)
    Insert the standard [Why would I run *BSD instead of Linux]-questions here.

    Seriously. For those of you who haven't tried *BSD but like Linux - you should give one of the BSDs a go. Installing FreeBSD is dead easy, OpenBSD aswell. What you get is a solid and functional OS.

    My first impression of OpenBSD was that "Man, they've really put some thought into this". Redhat/Mandrake and the others cram in loads of weird programs on your harddrive but the default *BSD install is very slick and slim lined. You get what you need and if you want more then go for the ports.

    The ports system rocks! For those of us with fast connections it's far better than RPM. No problems with missing libraries and no hassle.

    Enough of the rant. Now TRY it!

    j0hn

  • The ports system rocks! For those of us with fast connections it's far better than RPM. No problems with missing libraries and no hassle.


    Even more so for those with slow connections. For years I've used FreeBSD with only a 28k8 modem. The ports system is much much more bandwidth efficient. Example:


    RPM: new RPM with some fix. Old RPM based on emacs-20.5, new RPM too. You have to download the whole binary, complete package again. That is outrageious IMO


    Port: New fix: Update your port (basically a directory with some files, among which are patch files, in it) usually done by an rsync like mechanism (cvsup) ie the update typically is something like 1kb. Then rebuild the port (the original emacs-20.5.tar.tz source is still lying around in /usr/ports/distfiles from the first time you got this port).


    So for refreshes of a port you typically download 1KB, for RPM you have to reget the whole binary again.

  • by q[alex] ( 32151 ) on Thursday June 15, 2000 @12:09PM (#999329) Homepage
    Yes, there is such a document:

    http://www.openbsd.org/faq/INSTALL.linux [openbsd.org]

    OpenBSD does have ext2fs support as well.
  • I agree; I'm still forced to use Windows98 to some degree (don't ask), but I have free reign as far as determining my (and my clients) server OS's.

    OpenBSD is fantastic for servers, especially if you don't need to run KDE or Gnome apps (although, I'm sure you could figure out how to run some o' them new-fangled window managers, if you are so inclined.) If you are looking for a desktop system, though, I'd look elsewhere. Personally I don't even install X11 if I can help it.

    The encrypted swap feature is not one of the points that initially sold me on OpenBSD (although it does sound über-sexy at cocktail parties). =P

    It's the other, shall I say, more practical (OK, all right, probably more boring, too; but...) features that I like. Like SSH built-in, and everything locked down by default. Not necessarily cutting-edge, but nice. I sleep well at night.

  • by technos ( 73414 ) on Thursday June 15, 2000 @12:10PM (#999346) Homepage Journal
    IIRC, OpenBSD swap space is only overwritten on demand. Once used, the space retains whatever information is in it until overwritten again.. A lot of useful junk, passwords, etc, is left in swap for an indeterminate amount of time. What happens when the box is stolen, say by a hostile foreign government or by the hostile local one, and they can't log in or mount your encrypted volumes? They sniff your swap space!!
  • I'm giving up MS Proxy Server in favor of a real firewall, and I've decided to use OpenBSD.

    Can anyone recommend a good firewall book for OpenBSD? In particular, I've got the O'reilly book, Building Internet Firewalls, and I was considering Building Linux and OpenBSD firewalls, from Wiley.

    Any comments or suggestions?

FORTRAN is not a flower but a weed -- it is hardy, occasionally blooms, and grows in every computer. -- A.J. Perlis

Working...