Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

Custom OpenBSD 3.0 with IPFilter From Darren Reed 265

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.
This discussion has been archived. No new comments can be posted.

Custom OpenBSD 3.0 with IPFilter From Darren Reed

Comments Filter:
  • ipfilter is so much easier to use than netfilter/iptables ... Any word on whether the licensing issues have been re-thought or resolved?
    • How exactly is iptables easier to use than ipfilter ?
      Personally, I find the pseudo-natural language rules a bit confusing, but it`s probably a matter of taste.
      Also, I wasnt aware that the official OpenBSD features the (linux-only) netfilter packet-filter.

      BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?
      • > BTW, what is the current packet-filter in the official OpenBSD 3.0 release (as ipfilter is out) ?

        It's simply called pf and it's custom to OpenBSD.
        • I have recently installed OpenBSD on my home
          router-firewall-workstation after running
          2.6 - 2.9 and lemme tell ya, pf ROCKS

          with less than 10 lines changed across 4 files in
          /etc I was able to get the following configured
          for my network:

          -firewalling (enable pf in /etc/rc.conf and put
          4 rules in /etc/pf.conf)
          -full nat (enable ip forwarding in /etc/sysctl.conf
          and put 1 line in /etc/nat.conf)
          -full port forwarding with ip header rewriting (put
          2 lines in /etc/nat.conf)

          so simple, so powerful, and BUNDLED!

          'nuff said
      • It's called packet filter - just pf, rather than ipf. It was developed by the OpenBSD team, and has some features they wanted to add but never could due to the restrictions on the IPF license. That's what Theo claimed in an interview I read, anyway.

        It's the file system speed improvements that really make an upgrade to OpenBSD 3.0 worthwhile, though..
  • by aridhol ( 112307 ) <ka_lac@hotmail.com> on Tuesday January 22, 2002 @01:44PM (#2883202) Homepage Journal
    OpenBSD's main tenet is that security is the most important part of the distribution. This rogue distribution is using OpenBSD's name (is this allowed? Anyone?); is it still following OpenBSD's strictures regarding security, such as a full source audit before release?
    • by ^BR ( 37824 )

      It seems that it's a plain OpenBSD 3.0 with IPFilter integrated, somethin that you could do yourself but Darren is nice enough to provide a compiled version.

      No worry there, it's still OpenBSD, the whole point of the OpenBSD philosophy is to permit derivative works.

    • by 2Bits ( 167227 ) on Tuesday January 22, 2002 @01:56PM (#2883269)
      As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.
      • That is what Lindows must have been thinking.
      • by xonker ( 29382 ) on Tuesday January 22, 2002 @02:40PM (#2883532) Homepage Journal
        I think that you mean the ISO/CD-ROM image layout. From the FAQ:

        Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy, it is up to you to determine this for yourself. We suggest that people who want to download OpenBSD for free use the FTP install option.

        I don't think that the layout of the filesystem itself (/, /etc, /home, and so forth...) is under copyright.

        The actual name would be under trademark, and I would imagine that someone else would be unable to use the trademark to distribute a derivative of OpenBSD. Linux is the name of the kernel for Linux distros, bsd is the name of OpenBSD's kernel. The use of Linux as a trademark should technically be approved by Linus or whomever manages that for him.

        I guess this would be OpenBSDarren...
      • As long as the distribution does not use the file layout of the "original" OpenBSD (the layout is copyrighted by Theo), it should be legal. OpenBSD is just an OS name, like Linux.

        Stangely, OpenBSD does not appear to be registered with the US Patent Office (check in TESS [uspto.gov]). Note that this is unlike Linux, which is:


        Word Mark LINUX
        Goods and Services IC 009. US 021 023 026 036 038. G & S: computer operating system software to facilitate computer use and operation.
        FIRST USE: 19940802.
        FIRST USE IN COMMERCE: 19940802
        Mark Drawing Code (1) TYPED DRAWING
        Serial Number 74560867
        Filing Date August 15, 1994
        Published for Opposition June 13, 1995
        Change In Registration CHANGE IN REGISTRATION HAS OCCURRED
        Registration Number 1916230
        Registration Date September 5, 1995
        Owner
        (REGISTRANT) Croce, William R. Della, Jr. INDIVIDUAL UNITED STATES 33 Snow Hill St. Boston MASSACHUSETTS 02113
        (LAST LISTED OWNER) TORVALDS, LINUS INDIVIDUAL Assignee of FINLAND 5774 CANNES PLACE SAN JOSE CALIFORNIA 95138
        Assignment Recorded ASSIGNMENT RECORDED
        Attorney of Record ROBERT T. DAUNT
        Type of Mark TRADEMARK
        Register PRINCIPAL
        Affidavit Text SECT 15. SECT 8 (6-YR).
        Live/Dead Indicator LIVE
        • by BdosError ( 261714 ) on Tuesday January 22, 2002 @04:12PM (#2884034)
          It may not be registered, but that is not required for copyright (Besides, you showed a trademark). Trademarks don't require registration either, it just makes them stronger.

          And since OpenBSD is based here in Canada, the above (NAL) summarized US rules don't necessarily apply, other than through treaties on Intellectual Property. It is not a registered trademark in Canada either, as you can check here. [ic.gc.ca]
  • Good. (Score:4, Interesting)

    by rainer_d ( 115765 ) on Tuesday January 22, 2002 @01:45PM (#2883211) Homepage
    Especially for people who don't want to migrate.
    I've setup a firewall [daemonnews.org] with bridging and no IPs on OpenBSD 2.9. Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.

    Not that PF is bad - you just can't do everything together ;-)

    cheers,
    Rainer

    • I thought pf was rules-compatable with ipf?

    • Re:Good. (Score:3, Informative)

      by DaveTerrell ( 923 )

      Now, I could migrate to 3.0 and don't change anything on the underlying code for the custom GUI.

      You will have to change your rules. OpenBSD made several modifications to IPF that darren never included upstream (interface names in place of IP addresses, for example). I also recall some controversy involving patches to support ipf on the bridge. I don't know if those are supported either.

      You're welcome to experiment I suppose. Good luck. But I'd strongly recommend not installing this straight onto your production system.

  • Ego dramma (Score:4, Interesting)

    by JDizzy ( 85499 ) on Tuesday January 22, 2002 @01:48PM (#2883228) Homepage Journal
    I use FBSD, and OBSD. sorta stuck in the middle on this since FBSD doesn't think the D. Reeds license is non-free like Theo et'all believe, and rightly so. Honestly, The OBSD IP filter is supposedly better anyways. Apparently the OBSD was aware of some design flaws in IPF, and engineered their version without them. So I hear its slightly faster, and backwards compatible with Reeds IPF. Looking at the OBSD rhetoric, one might believe that they want the other BSD to consider their IPF, but don't' really care one way or the other.

    Sorta like the OpenSSH, there is an original version from the SSH company, but everyone just uses OpenSSH. I see this being their same strategy for IPF clone.

    • Re:Ego dramma (Score:2, Interesting)

      by rifter ( 147452 )

      Actually, the reason FreeBSD can use it is that it uses an unmodified ipfilter. Ipfilter was originally written for FreeBSD, IIRC. But while FreeBSD uses ipfilter in userspace, OpenBSD always used a heavily modified form which lived in kernel space. The problem was that Darren and Theo got in a pissing match and Darren put a clause in his license that said he had to approve any release of ipfilter. Theo responded by dumping ipfilter, now Darren is trying to counter by creating his own OpenBSD.

      While this is legal, the problem is that the whole point of OpenBSD is the security audtnig the OpenBSD team does. The version Darren is pushing is essentially a patched version of what they are putting out, but any security auditing of his patches is likely going to be done by him alone. I don't think this is a way to go, frankly.

      • Re:Ego dramma (Score:2, Informative)

        by kan ( 107198 )
        > while FreeBSD uses ipfilter in userspace
        Absolutely incorrect. Get your facts straight.
        • I'm not sure who modded this 'informative' (I know I'm going to /.-hell for saying this) but it's pretty far from it.

          I've heard the same thing about ipfilter; that is, that it was developed for FreeBSD, for use in userspace, and was adopted by the OpenBSD team and subsequently modified to operate in kernelspace.

          That is why I couldn't just get the OpenBSD 2.9 from FTP and install ipfilter from Darren Reed's site (to fix the traceroute bug). It requires quite a lot of patching to get it to work with OpenBSD.

          So do you have any more information on _why_ the above poster was incorrect? I'm quite interested.

    • Re:Ego dramma (Score:3, Insightful)

      by illusion_2K ( 187951 )

      Where did you get that from?

      The issue that the OpenBSD guys had with IPF was that the license wasn't 100% BSD compatible as it stood when they decided to ditch it. I can't recall exactly what the issue was, but there's historical posts in the misc@openbsd.org [geocrawler.com] mailing list. (Searching for Theo De Raadt and IPF should be enough - he's explained his position at least a half dozen times). Afterwards. Darren decided to change the license so that the other BSD's wouldn't ditch IPF in favor of PF too.

      All in all, one of the things I respect most about the OpenBSD guys is how they do stick to their principles, as they did in the IPF fiasco.

      • Re:Ego dramma (Score:2, Interesting)

        by hollow_man ( 24346 )
        Where did you get that from? Theo got his knickers in a twist about a test release of IPF (aimed at Solaris of all OSes!) and challenged Darren. Funnily enough, (after being threatened (although some debate can be had about what constituted a threat)) Darren then decided to clarify his IPF license (which for release versions hadn't changed for yonks) so it was not quite compatible with the goals of OpenBSD. Hence the split. Darren has cordial relationships with FreeBSD and NetBSD core and as such things never get as out of hand as with Theo.
        With the regards to the "design problems" someone else posted about earlier, IPF is designed to be a crossplatform package (we use it exclusively on Solaris here) and as such it will never be as taylored for OpenBSD as pf is.
        I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.
        • Re:Ego dramma (Score:2, Interesting)

          by jazman_777 ( 44742 )
          I think that Theo, as good as he is for OpenBSD, would be even better if he now and then counted to ten before saying something. Having a clear vision and unwavering ideals is a good thing to have but a foul temper will only harm the cause.


          Which cause? Being nice and warm and fuzzy with everyone? Or putting out a solid secure OS? I think his temperament works just fine for the latter, he weeds out the chaff who think his goal should be the former.

        • Re:Ego dramma (Score:3, Interesting)

          by Tuzanor ( 125152 )
          The thing is Theo never really got all THAT upset. He essentially just said "give us BSD rights to this thing" while darren said, "if you beg and suck up, maybe".

          Theo just decided to hell with it and just announced that ipf is leaving OpenBSD. He never called anybody names or anything. he just sorta unexpectantly removed it.
  • by r00tarted ( 552491 ) on Tuesday January 22, 2002 @01:50PM (#2883237)
    conflict surrounding the openbsd project
    next story please.
  • by bconway ( 63464 ) on Tuesday January 22, 2002 @01:52PM (#2883244) Homepage
    One important thing to note (and left out of this announcement) is that Darren will be including bootable ISOs with his releases. This is a great move, as I've always run into trouble with the hacked together OpenBSD unofficial ISOs. I'm also not too keen on using a 6-month-old firewall with who knows how many fixes needed in the future, and am glad IPF is back in the game with a OpenBSD-alike release that I can grab and run with. Good job to everyone involved!
    • by Null_Packet ( 15946 ) <nullpacket@NoSpAM.doscher.net> on Tuesday January 22, 2002 @02:12PM (#2883353)
      How is it good that Darren Reed will be including ISO's? Looking at the thread this seems to be a cut towards the openbsd team by undermining their primary fund raising activity- selling cd's.

      Besides, I have to wonder how resourceful someone is who doesn't know how to find OpenBSD ISO's via Google.

      This isn't a troll, but this strikes me as counter-productive to Open Source in general, and it seems even sillier that one needs to distribute an entire ISO for such a small package.

      Remember- it was Darren who changed his license which forced the OpenBSD team to remove his packages from the distro.
    • I've never needed the ISO's. The net install works rather well, and you can do it over HTTP or FTP, as well as the other standbys (NFS, local, etc).

      I've lurked on the misc@openbsd mailing list, and seen what Darren says. He seems "shady" (best as I can describe it). He seems to do his best to piss people off, and whenever pf doesn't work as expected, he says "IPF does that". Even if the poster was using the wrong syntax.

      The firewall age isn't an issue, it's infancy happened on the -current tree. I'm rather happy with pf, and will keep using it whenever possible.
    • Here's an idea: Pay the $40 and get a newly released official ISO and support the project. Supporting Open Source doesn't mean you have to be a cheap bastard, especially when you're complaining about unofficial ISOs. Don't agree with OpenBSD's policy on IPF? Don't use OpenBSD.

      psxndc

  • by the_olo ( 160789 ) on Tuesday January 22, 2002 @01:52PM (#2883246) Homepage
    Just installed OpenBSD 3.0 today.
    The new Packet Filter' syntax is somewhat backwards-compatible with IPFilter, the most significant difference being that with PF you now must specify protocol when specifying ports, so for example if with IPF you had:

    block in on fxp0 from any to any port = 137

    with PF you have to change it to:

    block in on fxp0 proto { udp, tcp } from any to any port = 137

    And you place the default donfiguration in /etc/pf.conf, not /etc/ipf.rules.
    • block in on fxp0 from any to any port = 137

      still works.

      so does

      ext_if="fxp0"

      block in no $ext_if from any to any port = 137


      and does:
      protocol_rules="proto { udp, tcp }"
      ext_if="fxp0"

      block in on $ext_if $protocol_rules from any to any port = 137
    • PF has a fair number of nice features IPF doesn't have, such as variables and sets. Using them you should be able to make your new rules a lot cleaner. And, when you write something from scratch, odds are you'll do it better the second time by virtue of greater experience with the domain... PF is a Good Thing.
  • by BetaRelease ( 110550 ) on Tuesday January 22, 2002 @01:53PM (#2883249)
    Dude,

    You don't want to include my program with your distribution?

    Fine, I'll just include your distribution with my program!

    'nuff said!
    • As long as he's the only one. Can you imagine 10 companies doing this? 100? Of course they'd never all be in sync or anything either... And eventually the software will of course only work on HIS distribution. One version of the OS for every piece of software you use? There's an inner circle of hell we can all do without.
    • It was the obvious solution to M bundling browsers with operating systems: netscape should have responded by including an operating system with the browser.


      lot's of engineers for wine would have been nice, too, but bundling netscape, a bsd (or linux), and the (then) personal use version of staroffice, and they could have kicked a good chunk of the low-end clean out from under microsoft.


      hawk

      • Actually, they already had. The JVM environment in Nav 3 was supposed to make the operating system redundant. Netscape trumpeting this was one of the reasons that MS got so heavy on browsers around that time.
  • Amusing (Score:5, Flamebait)

    by hettberg ( 552289 ) <hfsjk@gawklh24gds463g.net> on Tuesday January 22, 2002 @01:57PM (#2883271)
    OpenBSD team wants to get changes incorporated into IPF. Darren no respond.
    Ask again -> No respond. Darren coder supreme.
    OpenBSD decide to make changes, but only in OpenBSD source tree. Darren hears, gets angry! Decides: "LICENSE NO ALLOW!"

    Insert Flame War.

    OpenBSD team decide to switch to different packet filter under BSD license. Because Project Goal: Every user should be able to make changes to source tree. IPF license bad!!
    Darren try get back: says, NetBSD, FreeBSD allowed! MUAHAHAHAH!!!
    Theo say: no care, pf much better than ipf!
    Darren changes mind: changes license. But OpenBSD will not change back to ipf. Darren even much more bitter.
    Darren so bitterbitter. Decides: I'LL GET BACK BY FORKING OPENBSD AND RELEASING MY OWN VERSION. HEHEHEHEHE.

    Conclusion: Open source, closed minds.

    I find this very amusing.
  • PF vs IPF (Score:3, Informative)

    by don_carnage ( 145494 ) on Tuesday January 22, 2002 @01:57PM (#2883272) Homepage
    I've been running an OpenBSD firewall for about a year and a half now using IPF. Now that 3.0 is out and includes PF, I've already migrated most of my rules over and really like some of the features that come with it (like variables). Most of the IPF rules are similar to the PF rules, so there really isn't much of a learning curve for migration.

    I don't have a bias for one or the other (IPF vs PF), but will probably stick with PF since it's included in the default OBSD 3.0 installation.

    Is there any reason why I should keep using IPF? Isn't it still included in the ports if I really needed it? Doesn't this sound like a political move?

    • Doesn't this sound like a political move?

      More like a political countermove.

      I notice, however, that he isn't getting flamed for offering ISOs. Curious, that, since putting a link to ISOs in my sigline has gotten me flamed here at least a dozen times.
      • More like a political countermove.

        True. I read through the Theo rant [slashdot.org] before and it seems like a lot more politics than I would care to deal with.

        But the OS is pretty good, eh? ;^)

      • I notice, however, that he isn't getting flamed for offering ISOs.

        Actually, I'm flaming him. Offering an OpenBSD with IPF is one thing, but offering bootable ISOs is another matter entirely. It's a direct attack on OpenBSD's revenue stream. Granted, the license has always allowed that, and relied on the goodwill of the users to buy the official product, rather than creating bootable ISOs. But Darren never offered them before his falling out with Theo, and starting to do so now really doesn't show him in the best light... At one point, I considered making bootable CDs myself, but decided that it wouldn't be in the best interests of the OpenBSD project (and hence, indirectly, myself) to do so.

  • by Frater 219 ( 1455 ) on Tuesday January 22, 2002 @02:00PM (#2883288) Journal

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

    • by Anonymous Coward
      I've used both. pf and ipf are pretty close in terms of functionality and stability, and pf has some nice incremental features over ipf. If I had to choose, I'd use pf.
  • by dfeldman ( 541102 ) on Tuesday January 22, 2002 @02:04PM (#2883308) Homepage
    This move represents the latest step that Darren Reed has taken to attempt to gain control over open source operating systems that incorporate his packet filter. He has expressed the belief, on many newsgroup postings, that he deserves a place on the *BSD teams (as at least a committer) because of the way that his product has increased market share for the BSDs. And he continues to attempt to hold those distributions hostage until they bend to his will. His eventual goal is to release a closed-source BSD that incorporates his filter, because he cannot stand to give the public the right to modify and redistribute his precious code.

    Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases [safermag.com] that have caused your firewall to fail. Theo de Raddt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.

    Darren, listen to your users - change your license or perish.

    df

    • by imp ( 7585 ) on Tuesday January 22, 2002 @02:16PM (#2883370) Homepage
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security

      Except that isn't true. there have been a number of issues with the way that iptables/netfilter in linux interacts with some systems. A number of problems related to timers in the state engine have come to light and do cause real problems for some systems. Also, 2.4 was relatively recent in history, so all the problems and issues with iptables/netfitler cannot be known yet. To assert otherwise is to ignore the history of software. All software has a hype cycle: The latest thing is always the best, then experience shows that it doesn't handle this or that right, followed by the disillusionment phase followed by the adopting another product that's in the hype phase. ipfilter is much farther along in this process and is maturing nicely. We have not had the history to know yet if iptables/netfilter will be the same.

      If you don't believe me, go back and look at the press that each new Linux release gets. Then look at how people talk about that release 3-6 months later, and then 1-2 years later. It takes time for problems to be diagnoised and understood.

    • by Frater 219 ( 1455 ) on Tuesday January 22, 2002 @02:22PM (#2883410) Journal
      IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

      Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

      I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

      iptables :
      iptables -A INPUT -s 10.11.0.0/16 -p tcp -o tcp --dport 22 -j ACCEPT
      iptables -A INPUT -p tcp -o tcp --dport 22 -j DENY

      pf:
      block in proto tcp to any port ssh
      pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

      Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.

      • The point would be valid if there weren't a more readable way to configure iptables:

        iptables --append firewall --source 10.11.0.0/16 --proto tcp --destination-port ssh --jump ACCEPT
        iptables --append firewall --destination-port ssh --jump DROP
        *

        This seems both readable and easy to follow to me. I maintain a large and (necessarily) complex firewall using iptables (and DNAT, SNAT, mark-based routing, etc.) I've never found it to be especially difficult to follow the config files, nor awkward to read.

        I don't deny things could be just as simple as pf, possibly even easier, but I don't think complexity of configuration is a valid criticism of iptables. On the contrary, I'd have to say I find the example you gave a little counter-intuitive - it's necessary to think for a little too long about whether that's "to any" or "to any port". That's probably just me, though - in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste / how accustomed each person is to the syntax - neither of the syntaxes are (IMHO) intrinsically better.

        * The second line's unnecessary if your input/forward chain policy is 'DROP', which would be the case for most sane firewalls I can think of...
        • in any event, this post hopefully makes it clear that the difference between the two is far more a matter of personal taste/how accustomed each person is to the syntax

          Exactly!
          A standard slashdot argument is: "I use XYZ and it is easier/better than ABC."

          The reason that it's "easier/better" is that you're more familiar with it. People make judgements based on what they have experience with.

          Sure, I think that BSD is better than Linux. I think that the *BSDs firewall syntax is better than the Linux firewall syntax. I think that the *BSD ports/package system rocks compared to any Linux solution (yes, even apt). But I think these things because I use *BSD all of the time! If I used Linux all of the time, I'd look at BSD and say, "What are these stupid disk slice things? What is this disklabel crap? Can't I just make some partitions and go?"

          You can draw examples from every facet of the computer world on this subject. Emacs and vi, anyone? Perl versus Python? C++ versus Java? Generally, "better" means "the thing that I know how to use the best."

          Some things have a more difficult learning curve than others -- does that make them better? Maybe; but that shouldn't be your only criteria for judging.

          We're more prone to see things as "better" when we've invested time in learning them. And when we do compare things, we often use a suboptimal example for the thing that we don't know well -- because we don't know it well.
      • Syntax aside, which one is better? by better I mean maintain security, smallest hit to bandwidth?
        that should be the first concern. If the one that is least intuitive provides more reliable secutity, then go with it and write yourself a script take input in a way thats intuitive to you, and spits it out in the correct format.
        of course, IF all things are equall, the go with the one thats easier to set up and maintain.
        • Syntax aside, which one is better? by better I mean maintain security, smallest hit to bandwidth? that should be the first concern. If the one that is least intuitive provides more reliable secutity, then go with it and write yourself a script take input in a way thats intuitive to you, and spits it out in the correct format. of course, IF all things are equall, the go with the one thats easier to set up and maintain.

          Believe me, there are other measures involved in picking a firewall besides its security (where there are a lot of decent entries) and its cost in terms of latency. (It isn't likely to hit bandwidth unless it's overloaded, btw.) The factors that I see involved in picking firewall kit shake out into two categories: technical and social, as follows.

          Technical factors:

          • Transparency. For design reasons, we need a bridging firewall, not a routing firewall. (In network jargon, Layer 3 inspection, Layer 2 operation.) That is, the firewall must not appear as a hop in a traceroute; it needs to act like a filtering switch, not a filtering router. Among other things, this makes it harder for an attacker (or a disgruntled user) to know where the firewall is, or how it works.
          • Security. This is the "no-brainer" of the bunch. A firewall that is itself at any avoidable risk of compromise is simply out of the running. Moreover, a firewall should be as preëmptively secure as possible: it shouldn't need a lot of maintenance to keep it that way. This leads into ...
          • Reliability. I need a system which is not going to fail or fall over, and which is not going to need a lot of ongoing administration for the underlying system. Ideally, it should (for instance) be able to go for months without needing to be patched or upgraded. (Needless to say, it should be a minimal system.)
          • Versatility. I'd like to be able to do more than just "block this host" or "allow that host to receive nothing but SSH sessions". Being able to easily plug in things like application proxies, tunnels, and other security enhancements is a significant plus. Of course, being sure that these things will work correctly in bridging mode (see above) is essential.

          Social factors:

          • Documentation. I need to be able to bring the other staff up to speed on this system quickly and comprehensively. Complete -- and complete-sounding -- documentation is a must. HOWTOs with sections that say "(Need to finish writing up such-and-so a feature)" do not inspire confidence, in either the firewall itself or in the security administrator pushing that firewall. Moreover, see under "boss-proofness" below.
          • Ease of use ... for our definition thereof. Since we don't have the funding to beef up our security staff, most of the people who will be doing network monitoring here are Unix sysadmin types. They don't like GUIs and Web interfaces of the sort that commercial firewalls-in-a-box offer. They like vi. They like languages that are easy to edit in vi, and which conform to their (okay, "our") Unix-biased idea of how languages should work. (Hint: pf supports shell variables. That's a plus.)
          • Boss-proofness. My boss's first idea when I mentioned we needed a new firewall was to the effect of, "Let's just do that on our Cisco routers. I can always hire a CCN* if you quit." He's fond of "standard" systems, "supportable" systems, and things he thinks he can easily hire new staff to maintain in the event that current staff might not be around forever.

            The next best thing to "You can hire someone with thus-and-so certification, and you're guaranteed they can write new rules for this right away" is something like "This system is so straightforward that anyone who knows Unix can pick it up in an hour and write new rules for it. Oh, and here's the complete documentation -- and I can assure you that there are ...

          • ... No surprises." 'Nuff said.

          I'm not saying OpenBSD is the only system that can meet these goals. (After all, I'm still waiting on the OpenBSD 3.0 CD to show up so I can set up a testbed to prove it's a better choice than more Cisco gear.) I'm saying it's not quite as easy as "pick whatever works and doesn't eat the network, and wing the rest."

    • Looking at the actual licence:
      server# pwd
      /usr/src/contrib/ipfilter
      server# cat IPFILTER.LICENCE
      Copyright (C) 1993-2001 by Darren Reed.

      The author accepts no responsibility for the use of this software and
      provides it on an ``as is'' basis without express or implied warranty.

      Redistribution and use, with or without modification, in source and binary
      forms, are permitted provided that this notice is preserved in its entirety
      and due credit is given to the original author and the contributors.

      The licence and distribution terms for any publically available version or
      derivative of this code cannot be changed. i.e. this code cannot simply be
      copied, in part or in whole, and put under another distribution licence
      [including the GNU Public Licence.]


      There is the licence. Now, what part of with or without modification == "he cannot stand to give the public the right to modify" ?

      Oh, thats right. This is slashdot. "Let not facts get in the way of promoting all things Linux." From your post "IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4," All that 'ass kicking' must be why the 2.4 series is The kernel of pain [slashdot.org] Your anger is that the fine code of IPFilter can't be GPLed is all.
  • that will surely bring out a heated discussion about which OS is better, Linux, xBSD, win95, etc...
    In the immortal words of some character from Monty Python and the Quest for the Holy Grail, "No, please! This is supposed to be a happy occasion!
    Let's not bicker and argue about who killed who..."
  • childish acts... (Score:3, Interesting)

    by Anonymous Coward on Tuesday January 22, 2002 @02:06PM (#2883320)
    Darren, grow up :)

    Why not just create a port for OpenBSD ?
  • ...that is in this software [grc.com] that makes Windows XP more secure.

    I use it all the time. No unsecure sockets!

    --SC

  • by evilviper ( 135110 ) on Tuesday January 22, 2002 @02:38PM (#2883516) Journal
    The new Packet Filter software was one of the big IMPROVEMENTS over previous OpenBSD releases. Read the OpenBSD discussions about PF on deadly.org and you'll see that PF was welcomed by pretty much everyone. It surpassed IPF in ease of use, and features. No doubt since it's made by the OpenBSD folks, it's much more secure than IPF as well.

    I doubt there will be more than a handful of IPF users once they've tried OpenBSD PF.

    While I'm on the subject, this kind of action on the part of Darren really justifies Theo's decision to dropped IPF in the first place. He used to matter, but now he's just a slightly noisy fly on the wall.
    • I have to disagree with you on this one, "almost everyone" on the OpenBSD list might have loved PF, cause it was now their own little baby. But take a look at other lists (ip-filter), people were not happy with PF, last time I tried PF it was NO WHERE near as robust of IPF, as for ease of use, I would disagree there too, the syntax is similar, and IPF ALREADY was damn easy to use (compared to rulesets for CheckPoint or IP Tables or whatever). So step off dude, PF needs work before it can compare with IPF.
      • by epine ( 68316 )
        Just this morning I upgraded two of my OpenBSD machines to 3.0, along with the machine I built over the weekend from scratch.

        I've used IPF since 2.6 and IMHO it wasn't nearly easy enough to use. Each line of the file is simple, but managing conceptual changes to your firewall is a royal pain in the Perl script. So far I've just read some of the new PF documentation and skimmed the PF list from time to time. I have no doubts that PF will mature rapidly, if it isn't already. I can't believe some of the new changes to the syntax weren't made years ago.

        I've been working on the IP protocol stack for a couple of years, mainly looking at some of the latency problems with TCP/IP in signal contention networks (aka cell phones). TCP was designed to handle path contention networks and it doesn't handle signal contention at all well. The packet structure of IP is not rocket science. The TCP/IP stack is a much worse beast than what PF requires, especially if you add in all the IPv6 changes (substantial). I was reading this code yesterday. It's written clearly enough, yet hard to analyse case by case.

        What matters for the new PF implementation is making correct syscalls and handling all the error returns correctly. The OpenBSD people know all the pitfalls from years of fixing other's mistakes. If you get the syscalls right, the remaining stability issue is largely semantic. The semantics are easily demonstrated by building rulesets that work.

        The third area of concern are the efficiency tricks. I think will take another iteration at least to perfect. This area was probably neglected while the effort focussed on functionality, stability, and correctness. Try not to forget that the OpenBSD people have complete access to the IPF source code to guide them through the tricky spots.

        Theo doesn't control OpenBSD, he just controls one tree. I wasn't at all unhappy that OpenBSD chose to write PF from scratch. They've done a good job on OpenSSH, which I regard as a more challenging problem. I also regard IPv6 integration as more challenging the PF. IPv6 and IPsec are a scary beast.

        My next task is to start playing with new PF on all the new 3.0 boxes I've just configured. I'm not expecting any anguish. If my expectations are off base, I'll post again eating humble pie. I'm not saving my appetite, I don't think I'll need it.
      • Might I ask when you last tried PF? I'd enjoy an example of something than can be done in IPF that can't in PF.

        There are already examples of the reverse - namely:

        1) scrubbing
        2) variables
        3) listed elements allowing one line to do what takes many lines in IPF
        4) inbound and outbound rules on bridges

        Politics, flamefest, and egos aside, I simply believe PF is technically superior - based on the above things that PF can do that IPF can't - in addition to the common features of both - until proven otherwise.
  • ISO's (Score:3, Interesting)

    by skyhook ( 4433 ) on Tuesday January 22, 2002 @03:17PM (#2883754)
    I've never understood why people get so up in arms about the lack of downloadable ISO's for OBSD
    How the hell hard can it be to do the following?

    mkdir ~/obsd30
    cd ~/obsd30
    [use favorite method of obtaining all files from OBSD Mirror]
    cd ..
    mkisofs -b floppy30.fs -c boot.catalog -R -o obsd.iso obsd30
    cdrecord [your options] obsd30.iso

    (NOTE: I did that mkisofs off the top of my head so it's very likely wrong, but it's damn close.)

    I buy OBSD CD's to support the project, but I'm not waiting for them to arrive when the files are there for FTP.

    I just replaced a Redhat/ipfilter box (My home router) with an OpenBSD 3.0 box, my first. So I've got no legacy baggage.

    License Bigots bore me to tears. Darren reminds me of Dan Bernstein with his "My way or the highway" mentality. The QMail lists are half full of people bitching about the license, and it's why I left qmail for Postfix a long while ago (and never looked back. If djbdns had a competitor, I'd be Bernstein free.)

    If the whole point of using OpenBSD is to use something audited by the OBSD team, then the concept of using any distribution other than the one I get from ftp.OpenBSD.org is ludicrous.
  • by kjj ( 32549 ) on Tuesday January 22, 2002 @03:21PM (#2883782)

    Copyright (C) 1993-2002 by Darren Reed.

    The author accepts no responsibility for the use of this software and
    provides it on an ``as is'' basis without express or implied warranty.

    Redistribution and use, with or without modification, in source and binary
    forms, are permitted provided that this notice is preserved in its entirety
    and due credit is given to the original author and the contributors.

    The licence and distribution terms for any publically available version or
    derivative of this code cannot be changed. i.e. this code cannot simply be
    copied, in part or in whole, and put under another distribution licence
    [including the GNU Public Licence.]

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.

    I hate legalese, don't you ?

    Ironic that this relatively short license which is somewhat BSD style is actually copyleft or "viral" in nature. Look closely at the section before the diclaimer boiler-plate. Maybe it should be called the DPL (Darren Public License) BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?
    • It doesn't attempt to control linking and inclusion. Viral (gpl) means that if you use A, which is any license, and B, which is GPL, under many (not all) circumstances, your final output must be GPL.


      This lets the two pieces, mix, match,mate, link, whatever without trying to control the output.


      hawk

      • Both the GPL and the Darren Copyleft depend on what the law will consider "a derivative of this code". So there is no legal difference in how viral they are.

        Either both or neither let you mix, match, mate or link.

        It might be less restrictive than what the FSF claim of the GPL, but in that case it is becasue FSF is wrong about the GPL.
        • there is that :)


          I went deeply into the GPL a couple of years ago for LyX. I still couldn't quite figure out exactly what it meant (and I *am* a lawyer, and also hold a Ph.D. in economics & statistics . . .)


          I *am* sure that it doesn't say what the FSF claims--and now that you mention it, the static linking bit is FSF rather than GPL, isn't it?


          Darren's doesn't seem to have a distributable-as-a-whole under the licence requirement, however.


          hawk, esq.

    • BSD advocates typically rant on and on about how GPL is terrible the way it contaminates software, and yet somehow this license is considered OK?

      In that sense, the BSD is just as viral as the GPL. What they whine about is different:


      BSDites are under the illusion that they may one day want to close access to the source and become the next SUN. (This is exactly what Bill Joy did)


      They feel that if they use the GPL they wont be able to commercialize in the microsoft sense, which is true unless they own all contributions.


      Although they make alot of good server and security code, the BSD programmers have a really uptight and clannish community.

  • by psxndc ( 105904 ) on Tuesday January 22, 2002 @03:22PM (#2883783) Journal
    I think it's great that Darren released his own version of OpenBSD. I hope that many people will in fact use it and love it. I however will not be one of those people. See, to me, Theo and his attitude are good for the OS. Theo wants things his way(tm) or the highway. This means that only software that _he_ wants to run and use will be included. Would you write software that you wouldn't trust or use? Given that the rest of the OpenBSD team checks Theo's work too, I trust that the OpenBSD product will be a robust, secure OS. Darren's porduct AFAIK will only be audited by himself. This to me is not as secure or as desireable as the official OpenBSD product and therefore won't be used by me for the whole reason of using OpenBSD: security. I've never met Theo, and from what I understand he can be a real ass, but something about his analality (??) helps me sleep at night not worrying about my home network getting haX0red.

    psxndc

  • by Malor ( 3658 ) on Tuesday January 22, 2002 @03:46PM (#2883911) Journal
    I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.

    On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case :-) )

    I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.

    Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.

    I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original. :-)
    • This story made me laugh my bag off.

      TdR's imprimatur is on an -operating system-. That imprimatur has value: Theo sells what Darren is giving away. Darren's imprimatur is on a wonderful -component-. And it takes the OS I value to run whatever packet filter is used. I'm not good enough to evaluate what Darren might have changed to make his distro work, so my choices are 1) get an OS with unknown provenance, with at least one known good component, from Darren; 2) get one with known provenance, but a less-proven packet filter, from Theo; 3) stick with 2.9+ipf (which was my choice).

      I happen to think the whole ipf license 'clarification' issue was slimy, and Sturm und Drang aside, I have to admire TdR for sticking to principle and having the guts to go with a new packet filter. But I'll wait to upgrade until pf matures a bit.
  • by lamj ( 153635 ) <jasonlam@fla s h m a i l.com> on Tuesday January 22, 2002 @04:05PM (#2884003)
    I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly change his mind about his work and then another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to the license.

    I guess the moral of the story is that, all Opensource developer should bond more together and remember our real goal for opensourcing. There may be slight difference in opinion but we should get over the difference and try to produce the best software with minimal effort.

    By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....

    Being a security consultant, I will still recommend OpenBSD as FW platform, but I would wait a bit before PF, simply for the need for enough track record to be made. Let time to prove this firewall, so to speak.
    • I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly change his mind about his work and then another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to the license.

      Yes, there were lots of childish comments. However, doing a code-weighted-average in my head, it seemed like the OpenBSD group was pretty calm and considered about the whole thing. Not that I'm completely unbiased, I guess.

      A more important point is that aside from the fact that pf was pretty much a fait acompli when Darren changed his license, Theo had a very good reason for not going back to ipf - the license change is still not open enough for OpenBSD to include ipf in the kernel.

      Theo et al want OpenBSD to be usable by anyone for anything, which means that Darren's, "you can't change the license terms," clause is still a problem. (See item #2 on OpenBSD's goals [openbsd.org] page.) As far as Theo is concerned you are fully welcome to fork OpenBSD (along with pf) and license your version under the GPL, if that is your desire.

      If you don't share or value that goal, fine. But criticising Theo and/or OpenBSD for maintaining these goals is a little harsh.

    • another keep bashing and won't let IPF re-unit with OpenBSD even after some modification to
      the license


      I'd leave your troll alone, except for the upmodding it has received from some idiot.

      *NOTHING* prevents you from downloading IPF and compiling it into OpenBSD. There are *MANY* packages that aren't a part of the distribution. There are even more source tarballs that aren't part of the distribution. You want it, add it. What is so hard to understand about this?

      I guess the moral of the story is that, all Opensource developer should bond more together and remember our real goal for opensourcing.

      And OpenBSD believes in that. If one looks at the license of IPF, one realizes Darren doesn't believe in that in regards to his changing license on IPF (changing from vague to strict to loose).

      By writing separate PF, OpenBSD team has to spend extra time to re-code the new PF and going through the code audit, testing....

      And that's a bad thing? Should software only go through one audit?

      As I mentioned in a prior message, PF adds some new features (which I greatly appreciate) that I didn't have with IPF.

      Being a security consultant

      Welcome to the /. crowd. We'd offer you the secret handshake but we don't know your public key.

      but I would wait a bit before PF

      What's a bit? How long is long enough? How do you know someone didn't hack Darren's distribution? Have you run MD5 sums on all files in Darren's release to make sure that except for his changes, the code is still true OpenBSD? Did you audit his source code? How do you know he didn't inadvertantly introduce a flaw into OpenBSD?
  • by discogravy ( 455376 ) on Tuesday January 22, 2002 @04:31PM (#2884114) Homepage
    Given Theo's legendary patience and understanding, i'm sure that Theo and Darren can find a compromise they can live with and work this out.
  • This particular conflict concerning the fine OpenBSD operating system is not as simple as it seems at first glance. As a matter of fact, I believe this is a huge conspiracy by Darren Reed and his organization to eventually distribute an operating system nearly identical to OpenBSD, but with one slight modification: Darren Reed's version will include IPFilter.

    A little more investigation on your part will reveal that this is more or less what's actually going on, rather than what we're being told.


  • If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.
    It has likely taken him way longer to set up his own installer and layout than if he had just grown up and listened to reason.

    No thanks, I'm sticking with the official OpenBSD CD sets.

    hrm.. does Reed's come with a cool music track like OpenBSD 3.0 had on CD 2? :)

    Go Theo!
    • If Darren Reed hadn't been such a stubborn cock and lightened up on his licensing then perhaps ipf would still be part of the OpenBSD install.

      s/Darren Reed/Theo de Raadt/

      a little courtesy on both sides could've gone a long way. Theo truly brings out the best and worst in people.

  • Slashdot Headline: Custom OpenBSD 3.0 With djbdns/Qmail From Dan Bernstein

    # dmesg|more
    OpenBSD 3.0 (I_HATE_THEO!!!) #1: Thu Oct 18 14:48:27 MDT 2001
    djb@cr.yp.to:/usr/src/sys/arch/i386/I_HATE_THEO!!!

    Where will the insanity stop?

If you didn't have to work so hard, you'd have more time to be depressed.

Working...