OpenBSD 3.1 Released 315
Telent writes "OpenBSD 3.1 is out. I've been using a -current snapshot from April as my desktop, and this is truly an amazing release with lots of new PF tricks, improved driver support, and many other cool things. Get it from the master site at ftp.openbsd.org, or use a mirror when possible. Even the release art kicks butt. Enjoy!"
Thanks... (Score:2, Informative)
MicroBSD (Score:5, Interesting)
It's based upon an OpenBSD-current kernel (so you get PF and all the great OpenBSD stuff), with FreeBSD tools, an hardened installation, custom additions and ports, a stripped-down base, etc.
Re:MicroBSD (Score:1, Offtopic)
Re:MicroBSD (Score:1, Informative)
Re:MicroBSD (Score:1)
* No System User Accounts
So you got rid of that nasty root account?
Seriously, what on earth does "no system user accounts" mean?
Re:MicroBSD (Score:2)
PF for bridging. (Score:2)
I've been toying with the idea of using OpenBSD on a P75 as a wired-to-wireless network bridge. Essentially, I want to be able to have data go from my desktop machine, to this bridging computer, to a wireless AP, to the machines on the wired network that the AP is hooked up to.
Unfortunately, I've got no experience with IPF or PF, since all of my NAT needs are taken care of by a cheap-o Linksys router.
Anyone have a link for good introductory material on doing something like this?
--saint
Re:PF for bridging. (Score:1, Informative)
more specifically
http://www.openbsd.org/faq/faq10.ht
I think you will find PF the easist to use because the rules are easy to learn and make sense.
Re:PF for bridging. (Score:1, Informative)
http://www.deadly.org/pf-howto/html/
Re:PF for bridging. (Score:3, Informative)
Re:PF for bridging. (Score:3, Informative)
These might be also helpful:
OpenBSD Packet Filter [benzedrine.cx]
Re: pf and statesfull filtering on a bridge [theaimsgroup.com]
The OpenBSD Packet Filter HOWTO [deadly.org]
Re:PF for bridging. (Score:1)
It runs quite happily in HostAP mode, with bridging enabled, my wired and wireless networks are on the same subnet. Works very well.
N.B. OpenBSD 3.1 doesn't support WEP in HostAP mode, but OpenBSD-current does. This doesn't affect me, because I allow anyone to get on my network if they choose.
Re:PF for bridging. (Score:2)
Maybe not exactly what you're looking for, but this [phpwebhosting.com] is what got me introduced to OpenBSD and ipf.
Beyond that I'd check out the documentation for IPFilter [obfuscation.org] and PF [demon.nl]. Both are very good.
Actually, you'll still have to wait (Score:1, Informative)
"The files have been transferring to the main ftp mirror since last night. Once that is done they will move to the secondary mirrors and the email announcement will be sent out."
I still get "permission denied" when tryign to access the 3.1 directory. Of course this is an entirely different story if you've ordered the CDs.
Re:Actually, you'll still have to wait (Score:1)
Re:Actually, you'll still have to wait (Score:1)
Well...not quite (Score:5, Informative)
3.1 still hasn't been officially announced:
So, check back soon.
b&
Re:Well...not quite (Score:1)
*Now* (was: Re:Well...not quite) (Score:5, Informative)
To: announce@openbsd.org
Subject: OpenBSD 3.1 Released!
Date: Sun, 19 May 2002 15:03:44 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
- OpenBSD 3.1 RELEASED -
May 19, 2002.
It is our pleasure to officially announce the release of OpenBSD
3.1. This year OpenBSD turns 7 years old. In celebration of this
milestone, we invite you to enjoy our 11th release on CD-ROM (and
12th via FTP). We continue to celebrate OpenBSD's record of four
years without a remote hole in the default install. Just like all
of our previous releases, 3.1 provides significant improvements,
including new features, in nearly all areas of the system:
- Improved hardware support (http://www.OpenBSD.org/plat.html)
o Much improved support for UltraSPARC hardware. More models are
supported and X11 works on all supported models.
o Improved 802.11b support, including a host-based access point
mode for Prism chipsets (i.e. wireless bridging). It is now
possible to completely configure a wireless interface using ifconfig.
o The hardware crypto drivers now work on all PCI platforms.
o Major macppc improvements including a brand new pmap module
that cut 'make build' time by over an hour.
o Tekram TRM-S1040 based PCI SCSI controllers are now supported.
o Creative SB Live! cards are now supported.
o HiFn 7811 is now supported by the hifn driver. A long-standing
bug causing PCI aborts has also been fixed in the hifn driver.
o Kernel support for Altivec on the macppc platform.
- Major improvements in the pf packet filter:
o Significant performance improvements due to additional optimizations
based on detailed benchmarks. Filter rule evaluation cost
(which occurs for every packet that isn't passed statefully)
is reduced by about 70%.
o Stateful filtering (including address translation and redirection)
for arbitrary IP protocols other than TCP, UDP and ICMP, for
instance GRE (used for IPsec/PPTP).
o Configurable memory limits (preventing memory exhaustion).
'pfctl -m' can set an upper bound on the number of simultaneous
states or fragments.
o authpf(8), an authenticating gateway user shell, modifies filter
rules when a user logs in, controlling network access at the user
level.
o New 'fastroute', 'route-to' and 'dup-to' options allow pf to
route packets independently of the system routing table. This
can be used to e.g., implement source-based routing or to
duplicate packets to an IDS or logging host.
o Parser improvements allow further reduction of rule set complexity
('no nat', rdr port ranges, and more).
o Rule labels simplify usage of counters for accounting ('pass in
from any to any port www label http_requests').
o The 'no-route' keyword in filter rules matches packets with non-
routable addresses. E.g., 'block in quick from no-route to any'
blocks packets from non-routable source addresses.
o tcpdump(8) expressions can filter pf logs on pf-specific fields.
E.g. 'tcpdump -i pflog0 action block' prints only blocked packets.
o Additional ioctls for adding and removing state entries (used by
proxies, authpf(8) and pfctl(8)).
- Ever-improving security (http://www.OpenBSD.org/security.html)
o More fixes for potential signal handler races. Work is ongoing in
this area to fix the signal handlers in all programs, not just
privileged ones.
o sshd now supports a privilege separation mode where all incoming
network traffic takes place in an unprivileged process.
o A number of memory leaks that could lead to denial of service
attacks have been plugged.
o Several other security issues fixed throughout the system, many
of which were identified by members of the OpenBSD team themselves.
Please see http://www.OpenBSD.org/errata30.html for more details
on what was fixed.
- New subsystems included with 3.1
o A version of the venerable spell program is now included.
o Generic macros for manipulating splay trees and red-black trees.
o Support for extended attributes in the filesystem.
- Many other bugs fixed (http://www.OpenBSD.org/plus30.html)
- The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)
o The 3.1 CD-ROMs ship with many more pre-built packages for the
common architectures. The FTP site contains hundreds more
packages (for the important architectures) which we could not
fit onto the CD-ROMs.
- Many subsystems improved and updated since the last release:
o A long-standing bug in the i386 MBR that caused a hang on boot
with some machines has been fixed.
o Better sizing of kernel buffers, based on amount physical memory.
o Other memory-related limits are tunable without recompiling a
lernel via config -e.
o Improved behavior of the virtual memory system in low-memory
situations.
o ALTQ is supported by more ethernet drivers and now works on
bridged interfaces.
o Loadable kernel modules are now supported on ELF platforms.
o The 2 gigabyte file size limit has been removed from mmap(2),
vnd(4), savecore(8), dump(8), restore(8), and rcp(1).
o XFree86 updated to 4.2.0.
o sendmail updated to 8.12.2.
o Latest KAME IPv6
o KTH Heimdal-0.4e
o OpenSSH 3.2
If you'd like to see a list of what has changed between OpenBSD 3.0
and 3.1, look at
http://www.OpenBSD.org/plus31.html
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
This is our twelfth OpenBSD release, and the eleventh release which
is available on CD-ROM. Our releases have been spaced six months
apart, and we plan to continue this timing.
- SECURITY AND ERRATA
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.1 FTP/CD-ROM binaries and the actual 3.1
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems and we always provide patches as soon as
possible. Therefore, we advise regular visits to
http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html
Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:
http://www.OpenBSD.org/mail.html
- CD-ROM SALES
OpenBSD 3.1 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track by Ty
Semaka, http://www.thedevils.com/.
Profits from CD sales are the primary income source for the OpenBSD
project in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 3.1 CD-ROMs are bootable on the following six platforms:
o i386
o alpha
o sparc
o sparc64 (UltraSPARC)
o macppc
o hp300*
* The m68k-based platforms, including hp300, are located on a fourth
CD that is not included in the official CD-ROM package. You can
download the ISO image for the fourth CD as described below.
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
http://www.OpenBSD.org/orders.html
The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:
https://https.OpenBSD.org/cgi-bin/order
or, for European orders:
https://https.OpenBSD.org/cgi-bin/order.eu
All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. As well, donations to the project are highly
appreciated, as described in more detail at:
http://www.OpenBSD.org/goals.html#funding
Due to space restrictions and our desire not to raise the cost of
the CD-ROM, the Motorola 68k-based platforms are located on a
fourth CD that is not included in the official CD-ROM package.
An ISO image for this CD may be downloaded from:
ftp://ftp.openbsd.org/pub/OpenBSD-ISO/3.1-CD4.iso
This CD contains the amiga, hp300, mac68k and mvme68k install sets
as well as the m68k packages. The CD is bootable on the hp300.
Note that not all ftp mirrors will carry the CD image.
- T-SHIRT SALES
The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:
https://https.OpenBSD.org/cgi-bin/order
The new 3.1 t-shirt is not available at this time but will be
available shortly.
- FTP INSTALLS -
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.
1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:
http://www.OpenBSD.org/ftp.html
ftp://ftp.OpenBSD.org/pub/OpenBSD/3.1/ftplist
2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.1/ which contains these files and directories.
This is a list of what you will see:
Changelogs/ alpha/ macppc/ sparc64/
HARDWARE amiga/ mvme68k/ src.tar.gz
PACKAGES ftplist packages/ srcsys.tar.gz
PORTS hp300/ ports.tar.gz tools/
README i386/ root.mail vax/
XF4.tar.gz mac68k/ sparc/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:
CKSUM INSTALL.os2br comp31.tgz man31.tgz
INSTALL.ata INSTALL.pt etc31.tgz misc31.tgz
INSTALL.chs MD5 floppy31.fs xbase31.tgz
INSTALL.dbr base31.tgz floppyB31.fs xfont31.tgz
INSTALL.i386 bsd floppyC31.fs xserv31.tgz
INSTALL.linux bsd.rd game31.tgz xshare31.tgz
INSTALL.mbr cdrom31.fs index.txt
If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs file. Consult the INSTALL.i386
file if you don't know which of the floppy images you need (or
simply fetch all of them).
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
http://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 3.1 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/3.1/tools
directory to do so.
- XFree86 FOR MOST ARCHITECTURES -
XFree86 has been integrated more closely into the system. This
release contains XFree86 4.2.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During installation,
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.
On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.2.0 or where XFree86 4.2.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.
- PORTS TREE -
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.1 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see PORTS file for more information.
Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see PACKAGES, below).
- BINARY PACKAGES WE PROVIDE -
A large number of binary packages are provided. Please see PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/PACKAGES) for more details.
- SYSTEM SOURCE CODE -
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.1/ directory:
XF4.tar.gz ports.tar.gz src.tar.gz srcsys.tar.gz
- THANKS -
OpenBSD 3.1 includes artwork and CD artistic layout by Ty Semaka,
who also is featured in an audio track on the OpenBSD 3.1 CD set.
Ports tree and package building by Christian Weisgerber, David Lebel,
Marc Espie, Peter Valchev and Miod Vallat.
System builds by Theo de Raadt, Niklas Hallqvist, Todd Fries and Bob Beck.
ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.1 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.
Our developers are:
Aaron Campbell, Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bob Beck, Brad Smith, Brandon Creighton, Brian Caswell,
Brian Somers, Bruno Rohee, Camiel Dobbelaar, Chris Cappuccio,
Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn, Damien Miller,
Dan Harnett, Daniel Hartmeier, David B Terrell, David Lebel,
David Leonard, Dug Song, Eric Jackson, Federico G. Schwindt,
Grigoriy Orlov, Hakan Olsson, Hans Insulander, Heikki Korpela,
Horacio Menezo Ganau, Hugh Graham, Ian Darwin, Jakob Schlyter,
Jan-Uwe Finck, Jason Ish, Jason Peel, Jason Wright, Jean-Baptiste Marchand,
Jean-Jacques Bernard-Gundol, Jim Rees, Joshua Stein,
Jun-ichiro itojun Hagino, Kenjiro Cho, Kenneth R Westerback,
Kevin Lo, Kevin Steves, Kjell Wooding, Louis Bertrand, Marc Espie,
Marco S Hyman, Mark Grimes, Markus Friedl, Mats O Jansson, Matt Behrens,
Matt Smart, Matthew Jacob, Matthieu Herrb, Michael Shalayeff,
Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin, Miod Vallat
Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,
Oleg Safiullin, Paul Janzen, Peter Galbavy, Peter Stromberg,
Peter Valchev, Reinhard J. Sammer, Shell Hin-lik Hung, Steve Murphree,
Thierry Deval, Theo de Raadt, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Wim Vandeputte.
If you want to order this new 3CDset: (Score:3, Informative)
The new artwork really ROCKS! [openbsd.org]
Re:If you want to order this new 3CDset: (Score:2)
I they want us atheists to run it, they'd better sort that out..
Re:If you want to order this new 3CDset: (Score:2)
This atheist is very happy to be using OpenBSD. It's the only system I get the "feel" of old-time Unix from, back in the 80s -- the VAX/BSD days. The layout is just right, and the documentation is superb. Manpages are actually comprehensive and up-to-date! Most other Unix-like systems of today (I won't mention any names) give me the feeling of being designed by committee.
Don't forget... (Score:2, Informative)
Can't fight the Systemagic, Über tragic, Can't fight the Systemagic....
Re:Don't forget... (Score:1)
Re:Don't forget... (Score:1)
Shudder... that song must *never* be heard by the general public! In fact, I beseech RMS to immediately destroy all copies. I mean, how in the world can you take a movement seriously when it has such a ridiculous theme song(and off-key singing , and patchouli-invoking lyrics, etc, etc, etc...).
Re:Don't forget... (Score:1)
Re:Don't forget... (Score:1)
LMAO! Thank you so much, I had no idea they released tracks with each release. Those are some great lyrics!
How fast a computer needed? (Score:1)
Re:How fast a computer needed? (Score:2, Informative)
I run OpenBSD on a 486 with 16 MB RAM, so I would qualify your system as "overkill".
Re:How fast a computer needed? (Score:1)
Depends on what you want to use it for (Score:1)
Re:Depends on what you want to use it for (Score:2)
Quoth Sits:
If you like your uptime, have a look here [trumpetpower.com].
b&
Re:Depends on what you want to use it for (Score:1)
Re:Depends on what you want to use it for (Score:1)
Re:How fast a computer needed? (Score:5, Informative)
Quoth baywuulf:
OpenBSD will run just fine on this computer. monk.trumpetpower.com [trumpetpower.com] is running on basically that same platform, and it's never given me a hint of trouble. Not that it or my DSL would likely survive a slashdotting, but....
My laptop is a Pentium 120 with 72 Mbytes RAM. I run Konqueror and Netscape under Windowmaker on it all the time. Sure, it's not a blazing speed daemon, but it's quite useable. And it's great to take onsite--I've got Apache, a DHCP server, lots more running on a machine I can tuck under my arm. I can max out a 100 Mbit Ethernet link with Apache, which actually makes the laptop a bit more convenient in some cases than a CD for transfering files.
b&
Re:How fast a computer needed? (Score:2, Informative)
Re:How fast a computer needed? (Score:1)
Re:How fast a computer needed? (Score:2)
Re:How fast a computer needed? (Score:3, Informative)
So basically it runs quite well on OpenBSD, but you have to install the whole Linux base system (bad, bad thing if you have a small disk), as well as to enable Linux-compat in the kernel.
Re:How fast a computer needed? (Score:2)
Re:How fast a computer needed? (Score:2)
How can you tell someone else that csh will be a painful experience? You might find it a painful experience; I know I find it a painful experience. But Billions and Billions (tm) of people in the world use csh every day, and don't seem to be suffering any ill effects. The first time you run adduser it will ask you what you want the default shell to be; just make sure you install the shell you want before first running adduser.
This leaves me puzzled. What dependency issues? For instance, my shell of choice is bash, and I know I'll need to add it after installing. So in my login environment, I set up the env. variable PKG_PATH to ftp://ftp2.usa.openbsd.org/pub/OpenBSD/3.1/packag# pkg_add ${PKG_PATH}/bash-2.05.tgz
Voila!! Bash is installed. This handles dependencies automatically; if package foo depends on package bar which depends on package foobar, running pkg_add -v ${PKG_PATH}/foo.tgz will automatically install foobar first, then bar, then install foo.
ISO Images (Score:1)
Re:ISO Images (Score:4, Informative)
ISO images are copywrite to Theo de Raadt and are not distributed beyond actual cds. OpenBSD has a different support/developement model, funded through cd sales and donations.
The non US distribution points seem to be solely in Europe and can be found here [openbsd.org]
Re:ISO Images (Score:2, Informative)
Re:ISO Images (Score:2)
Quoth SpikyTux:
CD sales are a prime source of income for OpenBSD; you'll never see an official OpenBSD ISO image legally available for download.
Having said that, an ISO image really isn't necessary. You can download a floppy image and use that to do an install directly via FTP. Rather than ~600 Mbytes to transfer for an ISO, you'll only have to grab about 120 Mbytes for a full install.
More details can be found here [trumpetpower.com].
Re:ISO Images (Score:2)
The non-offical OpenBSD ISOs are trustworthy. Cheapbytes [cheapbytes.com] offers an ISO for 4.99.
Re:ISO Images (Score:2)
Re:ISO Images (Score:2)
foolish (Score:2)
Re:foolish (Score:2)
They don't. They have their own (I'd say little, but it's not that little) system going that they're kind enough (and that's not exactly accurate either) to let us outsiders enjoy. It's not exactly a Private Club, but it has a lot of that feel, and a rather exclusive club at that.
Re:ISO Images - make your own from snapshot (Score:3, Informative)
Re:ISO Images (Score:1)
Re:ISO Images (Score:2, Interesting)
i have bought several cd distributions and several t-shirts however, so don't blindly leech, i have been running an openbsd server for a couple years and i have to say it's almost *too* stable.. by the it breaks or needs upgrading i've usually forgotten how to go about doing that because it's so good you don' thave to fix shit all the time... its an excellent server, simple and elegant design, i highly reccomend trying it.
as for your isos ask on irc or look around, they probably won't be out immediately, but then if you have th ebandwidth to download the iso's you should be fine w/ an ftp install.. you don't really need the media for anything anyway, ports provides everything and the ftp install is actually faster since once you download the shit it's readily available rather than having to burn a cd and then install it..
you get cool stickers w/ the cd sets however, this alone has provided enough motivation for me in the past, the stickers are invaluable =)
Re:ISO Images (Score:2)
Gotta love OpenBSD (Score:1)
Any of you who haven't already, give it a go [openbsd.org] and watch you don't get hooked
Already have mine (Score:2, Informative)
This allowed me to spend the weekend upgrading the servers over to 3.1. The process was painless, the pre-compiled packages from ports allowed me to speed a few things up and within seconds I had everything patched against the errata and ready to go.
I would like to point out that this is the first release where ports.tar.gz works without a problem. Normally I am forced to download ports or even src.tar.gz because they refuse to be decompressed.
However, I am not looking forward my 2.9 firewall to 3.1. Since OpenBSD 3.x releases no longer support IPF, I need to have the new FP ruleset in place before I do anything serious on that machine.
Re:Already have mine (Score:1)
Yeah, I know how you feel - I'm in the same boat. And now that 2.9 is 2 versions old and not actively patched anymore, it looks like I'm gonna have to start trying pf. Not that I have anything against pf - just that my ipf rules had tons of groups in them.
Re:Already have mine (Score:1)
Re:Already have mine (Score:1, Informative)
that'll get you to 3.0
Re:Already have mine (Score:1)
Of course, thats just me. I like everything to be nice and clean
Why Darwin? (Score:1)
Re:Why Darwin? (Score:1)
minus sendmail (Score:2, Interesting)
Re:minus sendmail (Score:3, Informative)
Re:minus sendmail (Score:5, Informative)
First, Sendmail is a GREAT MTA when used properly. The way it is installed, and the way it interoperates with the system is very secure. You dont see OpenBSD machines being used as spam gateways or getting hacked due to sendmail. Its almost secure plug-and-play.
Why people think that sendmail is automatically insecure is beyond me. OpenBSD is NOT MEANT to be an "OS for dummies" (like many Linux distrobutions are trying to be). OpenBSD is meant for users who know what they are doing, and are experienced enough not to make the stupid mistakes that will get them hacked/exploited. As long as you dont do something incredibly stupid, 99% of the time the architecture OpenBSD will take care of the rest. This includes getting sendmail up and running.
Re:minus sendmail (Score:2)
Re:minus sendmail (Score:3, Informative)
Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations. A single buffer overflow would completely compromise the machine running sendmail. It was originally written with little regard to security and has a long lifespan, accumulating cruft. It should be no surprise that it has had several [securityfocus.com] vulnerabilities over the years. (That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.)
In contrast, Postfix is broken apart into several different processes. Each executes at the minimum privelege necessary to do its job. A process running as an unprivileged user inside a chroot() jail containing no setuid binaries is a minimum risk to the system. The entire system was constructed with a focus on security - both eliminating vulnerabilities like buffer overflows and minimizing their impact should they occur. It has, by comparison, an unblemished security record [securityfocus.com].
For more information on why Postfix's security is completely superior to sendmail's, please see this page [postfix.org].
Re:minus sendmail (Score:2)
Okay, I'm bored today. here [securityfocus.com] are some more. These two lists together may still not be exhaustive, but they are definitely long enough to prove my point that sendmail's security track record is very bad.
Re:minus sendmail (Score:5, Informative)
Sendmail in OpenBSD hasn't run as root since 2.9 [openbsd.org].
Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs. That's why it's included in the default install. Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement. An email regarding the why's of using Sendmail versus another MTA are here. [geocrawler.com]
I implement sendmail all the time, and I work in an IT security shop. Set up properly, it's rock solid. My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have. They heard somewhere that sendmail is insecure... Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue. These are guys that walk through firewalls and IIS webservers in moments. They're so good at this, that we give a money back guarantee, we don't get in, it's free. If OpenBSD gets popular, we might start losing money.
Re:minus sendmail (Score:2)
That's a very good change that I wasn't aware of. However, I'll keep running Postfix: user-level access is a stepping stone to full root, especially outside of a chroot() jail, since setuid executables are available to be exploited.
Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs.
When did this happen? It would be interesting to know if any of the security bugs I linked to were reported after this audit was completed. That would be proof that their confidence was misplaced. (However, even if not, I still would not trust sendmail - the real question is of course what bugs remain, not what bugs have been discovered.)
Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement.
Yes, this is exactly what I used to do when I ran OpenBSD. It would be preferable if all outside packages were in ports rather than the main tree, to make completely removing sendmail more convenient.
My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have.
It's not a knee-jerk reaction. Did you look at the links I posted? Postfix is secure by design. Sendmail is not.
Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue.
I have never exploited a new sendmail vulnerability, either. However, I am not convinced that no vulnerabilities remain to be exploited. I prefer to use something like Postfix - proper compartimentalization, much less code to be audited, so I have more faith in its correctness.
(Still not complete faith. My ideal system would have all network services implemented in a high-level language like Java. It is good to completely eliminate entire classes of vulnerabilities (buffer overflows, format strings) that occur over and over and over in software everyone uses. But comparable software does not yet exist in these languages, or I am unaware of it.)
Re:minus sendmail (Score:2)
Where on Earth did you get that silly - and wrong - idea? My FreeBSD box has the remote and local MTAs separated into totally distinct processes, and the system users several UIDs for the different components.
It's great that you like Postfix, but try to find some real advantages before you evangelize it, OK?
Re:minus sendmail (Score:2)
Why should OpenBSD replace something that has been audited and debugged extremely rigorously just to follow the dictates of fashion? Just like OpenBSD BIND will stay at version 4 instead of jumping to 8 or 9, it will continue to use sendmail. After all, sendmail works.
Remember, if sendmail is something you have strong feelings about, you don't have to install it; every other major MTA -- postfix, smail, qmail, etc. -- is in /usr/ports/mail/. It's your machine, you can run whatever you want. Even BIND 8!
Sparc64 (Score:2)
ESP filtering? (Score:1)
Mozilla (Score:2)
Packet Filtering (Score:1)
Atto
Twofish? AES? Serpent? (Score:2)
They aren't as trusted. (Score:2)
First, please note what the subject says: Twofish, Serpent and AES/Rijndael aren't as trusted. That's not at all the same as saying they're not trusted.
They are all excellent ciphers as near as anyone in the field can tell, but they are all very new. Many people in the field (myself included) are deeply skeptical of all new algorithms. Blowfish, by comparison, is about ten years old and has no significant cryptanalytic attacks against it. This makes Blowfish preferred over AES in the eyes of many cryptographers. (This is also why so many of us drool over 3DES. While it's hideously slow and inefficient, 3DES has been turning brilliant cryptanalysts into alcoholic, burned-out wrecks for 25+ years. That's amazing.)
Second, I am not aware of any cryptographer who recommends Serpent or Twofish over AES. When Rijndael won the AES selection, every cryppie in the world who wanted to make a name for himself started to throw himself at it. Hence, Serpent and Twofish have been exposed to much less cryptanalysis than AES/Rijndael. Serpent and Twofish aren't bad ciphers, but given the existence of AES, every responsible cryptographer I know strongly recommends AES over Twofish and Serpent.
Third, if I recall correctly, the OpenBSD people like Blowfish because Blowfish is about as agile as a brick. Attempting to break Blowfish by brute force is a really painful thing to think about, because setting up a new key is computationally expensive. By comparison, AES is a very agile cipher.
Fourth, it's true that AES is a blazingly fast cipher. But Blowfish is no slouch in this department, either.
So what you wind up with is Blowfish (a) is key-clumsy, which OpenBSD wants, (b) has survived almost a decade of rigorous cryptanalysis, (c) is quite fast.
OpenBSD wouldn't get any real benefit from switching to Blowfish. Why should they change?
Encrypted filesystem ? (Score:2)
OpenBSD (Score:2)
Anyone know who does the music for the OpenBSD releases?
Just in time.... (Score:2)
If I had more time, I'd have left it there and turn it into a honeypot, put some interesting fake info up and lure them in further, giving no clue that I know they're there.
Re:BSD has been outted? (Score:1)
Re:*BSD IS DYING (Score:1)
Personally, I can see FreeBSD moving more into the embedded space (as evidenced by WindRiver), as it has a smaller overall footprint than Linux, seems (warning unscientific speculation ahead) to have a slightly more robust VM,and has more "out-of-the-box" security.
One more thing, don't forget that MS has threatened to build a reference implementation of .NET for FreeBSD. (slam away!)
Re:*BSD IS DYING (Score:2)
This actually doesn't supprise me. Since MS is making an .NET implementation for MacOSX. Going from OSX (FreeBSD derrivative on Mach) to FreeBSD would be fairly trivial.
From OSOpinion [osopinion.com]: Reaffirming its support for the Macintosh platform and opening a bevy of new options for Apple's corporate direction, Microsoft this week is expected to announce its plans for implementing the .NET platform on the Mac OS.
Re:*BSD IS DYING (Score:1, Offtopic)
Re:*BSD IS DYING (Score:2)
Re:*BSD IS DYING (Score:1)
That's a choice of the BSD teams. MS is, despite their many, many, many other shortcomings, doing absolutely nothing wrong when they use BSD code in Windows.
The philosophies of the BSD and Linux crowds (or, more specifically the BSD License vs. the GPL) are radically different. In the BSD world, people are more than happy to anonymously contribute code in the hopes that it might improve other projects, proprietary or not. The GPL crowd, while also wanting to improve the quality of other projects, is unwilling to allow their code to be used in anything *but* GPLed code (with LGPL exceptions, of course). I am not going to make a judgement call on which is better (at least not on /.) but I think it is imperative that people understand that difference before flaming companies for using BSD code in their proprietary projects... because the BSD people (the ones who actually *wrote* it) don't give a flying fuck... why should you?
Re:*BSD IS DYING (Score:1, Insightful)
What I mean is that, of course Microsoft can take advantage of BSD licensed code and of course that's what the real programmers of that code had in mind -thus licensing it through BSD.
What they migth haven't in mind is that this way Microsoft can not only take the code, but take it, make it popular (hey, it's a free implementation supported by a big company, isn't it?) and *then* sligthly modify it so it only really works on the Microsoft (TM) Implementation (TM). That's the way Microsoft works and that's *really* why they love BSD license: it is not because the "gifted code" (it a good gift, yes, but Microsoft has money and programmers enough to do it by itself with not too much pain), but because BSD code, and standards based upon them are controlable by them.
(Remember RTF, SMB/CIFS, Kerberos... under some conditions, even bind has problems with Windows clients that Windows DNS hasn't).
Re:*BSD IS DYING (Score:2)
Because, as a working programmer, they are activley supporting a company which is committed to putting me out of work by pushing various legal and illegal tactics to make it hard for non-MS companies to survive. I do give a flying fuck about that, even if BSD programmers don't.
The GPL makes it difficult for programmers to make money from their code but BSD makes it impossible, in the long run, for any programmer to make money unless they have the gracious permission of people like Gates who have plenty of cash to buy government policy and national markets.
TWW
Re:*BSD IS DYING (Score:2)
I'll repeat it again for the hard of thinking: the BSD license means helping people who are totally opposed to the bulk of programmers being able to make a living. It's not the intent of the BSD license but it is the effect.
Its like making bullets and giving them away for free to a room full of people only one of whom (MS) has a gun (monopoly). It's pretty obvious whose going to get shot.
Think once, think twice, think "don't help the bastard that's trying to kill you".
TWW
Re:*BSD IS DYING (Score:2)
At least they'd have to live in fear of a disgruntled employee blowing the whistle. It's not much but it is something.
TWW
The *BSD troll IS DYING (Score:2)
You don't need to be a Kreskin to predict the "*BSD is dying" troll's future. The hand writing is on the wall: There may be no future at all for the "*BSD is dying" troll because the "*BSD is dying" troll is dying. Things are looking very bad for "*BSD is dying" troll. As many of us are already aware, the "*BSD is dying" troll continues to lose market share; red ink flows like a river of blood.
Let's keep to the facts and look at the numbers.
Troll leader Anonymous Coward states that there are 7000 users of "BSD is dying troll". How many users of "Red Hat is dying" are there? Let's see. The number of "BSD is dying" versus "Red Hat is dying" posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 "Red Hat is dying" trolls. "Mandrake is dying" troll on Usenet are about half of the volume of "Red Hat is dying" trolls. Therefore there are about 700 users of "Mandrake is dying" troll. A recent article put "Debian is dying" troll at about 80 percent of the Linux market. Therefore there are (7000+1400+700)*4 = 36400 "Debian is dying" trolls. This is consistent with the number of "Debian is dying" Usenet posts.
Due to the troubles of www.hotgrits.org, abysmal sales and so on, "Debian is dying" troll went out of business and was taken over by "Mandrake is dying" troll who sell another troubled troll.
Major marketing surveys show that the "*BSD is dying" troll has steadily declined in market share. "*BSD is dying" troll is very sick and its long term survival prospects are very dim. If the troll is to survive at all it will be among troll hobbyists and dilettantes. The "*BSD is dying" troll continue to falter. Nothing short of a miracle could save it at this point in time. For all intents and purposes, the "*BSD is dying" troll is dead.
Re:FUD? (Score:2)
Re:YouLittleDevil JustGPLTheCode Penguin :) (Score:1, Informative)
I can't be bothered to answer all of this, so here's the important (as I see them) points:
You have some great code by its the license. Why do you no GPL LGPL the code or at least parts that do not need to be BSD.
Because we *LIKE* BSDL.
BSD license is not very nice when someone yanks their code from the code base and makes it non free. How would you like it if someone gave you a gift "code" and then 6 months later took the gift back "code". Granted most coders do not do this but some do.
FUD. Code cannot be yanked from the code-base. You can't "un-license" code like that. I can take the code and add to it and sell it without revealing my source, but it will still exist in the *BSD code bases for all to see/use/whatever.
Re:BSD promotes Satanism. (Score:1)
Re:BSD promotes Satanism. (Score:1)
Re:What? a Daemon? (Score:5, Interesting)
It happened, however, that people were starting to assume that daemon meant FreeBSD at around the same time as BlowFish became popular, so the openbsd crew decided to use the fish as mascot.
Re:What? a Daemon? (Score:1)
>OpenBSD has nothing to do with the daemon, it's a FISHY!
Yeah right. There's pics like this [openbsd.org], this [openbsd.org] and several like this one [openbsd.org] that feature the good old, red BSD Daemon in them. The fish, whose name is Puffy, by the way, can be seen on some as well.
>please check it first, thus you might achieve accuracy
Exactly.Re:Remote Install Question (Score:2)
Re:OpenBSD/mac68k (Score:1)
Don't floppies work?