
OpenBSD's PF Developers Interview

An anonymous reader writes "ONLamp.com has published a very long interview with six of OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dhartmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."
  • by Anonymous Coward on Saturday May 08, 2004 @01:05PM (#9094214)
    Aside from the fact that netcraft said that all these people are dead, there is one thing that bugs me about this interview.

    Just like BSD, it's all done in parallel!
  • PF can Filter By OS (Score:5, Interesting)

    by zulux ( 112259 ) on Saturday May 08, 2004 @01:44PM (#9094399) Homepage Journal
    One of the cooler things 'bout PF is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server, you can specifically deny Windows from connecting with a simple PF rule.

    It's great for VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have an OpenBSD computer (or at least spoof one).

    • by Anonymous Coward
      The OS fingerprinting really has limited usefulness, because it's so easy to fool it.

      Block external Windows clients? But I'm behind an OpenBSD firewall running pf myself, so connections from my Windows machine will look like OpenBSD. (synproxy ;)

      And what happens when Longhorn starts using a TCP/IP stack indistinguishable from OpenBSD? (not that that's likely...)

      What are the chances of someone attacking (let alone successfully) an OpenBSD machine from Windows anyway? More likely they're on Linux or so.
  • Wow (Score:1, Interesting)

    by 222 ( 551054 )
    I actually read the article, and although I can't tell you too much about what it means, I can tell you that these guys sound damn smart. I mean DAMN smart.
  • I would really like to see a comparison between all of these packet filters with strengths and weaknesses and maybe an example of the filter scripts used for a few common scenarios.

    also maybe add in some ebtables+iptables stuff as well
  • AuthPF is neat too (Score:5, Informative)

    by myov ( 177946 ) on Saturday May 08, 2004 @08:48PM (#9096848)
    authpf allows you to authenticate remote users, and change the firewall rules. And it's all done by ssh'ing in with authpf as the user's shell.

    Useful if you want to hide services from the outside world (except for selected users), but you don't want the complexity of ssh tunnels/vpn. (i.e. I want to give some people access to my ftp server but hide it from the rest of the world, and not give them vpn access to the whole network)
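The two ideas in the threads above, the `os` keyword from the "PF can Filter By OS" post and the authpf anchor from this one, fit together in one ruleset. The following is a constructed example added here, not configuration from the interview or from either commenter; the interface name em0, the address 192.0.2.10 and the service choices are assumptions.

```pf
# /etc/pf.conf (constructed example, not from the page)
ext_if     = "em0"          # assumption: external interface
ftp_server = "192.0.2.10"   # assumption: internal FTP host

# pf.os is the passive fingerprint database consulted by the "os" keyword
set fingerprints "/etc/pf.os"
set skip on lo

# Default deny inbound on the external interface, logged for review.
block in log on $ext_if

# SSH only from clients whose TCP SYN matches the OpenBSD fingerprint.
# Defense in depth only: the reply above is right that a synproxy, NAT
# device or crafted stack can present this fingerprint, so this rule
# narrows exposure but does not replace key-based authentication.
pass in quick on $ext_if proto tcp from any os OpenBSD \
    to ($ext_if) port ssh

# The FTP server is unreachable from outside until a user logs in over
# SSH with authpf as their shell; authpf then loads per-user rules into
# a sub-anchor under this one and removes them when the session ends.
anchor "authpf/*"

pass out on $ext_if


# /etc/authpf/authpf.rules (constructed example, not from the page)
# authpf sets $user_ip to the address of the SSH client that just
# authenticated, so the hole is scoped to that client for that session.
ext_if     = "em0"
ftp_server = "192.0.2.10"
pass in quick on $ext_if proto tcp from $user_ip to $ftp_server port 21
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm an authenticated session actually opened something with `pfctl -a 'authpf/*' -sr`, which lists the rules currently loaded into every authpf sub-anchor.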
  • by trons ( 531753 ) on Sunday May 09, 2004 @03:34PM (#9101439)
    Don't you people understand... It is not possible for Netcraft to gather any statistical data on how many BSD machines are being used, simply because no one is *forced* to make their machine identify as a BSD machine! Quote from : "There are some, even large, companies that use BSD as routers, firewalls and even servers, without people noticing. That is a reason why no one can give current usage statistics for BSD, because no one is forced to say he is using BSD at all, or in which number." http://mirbsd.bsdadvocacy.org/?bsd-intro Drawing conclusions from statistical data without proper knowledge on the subject is Bad Practice.
  • ...until pf is ported to run on XP?