OpenBSD's PF Developers Interview - Slashdot

Follow Slashdot stories on Twitter

×

OpenBSD's PF Developers Interview 110

Posted by Hemos on Saturday May 08, 2004 @01:04PM from the reading-all-about-it dept.

An anonymous reader writes "ONLamp.com has published a very long interview with 6 OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dharmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."

This discussion has been archived. No new comments can be posted.

OpenBSD's PF Developers Interview

Load All Comments

Search 110 Comments Log In/Create an Account

Comments Filter:

Interview... BSD style (Score:5, Funny)

by Anonymous Coward writes: on Saturday May 08, 2004 @01:05PM (#9094214)

Aside from the fact that netcraft said that all these people are dead, there is one thing that bugs me about this interview.

Just like BSD, its all done in parallel!

Share
twitter facebook
- Re:Did they ask them... (Score:5, Informative)
  
  by grub ( 11606 ) writes: <slashdot@grub.net> on Saturday May 08, 2004 @01:18PM (#9094286) Homepage Journal
  
  pf.conf is cryptic? The manpage and demo files in /usr/share/pf are pretty handy. If you want cryptic shit, try using a Cisco PIX. I maintain 4 of them at work and they suck donkey-wang compared to PF & carp.
  
  Parent Share
  twitter facebook
- Re:Someone's gotta say it (Score:2)
  
  by dipipanone ( 570849 ) writes:
  
  Hmm. Do you think that Ryan is a clean room implementation of Darl, or has another serious breach of SCO's intellectual property taken place?
  
  If I were Ryan, I'd take to the hills before David Boies slaps him with a five billion dollar lawsuit
- Re:Bah (Score:1, Offtopic)
  
  by Erratio ( 570164 ) writes:
  
  I'd rather read the second half first, then the first half can be like a prequel.
  - Re:Bah (Score:2)
    
    by Erratio ( 570164 ) writes:
    
    Nothing more offtopic than responding to a line in the topic.
- Re:Bah (Score:2, Funny)
  
  by Anonymous Coward writes:
  
  Ahh but this is a BSD article so the slashdot effect doesn't apply; the only people here will be people that actually care, and people who just want to flame about BSD dying. So the people in the first group (all 6 of them) actually will rtfa!
  - Re:Bah (Score:1)
    
    by bro1 ( 143618 ) writes:
    
    I think you forgot the third group - random strangers (probably it's only me)
- Re:So the world wants to know... (Score:4, Informative)
  
  by Anonymous Coward writes: on Saturday May 08, 2004 @01:35PM (#9094354)
  
  Could you at least try [google.com] finding it out yourself?
  PF is the Packet Filter in OpenBSD, kind of similar to iptables/ipchains in Linux.
  
  Parent Share
  twitter facebook
- Re:So the world wants to know... (Score:1, Interesting)
  
  by Anonymous Coward writes:
  
  Packet filtering, you might think that would be mentioned in the summary... or the article. But then it wouldn't be Slashdot.
- - Re:the Failure of *BSD (Score:1)
    
    by DashEvil ( 645963 ) writes:
    
    Isn't not liking a project because of the license it's under a `nerd politic'?
    - - Dissemination is the goal (Score:5, Informative)
        
        by ^BR ( 37824 ) writes: on Sunday May 09, 2004 @10:20AM (#9099653)
        
        Spreading technology, not ideology...
        Each time some BSD code is incorporated in a proprietary product the world is likely a better place, you don't want everyone and his dog coding an IP stack, if it was the case it would not be some unpatched windows boxes that would be used as attack launch points, the would be everything from your fridge to your car...
        BTW the license does not discourage anything, it just does not make it mandatory. Common sense makes contributing back a good thing, as maintaining a fork is likely more expensive that contributing back your valuable intellectual property would cost you.
        
        Parent Share
        twitter facebook
      - Re:the Failure of *BSD (Score:3, Insightful)
        
        by DashEvil ( 645963 ) writes:
        
        You never implicity stated that you disliked it, although you could hardly call a comment like "why would you use something like bsd when you can find all the goodstuff in superior products without all the silly egos and nerd politics." friendly.
        
        You disliking it was strongly implied, and then supported by you calling it a failure right now.
        
        Of course, you believe that it is the `weak' license that made it a `failure', but you clearly do not understand the goals of project.
        
        The Goal's of the BSD projects
- Re:OpenBSD problems (Score:5, Interesting)
  
  by Anonymous Coward writes: on Saturday May 08, 2004 @01:46PM (#9094410)
  
  I've read the same thread myself, but I don't think Theo's temper is a problem for OpenBSD.
  Quite the contrary, actually.
  
  He has a project that's rock solid, and he doesn't want forks polluting OpenBSD's good reputation.
  I don't see why that's a problem. After all, OpenBSD is _his_ baby, and it's his call what to do with it.
  I'd probably do the same if I were in Theo's shoes.
  
  Parent Share
  twitter facebook
  - Re:OpenBSD problems (Score:3, Interesting)
    
    by burns210 ( 572621 ) writes:
    
    yea, it is his 'baby' but it is released under and open license, why SHOULDN'T i be able to fork openbsd if i want? If Theo wants an unforkable OS, he shouldn't have started by forking netbsd in the first place!
    - Re:OpenBSD problems (Score:2)
      
      by andkaha ( 79865 ) writes:
      
      why SHOULDN'T i be able to fork openbsd if i want?
      
      Sure, go ahead! That's what the MirBSD [bsdadvocacy.org] people did after all...
    - Re:OpenBSD problems (Score:4, Informative)
      
      by mritunjai ( 518932 ) writes: on Saturday May 08, 2004 @04:16PM (#9095310) Homepage
      
      Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)
      
      Parent Share
      twitter facebook
      - Re:OpenBSD problems (Score:1, Interesting)
        
        by CherniyVolk ( 513591 ) writes:
        
        Oh you can fork OpenBSD to your likeness, the only restriction is that you can't call your fork 'OpenBSD'... name it burnsBSD or whatever and you should be fine ;-)
        
        In most cases, the fork should be named "BrokenBSD" by default.
        
        Re:OpenBSD problems (Score:1)
        
        by CherniyVolk ( 513591 ) writes:
        
        Why was my post modded to troll?
        
        It was a compliment to OpenBSD. If you mess with
        it, you'll probably break it. Hence, some crack
        pot trying to branch his own BSD release should
        name it 'BrokenBSD'.
PF can Filers By OS (Score:5, Interesting)

by zulux ( 112259 ) writes: on Saturday May 08, 2004 @01:44PM (#9094399) Homepage Journal

One of the coolers things 'bout PF, is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server - you can specifically deny Windows from connecting with a simple PF rule.

It's great of VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have and OpenBSD computer (or at least spoof one)

Share
twitter facebook
- Re:PF can Filers By OS (Score:1, Interesting)
  
  by Anonymous Coward writes:
  
  The OS fingerprinting really has limited usefulness, because it's so easy to fool it.
  
  Block external Windows clients? But I'm behind an OpenBSD firewall running pf myself, so connections from my Windows machine will look like OpenBSD. (synproxy ;)
  
  And what happens when Longhorn starts using a TCP/IP stack indistinguishable from OpenBSD? (not that that's likely...)
  
  What are the chances of someone attacking (let along successfully) an OpenBSD machine from Windows anyway? More likely they're on Linux or so
Wow (Score:1, Interesting)

by 222 ( 551054 ) writes:

I actually read the article, and although i can't tell you too much about what it means, i can tell you that these guys sound damn smart. I mean DAMN smart.
- Re:Wow (Score:4, Insightful)
  
  by Moloch666 ( 574889 ) writes: <jeff-junk@noSPam.tds.net> on Saturday May 08, 2004 @02:32PM (#9094694) Journal
  
  We are probably the only 2 people that read this article. I'm with you though. I'm currenly running all Gentoo switched from some use of FreeBSD. I'm seriously considering switching my firewall box to OpenBSD, the features sound awesome.
  
  Parent Share
  twitter facebook
  - I read both pages, and.... (Score:1)
    
    by zogger ( 617870 ) writes:
    
    I tend to agree. After the first sentence I was lost, so they are either damn smart, or a great job of (que: jon lovitz) acttt-tinggg in the interview.
    
    I did like that os filtering idea.
  - pf also available for FreeBSD (Score:5, Informative)
    
    by FlightTest ( 90079 ) writes: on Saturday May 08, 2004 @08:08PM (#9096685) Homepage
    
    pf has been available in ports [freshports.org] for quite a while. Although it only works on the 5.x branch, I'm running it as my firewall on an old 166mhz Pentium.
    Personally, I find FreeBSD easier to deal with, but that's just me.
    
    Parent Share
    twitter facebook
  - FreeBSD has pf(4) support too (Score:2)
    
    by mi ( 197448 ) writes:
    
    See the man-pages [freebsd.org].
- Re:Wow (Score:5, Interesting)
  
  by 0racle ( 667029 ) writes: on Saturday May 08, 2004 @05:46PM (#9095880)
  
  I personally have a lot of respect for the OpenBSD team, and the pf developers in particular, some time in the next week I'll be replacing my little Linksys with a OpenBSD pf firewall, and when I sat down to write the rules for it, it was amazing and appreciated how simple it is to write the rules, and that they're understandable at the same time. Comparing it to iptables that I saw once, the ease of writing the pf rules would have been enough for me to switch over. They also have that reputation thats not bad either.
  
  Parent Share
  twitter facebook
pf vs ipf vs ipfw vs iptables (Score:1)

by ophix ( 680455 ) writes:

i would really like to see a comparison between all of these packet filters with strength and weaknesses and maybe an example of the fliter scripts used for a few common scenerios.

also maybe add in some ebtables+iptables stuff as well
- Re:pf vs ipf vs ipfw vs iptables (Score:5, Informative)
  
  by Homology ( 639438 ) writes: on Saturday May 08, 2004 @06:10PM (#9096022)
  
  i would really like to see a comparison between all of these packet filters with strength and weaknesses and maybe an example of the fliter scripts used for a few common scenerios.
  For an example of setting up firewall for home or small office [openbsd.org], have a look at the execellent PF User Guide> [openbsd.org].
  Tired of sucky download performance when you max your upload on your ADSL connection? Well, PF solves that with packet queueing and prioritization [openbsd.org].
  
  Parent Share
  twitter facebook
  - Re:pf vs ipf vs ipfw vs iptables (Score:4, Insightful)
    
    by Anonymous Coward writes: on Sunday May 09, 2004 @11:22AM (#9099986)
    
    I second that about altq, I have torrents, web browsing and streaming audio all going on my crappy cable modem (upstream sucks) and the day I setup the queueing it was like putting in a second broadband connection that didn't stall or drop out. Highly recommended.
    
    Parent Share
    twitter facebook
- Re:pf vs ipf vs ipfw vs iptables (Score:2, Interesting)
  
  by jimi1283 ( 699887 ) writes:
  
  I can tell you, pf/ipf syntax is so easy when compared to iptables. And pf takes ipf even further by adding shortcuts to common tasks. For example, rather than setting up block rules to stop spoofing, you just do "antispoof for interface" and you're done :)
  I love OpenBSD for firewall/vpn duties... now if they'd just hurry the hell up and implement NAT-t for isakmpd i'd be a happy camper...
AuthPF is neat too (Score:5, Informative)

by myov ( 177946 ) writes: on Saturday May 08, 2004 @08:48PM (#9096848)

authpf allows you to authenticate remote users, and change the firewall rules. And it's all done by ssh'ing in with authpf as the user's shell.

Useful if you want to hide services from the outside world (except for selected users), but you don't want the complexity of ssh tunnels/vpn. (ie: I want to give some people access to my ftp server but hide it from the rest of the world, and not give them vpn access to the whole network)

Share
twitter facebook
It's impossible to create reliable BSD statistics! (Score:5, Informative)

by trons ( 531753 ) writes: on Sunday May 09, 2004 @03:34PM (#9101439)

Don't you people understand... It is not possible for Netcraft to gather any statistical data on how many BSD machines are being used, simply because no one is *forced* to make their machine identify as a BSD machine! Quote from : "There are some, even large, companies that use BSD as routers, firewalls and even servers, without people noticing. That is a reason why no one can give current usage statistics for BSD, because no one is forced to say he is using BSD at all, or in which number." http://mirbsd.bsdadvocacy.org/?bsd-intro Drawing conclusions from statistical date without proper knowledge on the subject is Bad Practice..

Share
twitter facebook
So, what can XP users use... (Score:1)

by RLiegh ( 247921 ) writes:

...until pf is ported to run on XP?
- Re:So, what can XP users use... (Score:2)
  
  by Brandybuck ( 704397 ) writes:
  
  Ummm... How about OpenBSD!

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

44 commentsRedis To Adopt 'Source-Available Licensing' Starting With Next Version
38 commentsFreeBSD 14 Released
37 commentsIn Development Since 2019, NetBSD 10.0 Finally Released
8 commentsOpenBSD 7.4 Released

E = MC ** 2 +- 3db