Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD's PF Developers Interview 110

An anonymous reader writes "ONLamp.com has published a very long interview with 6 OpenBSD's PF developers: Cedric Berger (cedric@), Can Erkin Acar (canacar@), Daniel Hartmeier (dharmei@), Henning Brauer (henning@), Mike Frantzen (frantzen@) and Ryan McBride (mcbride@). Start reading from the first half and continue with the second part."
This discussion has been archived. No new comments can be posted.

OpenBSD's PF Developers Interview

Comments Filter:
  • by Anonymous Coward on Saturday May 08, 2004 @12:05PM (#9094214)
    Aside from the fact that netcraft said that all these people are dead, there is one thing that bugs me about this interview.

    Just like BSD, its all done in parallel!
  • PF can Filers By OS (Score:5, Interesting)

    by zulux ( 112259 ) on Saturday May 08, 2004 @12:44PM (#9094399) Homepage Journal
    One of the coolers things 'bout PF, is that you can add another layer of security to your systems - if you know that you'll never use a Windows box to SSH into your OpenBSD server - you can specifically deny Windows from connecting with a simple PF rule.

    It's great of VPN stuff - all of my VPN equipment is OpenBSD - so I just don't allow any packets from any other OS. This mitigates any attack - now my attacker has to have and OpenBSD computer (or at least spoof one)

    • by Anonymous Coward
      The OS fingerprinting really has limited usefulness, because it's so easy to fool it.

      Block external Windows clients? But I'm behind an OpenBSD firewall running pf myself, so connections from my Windows machine will look like OpenBSD. (synproxy ;)

      And what happens when Longhorn starts using a TCP/IP stack indistinguishable from OpenBSD? (not that that's likely...)

      What are the chances of someone attacking (let along successfully) an OpenBSD machine from Windows anyway? More likely they're on Linux or so
  • Wow (Score:1, Interesting)

    by 222 ( 551054 )
    I actually read the article, and although i can't tell you too much about what it means, i can tell you that these guys sound damn smart. I mean DAMN smart.
  • i would really like to see a comparison between all of these packet filters with strength and weaknesses and maybe an example of the fliter scripts used for a few common scenerios.

    also maybe add in some ebtables+iptables stuff as well
    • by Homology ( 639438 ) on Saturday May 08, 2004 @05:10PM (#9096022)
      i would really like to see a comparison between all of these packet filters with strength and weaknesses and maybe an example of the fliter scripts used for a few common scenerios.

      For an example of setting up firewall for home or small office [openbsd.org], have a look at the execellent PF User Guide> [openbsd.org].

      Tired of sucky download performance when you max your upload on your ADSL connection? Well, PF solves that with packet queueing and prioritization [openbsd.org].

      • by Anonymous Coward on Sunday May 09, 2004 @10:22AM (#9099986)
        I second that about altq, I have torrents, web browsing and streaming audio all going on my crappy cable modem (upstream sucks) and the day I setup the queueing it was like putting in a second broadband connection that didn't stall or drop out. Highly recommended.

    • I can tell you, pf/ipf syntax is so easy when compared to iptables. And pf takes ipf even further by adding shortcuts to common tasks. For example, rather than setting up block rules to stop spoofing, you just do "antispoof for interface" and you're done :)

      I love OpenBSD for firewall/vpn duties... now if they'd just hurry the hell up and implement NAT-t for isakmpd i'd be a happy camper...

  • AuthPF is neat too (Score:5, Informative)

    by myov ( 177946 ) on Saturday May 08, 2004 @07:48PM (#9096848)
    authpf allows you to authenticate remote users, and change the firewall rules. And it's all done by ssh'ing in with authpf as the user's shell.

    Useful if you want to hide services from the outside world (except for selected users), but you don't want the complexity of ssh tunnels/vpn. (ie: I want to give some people access to my ftp server but hide it from the rest of the world, and not give them vpn access to the whole network)
  • by trons ( 531753 ) on Sunday May 09, 2004 @02:34PM (#9101439)
    Don't you people understand... It is not possible for Netcraft to gather any statistical data on how many BSD machines are being used, simply because no one is *forced* to make their machine identify as a BSD machine! Quote from : "There are some, even large, companies that use BSD as routers, firewalls and even servers, without people noticing. That is a reason why no one can give current usage statistics for BSD, because no one is forced to say he is using BSD at all, or in which number." http://mirbsd.bsdadvocacy.org/?bsd-intro Drawing conclusions from statistical date without proper knowledge on the subject is Bad Practice..
  • ...until pf is ported to run on XP?

A triangle which has an angle of 135 degrees is called an obscene triangle.

Working...