Re: Linux or OpenBSD
On Wed, 24.11.2010 at 21:30:05 +0100, ropers wrote:
> On 23 November 2010 13:52, Toni Mueller wrote:
> > I usually have a use case that can be satisfied
> > with one XOR the other system
>
> So, not with both?
> You have weird use cases.

I don't think so. See e.g. these simple examples:

I prefer Linux if I need

1. Web hosting supporting e.g. the de_DE.utf8 locale: Impossible with
   OpenBSD, no-brainer with Linux (This may have changed in 4.8, didn't
   have time to look into this, yet).
2. ISDN support - OpenBSD has none (for me, a requirement for e.g. a PBX) :/

I prefer OpenBSD if I need

3. Firewall/VPNs... I find that OpenBSD really shines in this area,
   compared to Linux, and appears to be much more secure, too.
4. Routers... :)

You are welcome to comment on ways to replace Linux with OpenBSD or vice
versa in these use cases.

Kind regards,
--Toni++
Re: Linux or OpenBSD
On 23 November 2010 13:52, Toni Mueller wrote:
> I usually have a use case that can be satisfied
> with one XOR the other system

So, not with both?
You have weird use cases.
Re: Linux or OpenBSD
On Tue, 23 Nov 2010 21:53:55 +0100 Toni Mueller wrote:
> Hi,
>
> On Tue, 23.11.2010 at 14:09:48 -0500, daniel holtzman wrote:
> > Perhaps one or more developers would be curious about the crashes? Why not
> > donate the machines instead of throw them out?
>
> ok. I'm not the owner, only the janitor, for these machines. Unless I
> figure out a way to put them back to life, in which case the owner may
> decide to keep them, I'll try to ship the surplus to interested
> developers (please talk to me offline if you're interested).
>
> Kind regards,
> --Toni++

From the previous post (different results, same hw) it sounds like the
developers would be troubleshooting hardware problems, not software. I
suppose it may expose why Linux is more tolerant of the issues and may
bring about improvements or alternatively just annoy the developers
because Linux shouldn't allow this or that to occur. Similar to Windows
and Linux running fine on virtualbox but puffy saying, I'm not installing
on that shit.
Re: Linux or OpenBSD
Hi,

On Tue, 23.11.2010 at 14:09:48 -0500, daniel holtzman wrote:
> Perhaps one or more developers would be curious about the crashes? Why not
> donate the machines instead of throw them out?

ok. I'm not the owner, only the janitor, for these machines. Unless I
figure out a way to put them back to life, in which case the owner may
decide to keep them, I'll try to ship the surplus to interested
developers (please talk to me offline if you're interested).

Kind regards,
--Toni++
Re: Linux or OpenBSD
Hi,

On Tue, 23.11.2010 at 10:55:30 -0500, and...@msu.edu wrote:
> Toni, have you published a list of the hardware that's been causing you
> problems?

sorry, no I didn't think of it, yet. But I have posted to this list about
some of them, most prominently the small PCs with C7 chips.

> My experience has been different. Sure, newer hardware can have things
> like an ethernet chip that isn't yet supported, but that gets fixed over time
> in the vast majority of cases. Overall though, i386 stuff just works for me.

I'm usually aware of things that are "work in progress", and don't
complain. But my experience has been just rather mixed.

> Apologies if you've already done this. Knowing what things out there
> that don't (yet) work would benefit everyone, I think.

Agreed. The machines which I remember right now have been EOL'ed a few
months ago. My dealer also only found out when I asked for a BIOS upgrade
(go figure). A dmesg is included below.

What's really scary for me is that one particular machine works, while
the next refuses to boot, and the next after that crashes somewhere along
the way. They're all supposed to be the same and have been purchased in
one batch, too, but in fact they are very individual items (except for
the machine below, this one came separately). And then, one works with
OpenBSD 4.4, the next also works with OpenBSD 4.5, but crashes on OpenBSD
4.6, and so on. That's really hellish for me (but I blame the HW
manufacturer)! Linux, also recent Linux, works fine on all of these, as
far as I've tested them. My impression is that Linux generally copes
better with this kind of stuff, just because of much wider exposure and
much bigger manpower, but that's nothing to blame OpenBSD for.
Kind regards,
--Toni++

OpenBSD 4.7 (GENERIC) #1: Sun May 30 16:44:59 CEST 2010
    r...@w3.oeko.net:/usr/S/src.47/sys/arch/i386/compile/GENERIC
cpu0: VIA Eden Processor 1200MHz ("CentaurHauls" 686-class) 1.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2,xTPR
real mem = 1005940736 (959MB)
avail mem = 965959680 (921MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/15/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xfc0c0 (47 entries)
bios0: vendor American Megatrends Inc. version "080014" date 10/15/2008
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT
acpi0: wakeup devices PS2K(S3) PS2M(S3) USB1(S3) USB2(S3) USB3(S3) LAN1(S4) PCI1(S4) PCI2(S4) PCI3(S4) SLPB(S4) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 3, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P2)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xe600 0xce800/0x1000 0xcf800/0x1000 0xd0800/0x1000 0xe7000/0x800!
cpu0: Enhanced SpeedStep 1198 MHz: speeds: 1200, 400 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "VIA CX700 Host" rev 0x10
viaagp0 at pchb0: v3
agp0 at viaagp0: aperture at 0xf000, size 0x1000
pchb1 at pci0 dev 0 function 1 "VIA CX700 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA CX700 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA CX700 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA CX700 Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA CX700 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA S3 UniChrome Pro II IGP" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: apic 1 int 16 (irq 10), address 44:4d:50:03:0e:d6
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: apic 1 int 19 (irq 11), address 44:4d:50:32:08:19
rlphy1 at rl1 phy 0: RTL internal PHY
pciide0 at pci0 dev 15 function 0 "VIA CX700 IDE" rev 0x00: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
wd0 at pciide0 channel 1 drive 0:
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x90: apic 1 int 20 (irq 10)
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x90: apic 1 int 23 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1
viapm0 at pci0 dev 17 function 0 "VIA CX700 ISA" rev 0x00
iic0 at viapm0
pchb6 at pci0 dev 17 function 7 "VIA VX700 Host" rev 0x00
ppb1 at pci0 dev 19 function 0 "VIA CX700 Host" rev 0x00
pci2 at ppb1 bus 2
azalia0 at pci2 dev 1 function 0 "VIA HD Audi
Re: Linux or OpenBSD
Hi,

On Tue, 23.11.2010 at 17:45:16 +0100, Alexander Schrijver wrote:
> Why don't you run linux on them? You aren't being very environmentally aware
> are you?

I don't understand what you mean with this remark. The application that
I use these machines for requires OpenBSD, so there is very little point
in running Linux on them. Also, "throw out" doesn't mean that I put these
machines into the dustbin, it only means that I have to remove them from
this task.

Kind regards,
--Toni++
Re: Linux or OpenBSD
On Nov 23, 2010, at 7:50 AM, Toni Mueller wrote:
> Hi,
>
> On Sat, 23.10.2010 at 10:36:54 -0500, Marco Peereboom wrote:
>> On Oct 23, 2010, at 8:48, Toni Mueller wrote:
>>> Also, Linux is better supported by hardware vendors, and/or much less
>>> picky about hardware than OpenBSD is.
>> If you consider the garbage these vendors call drivers then sure.
>>
>> The only debate really comes down to smp and flash.
>
> nope. I regularly see hardware which is supposed to be good, and which
> gives no problems under Linux, which causes a lot of problems under
> OpenBSD. I'm just about to throw away a bunch of recent machines that
> worked fine with older OpenBSDs, but horribly crash with later
> releases, up to the point that they even refuse to boot.
>
> --
> Kind regards,
> --Toni++

Perhaps one or more developers would be curious about the crashes? Why not
donate the machines instead of throw them out?
Re: Linux or OpenBSD
Quoting Toni Mueller :
> Hi,
>
> On Sat, 23.10.2010 at 10:36:54 -0500, Marco Peereboom wrote:
>> On Oct 23, 2010, at 8:48, Toni Mueller wrote:
>> > Also, Linux is better supported by hardware vendors, and/or much less
>> > picky about hardware than OpenBSD is.
>> If you consider the garbage these vendors call drivers then sure.
>>
>> The only debate really comes down to smp and flash.
>
> nope. I regularly see hardware which is supposed to be good, and which
> gives no problems under Linux, which causes a lot of problems under
> OpenBSD. I'm just about to throw away a bunch of recent machines that
> worked fine with older OpenBSDs, but horribly crash with later
> releases, up to the point that they even refuse to boot.
>
> --
> Kind regards,
> --Toni++

Toni, have you published a list of the hardware that's been causing you
problems?

My experience has been different. Sure, newer hardware can have things
like an ethernet chip that isn't yet supported, but that gets fixed over time
in the vast majority of cases. Overall though, i386 stuff just works for me.

Apologies if you've already done this. Knowing what things out there
that don't (yet) work would benefit everyone, I think.

--STeve Andre'
Re: Linux or OpenBSD
On Tue, Nov 23, 2010 at 01:50:09PM +0100, Toni Mueller wrote:
> nope. I regularly see hardware which is supposed to be good, and which
> gives no problems under Linux, which causes a lot of problems under
> OpenBSD. I'm just about to throw away a bunch of recent machines that
> worked fine with older OpenBSDs, but horribly crash with later
> releases, up to the point that they even refuse to boot.

Why don't you run linux on them? You aren't being very environmentally aware
are you?
Re: Linux or OpenBSD
Hi,

On Sat, 23.10.2010 at 10:36:54 -0500, Marco Peereboom wrote:
> On Oct 23, 2010, at 8:48, Toni Mueller wrote:
> > Also, Linux is better supported by hardware vendors, and/or much less
> > picky about hardware than OpenBSD is.
> If you consider the garbage these vendors call drivers then sure.
>
> The only debate really comes down to smp and flash.

nope. I regularly see hardware which is supposed to be good, and which
gives no problems under Linux, which causes a lot of problems under
OpenBSD. I'm just about to throw away a bunch of recent machines that
worked fine with older OpenBSDs, but horribly crash with later
releases, up to the point that they even refuse to boot.

--
Kind regards,
--Toni++
Re: Linux or OpenBSD
Hi,

On Sun, 24.10.2010 at 08:20:35 +0530, Siju George wrote:
> On Sat, Oct 23, 2010 at 7:18 PM, Toni Mueller wrote:
> > Also, Linux is better supported by hardware vendors, and/or much less
> > picky about hardware than OpenBSD is.
> Not always, is it?

of course, my statement reflects only my experience. Which is about what
you read.

> I have had to switch from Linux to OpenBSD twice just because of
> hardware support.

For me, it's just the other way round. But leaving that aside, I usually
have a use case that can be satisfied with one XOR the other system, and
so I try to adapt the hardware to the requirements wherever possible.

--
Kind regards,
--Toni++
Re: Linux or OpenBSD
On Sat, Oct 23, 2010 at 7:18 PM, Toni Mueller wrote:
> On Wed, 22.09.2010 at 15:47:02 -0400, Brad Tilley wrote:
>> Either will work fine so long as you purchase good NICs and avoid
>> cutting-edge (untested) hardware. The only things Linux does noticeably
>> better are:
>>
>> * Dealing with SMP
>> * Dealing with lots and lots of RAM
>> * Dealing with huge file-systems
>
> Also, Linux is better supported by hardware vendors, and/or much less
> picky about hardware than OpenBSD is.
>

Not always, is it? I have had to switch from Linux to OpenBSD twice just
because of hardware support.

--Siju
Re: Linux or OpenBSD
On Oct 23, 2010, at 12:33 PM, Jean-Francois wrote:
> On Wednesday 22 September 2010 21:29:31, Rikky Taylor wrote:
>> I was after some general advice. I need to setup a routing firewall with 3
>> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>>
>> Given identical modern server hardware would I expect a performance
>> difference between an OpenBSD/PF setup and a Linux/IPTables one?
>>
>> Rikky
>
> Hello,
>
> The question mentioned before is right, a little more description of your
> infrastructure would help.
>
> I'm loving OpenBSD as a firewall, it performs well enough and is secure by
> default, so if you get rules right, you have very quickly something very good
> for an affordable effort.
>
> Most importantly, you have a very well documented firewall through man pages
> and faq, therefore a very small probability of human error, the ever
> persisting root of imperfection if I could say.

I agree with all of that. Who cares how fast your firewall is if it's
compromised? This is not to say PF/OpenBSD is slow, but my point is who
wants a Ferrari that blows up unexpectedly when you can have a perfectly
reasonable car that never blows up?

Security has many facets, but the two I deem most important are: How safe
is something from external control and how likely am I to fuck it up
allowing someone to take advantage of my system? I can't do much about the
former, except to trust people who are smarter than me and have more
experience than I, and the latter I can only select that which I believe I
won't fuck up.

The difference between PF maintenance and IPTables maintenance, in my
experience, is significant. PF can seem a little harder at first, because
it requires a little bit of thought (at least that's how I felt grokking
the new PF match rules. In the beginning of my PF experience, it was
trivial to move from ipf to pf.). But once you get it, it's a richer
toolset of options.

IPTables is just a freakin' huge, long blithering list of chained crap. It
drives me nuts messing with consumer firewalls that run IPTables.

Writing PF rules is like telling someone "go to the store and get milk",
and you might have to explain that once. Writing IPTables rules is like
telling someone "stand up". Then "Walk to door". Then "Open door". Keep
going until you get to "put milk in fridge". Oh, you might need to explain
how to walk, too.

Sean
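As an added example (not code from Sean or anyone else in this thread), here is the three-interface routing firewall with NAT from Rikky's original question written both ways: a pf.conf for OpenBSD and the iptables command sequence that expresses the same policy on Linux. The interface names (em0/em1/em2, eth0/eth1/eth2), the two inside networks, the DMZ web server address and the script name are assumptions chosen for the example; with DRY_RUN=1 the Linux function prints its commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: the three-interface
# routing firewall with NAT that Rikky asked about, written once as an
# OpenBSD pf.conf and once as the equivalent iptables command sequence.
# Interface names, the two inside networks and the DMZ web server address
# are assumptions chosen for the example.

EXT_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2            # Linux names (assumed)
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24   # inside networks (assumed)
WEB_SRV=192.168.2.10                             # DMZ web server (assumed)

# run: execute a command, or only print it when DRY_RUN=1 so the ruleset
# can be reviewed without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PF (OpenBSD 4.7+ syntax): translation is two match rules, filtering is a
# default block plus one stateful pass rule per intent. Each rule states a
# whole policy decision, with address and protocol lists written inline.
openbsd_ruleset() {
    cat <<'EOF'
ext_if = "em0"
lan_if = "em1"
dmz_if = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"

set skip on lo
match in all scrub (no-df random-id)

# outbound NAT for both inside networks to the WAN address
match out on $ext_if inet from { $lan_net, $dmz_net } nat-to ($ext_if)
# inbound HTTP redirected to the DMZ web server
match in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv

block log all
antispoof quick for { $lan_if, $dmz_if }
pass out all
pass in on $lan_if inet from $lan_net
pass in on $dmz_if inet proto { tcp, udp } from $dmz_net to any port { 53, 80, 443 }
# the redirect above has already rewritten the destination by this point
pass in on $ext_if inet proto tcp to $web_srv port 80
EOF
}

# iptables: the same policy touches the nat and filter tables separately,
# needs an explicit conntrack rule per chain, distinguishes traffic to the
# box (INPUT) from traffic through it (FORWARD), and needs one rule per
# protocol. First match wins, so the order of the -A calls is the policy.
linux_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1   # nearest thing to antispoof
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV"
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SRV" --dport 80 -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j MASQUERADE
    run iptables -A INPUT -j LOG --log-prefix "fw-drop: "
    run iptables -A FORWARD -j LOG --log-prefix "fw-drop: "
}

# Usage (script name assumed):
#   DRY_RUN=1 sh fw.sh linux      # print the iptables sequence for review
#   sh fw.sh linux                # apply it (as root, on the Linux box)
#   sh fw.sh openbsd > pf.conf    # then: pfctl -nf pf.conf to syntax-check
case "${1:-}" in
    linux)   linux_ruleset ;;
    openbsd) openbsd_ruleset ;;
esac
```

The iptables version reads as the ordered list of steps Sean describes: conntrack first, then per-chain and per-protocol accepts, translation in a separate table, logging before the policy drop. The two rulesets are equivalent in intent rather than byte for byte (rp_filter is only an approximation of antispoof, for instance), which is part of the point: the same policy has more places to get wrong in iptables, and a review with DRY_RUN=1 or `pfctl -nf` before loading is the cheap check against that.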
Re: Linux or OpenBSD
On Wednesday 22 September 2010 21:29:31, Rikky Taylor wrote:
> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Given identical modern server hardware would I expect a performance
> difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky

Hello,

The question mentioned before is right, a little more description of your
infrastructure would help.

I'm loving OpenBSD as a firewall, it performs well enough and is secure by
default, so if you get rules right, you have very quickly something very good
for an affordable effort.

Most importantly, you have a very well documented firewall through man pages
and faq, therefore a very small probability of human error, the ever
persisting root of imperfection if I could say.

Regards,
Jean-François
Re: Linux or OpenBSD
On Oct 23, 2010, at 8:48, Toni Mueller wrote:
> On Wed, 22.09.2010 at 15:47:02 -0400, Brad Tilley wrote:
>> Either will work fine so long as you purchase good NICs and avoid
>> cutting-edge (untested) hardware. The only things Linux does noticeably
>> better are:
>>
>> * Dealing with SMP
>> * Dealing with lots and lots of RAM
>> * Dealing with huge file-systems
>
> Also, Linux is better supported by hardware vendors, and/or much less
> picky about hardware than OpenBSD is.
>

If you consider the garbage these vendors call drivers then sure.

The only debate really comes down to smp and flash.

> If you are indifferent between the hackishness of iptables and the
> elegance of pf, then go with Linux because of the better hardware, and
> keep your fingers crossed that none of the security problems hit you
> (you're going to build a firewall, after all, right?).
>
>
> Kind regards,
> --Toni++
Re: Linux or OpenBSD
On Sat, 23 Oct 2010 15:48:51 +0200 Toni Mueller wrote:
> Also, Linux is better supported by hardware vendors, and/or much less
> picky about hardware than OpenBSD is.
>

Ironically, I've found a system, don't know whether it's bios setup or
what, I haven't put my finger on it yet but I can't believe it's the sony
dvd drive. You boot off it with windows 7, you need cd driver to continue
install, boot off debian, it asks for cd driver to continue install, boot
off OpenBSD and everything is fine. :-)

There are other examples too, it's not just a one way street, though
there's more traffic on the other side.

> If you are indifferent between the hackishness of iptables and the
> elegance of pf, then go with Linux because of the better hardware, and
> keep your fingers crossed that none of the security problems hit you
> (you're going to build a firewall, after all, right?).

If your hardware works or you have hardware that works (very very
likely), then use OpenBSD.
Re: Linux or OpenBSD
On Wed, 22.09.2010 at 15:47:02 -0400, Brad Tilley wrote:
> Either will work fine so long as you purchase good NICs and avoid
> cutting-edge (untested) hardware. The only things Linux does noticeably
> better are:
>
> * Dealing with SMP
> * Dealing with lots and lots of RAM
> * Dealing with huge file-systems

Also, Linux is better supported by hardware vendors, and/or much less
picky about hardware than OpenBSD is.

If you are indifferent between the hackishness of iptables and the
elegance of pf, then go with Linux because of the better hardware, and
keep your fingers crossed that none of the security problems hit you
(you're going to build a firewall, after all, right?).

Kind regards,
--Toni++
Re: Linux or OpenBSD
On Mon, 27 Sep 2010 16:24:14 +0100 - Tethys wrote:
> On Sun, Sep 26, 2010 at 11:10 PM, Brad Tilley wrote:
>
> > I don't mean this as bashing Linux, just pointing out facts. I think
> > history shows that OpenBSD has a better track record here (if that means
> > anything to anyone).
>
> Does it though? The only empirical evidence I've seen is with OpenBSD
> running in its default configuration, which I'm not aware of anyone
> actually using in the real world. I'd be interested to see how an
> OpenBSD web server or firewall fared against the Linux distributions
> and commercial unices.

The default configuration includes PF with ssh and so as you said OpenBSD
as a stateful firewall is far more secure than Linux, I don't think that PF
rules count as non default. The OpenBSD apache is said to be more secure but
this is irrelevant as the discussion was about exploits in a minimal
firewall install and so centered around the kernel, it's not clever to run
a web server or antivirus on a firewall, especially once operational.

The only possible argument for Linux here is perhaps the ease of updates,
but I've never had to update an OpenBSD basic firewall for security reasons
and so can lock it down further. Things like memory protection tell you
OpenBSD kicks ass. This is confirmed by reports of people getting
repeatedly 0wned on ipcop and switching to OpenBSD and not looking back.

IMHO the only debate here was does Linux behind OpenBSD increase or reduce
the security of the network. This would depend on many factors like what
runs on client machines and would differ for different exploits. e.g.
running snort may stop an attack against an app behind your firewall but
may open your firewall and so whole network up to attack due to a packet
parsing bug. Therefore a 1-way cable or running snort on the client or
creating bastion hosts would be the right idea, but this is often out of
the admin's control? Even when they have total control, they usually don't
bother, not willing to risk being blamed and so copy the norm. This is why
security is a process and takes a good admin and code.
Re: Linux or OpenBSD
Ah the fresh smell of paranoia on a Monday morning!

On Mon, Sep 27, 2010 at 05:00:05PM +0200, Martin Schröder wrote:
> 2010/9/27 Joachim Schipper :
> > True, but considering some of the "haha Theo suck on this" commentary I
> > recall from the rare case where OpenBSD *did* have an issue, this does
> > not necessarily reflect a total lack of effort.
>
> True, but if you read the reports about stuxnet, you start to wonder
> how many 0days are stored away for further use by some entities...
>
> We simply don't know if and who is monitoring Theo's (or yours) keystrokes.
>
> Best
> Martin
Re: Linux or OpenBSD
On Sun, Sep 26, 2010 at 11:10 PM, Brad Tilley wrote:
> I don't mean this as bashing Linux, just pointing out facts. I think
> history shows that OpenBSD has a better track record here (if that means
> anything to anyone).

Does it though? The only empirical evidence I've seen is with OpenBSD
running in its default configuration, which I'm not aware of anyone
actually using in the real world. I'd be interested to see how an
OpenBSD web server or firewall fared against the Linux distributions
and commercial unices.

Tet

--
"It seems intuitively obvious to me, which means that it might be wrong."
-- Chris Torek
Re: Linux or OpenBSD
2010/9/27 Joachim Schipper :
> True, but considering some of the "haha Theo suck on this" commentary I
> recall from the rare case where OpenBSD *did* have an issue, this does
> not necessarily reflect a total lack of effort.

True, but if you read the reports about stuxnet, you start to wonder
how many 0days are stored away for further use by some entities...

We simply don't know if and who is monitoring Theo's (or yours) keystrokes.

Best
Martin
Re: Linux or OpenBSD
On Mon, Sep 27, 2010 at 04:33:03PM +0200, Martin Schröder wrote:
> 2010/9/27 Brad Tilley :
> >> The absence of reports doesn't prove that the flaws don't exist (and
> >> no, I'm not sitting on a 0day for OpenBSD :).
> >
> > I agree. I only meant that history shows Linux has these and OpenBSD has
> > not (or very few in comparison). That does not mean OpenBSD is perfect
>
> No. History only shows that many more have been found and published in
> Linux than in OpenBSD.

True, but considering some of the "haha Theo suck on this" commentary I
recall from the rare case where OpenBSD *did* have an issue, this does
not necessarily reflect a total lack of effort.

Joachim

--
TFMotD: ftime (3) - get date and time
http://www.joachimschipper.nl/
Re: Linux or OpenBSD
2010/9/27 Brad Tilley :
>> The absence of reports doesn't prove that the flaws don't exist (and
>> no, I'm not sitting on a 0day for OpenBSD :).
>
> I agree. I only meant that history shows Linux has these and OpenBSD has
> not (or very few in comparison). That does not mean OpenBSD is perfect

No. History only shows that many more have been found and published in
Linux than in OpenBSD.

Best
Martin
Re: Linux or OpenBSD
Martin Schröder wrote:
> 2010/9/27 Brad Tilley :
>> How many privilege escalation attacks (normal user getting a root shell)
>> has OpenBSD had during the last five years? There have been several of
>
> The absence of reports doesn't prove that the flaws don't exist (and
> no, I'm not sitting on a 0day for OpenBSD :).
>
> Best
> Martin

I agree. I only meant that history shows Linux has these and OpenBSD has
not (or very few in comparison). That does not mean OpenBSD is perfect
and will never have a user to root escalation attack. Humans make mistakes
in everything, to include the writing of software.

Brad
Re: Linux or OpenBSD
2010/9/27 Brad Tilley :
> How many privilege escalation attacks (normal user getting a root shell)
> has OpenBSD had during the last five years? There have been several of

The absence of reports doesn't prove that the flaws don't exist (and
no, I'm not sitting on a 0day for OpenBSD :).

Best
Martin
Re: Linux or OpenBSD
On Sep 27 08:30:55, Ross Cameron wrote:
> I also run signed and encrypted binaries, so that even IF you get root
> your rootkit won't work.

Yo azz be invincible, true dat.
Re: Linux or OpenBSD
That I will not argue.

BUT that is the risk you take (in my wee opinion) when you run any
"enterprise" aka stable but old and tested from here to next week for
backwards compatibility OS like RHEL/SUSE Ent./Oracle Ent./AIX/Solaris/yadda
yadda yadda

The local root exploit in question does not work on my (extremely trimmed
down) Linux distro as I make a point of keeping up to date with patches and
don't run old or back ported code wherever I can get away with it.

I also run signed and encrypted binaries, so that even IF you get root
your rootkit won't work.

No shells, no PHP/Perl/Python, binary-BSD-like-init, custom package
management system, extremely cut down Glibc (only what's needed - I use
readelf a lot lately lol), chroot jails wherever a daemon is "NEEDED" but as
a firewall all I have on there is BIND, DHCPD and SQUID (statically
compiled), XML based configuration (for the OS proper, the daemons retain
their upstream configuration methodology) that is remotely dropped as an
encrypted tarball via SFTP, hardware and software encrypted solid state
welded to the board storage, and a bare minimum of drivers compiled into the
kernel and modularity expressly forbidden at compile time.

And yes I'm paranoid... must be the Pretoria water lol

"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
    Thomas Alva Edison
    Inventor of 1093 patents, including:
    The light bulb, phonogram and motion pictures.

On Mon, Sep 27, 2010 at 12:10 AM, Brad Tilley wrote:
> On 09/26/2010 04:54 PM, Kevin Chadwick wrote:
>
> > It's occurred to me that I think what Theo suggested was actually about
> > using more than one architecture, which may be a better method over
> > Linux.
>
> How many privilege escalation attacks (normal user getting a root shell)
> has OpenBSD had during the last five years? There have been several of
> these in the Linux kernel (one just this month). We tested the latest
> one and it worked against a fully-patched RHEL box that had the SELinux
> "restrictive" policy in place.
>
> I don't mean this as bashing Linux, just pointing out facts. I think
> history shows that OpenBSD has a better track record here (if that means
> anything to anyone).
>
> Brad
Re: Linux or OpenBSD
On 09/26/2010 04:54 PM, Kevin Chadwick wrote:
> It's occurred to me that I think what Theo suggested was actually about
> using more than one architecture, which may be a better method over
> Linux.

How many privilege escalation attacks (normal user getting a root shell)
has OpenBSD had during the last five years? There have been several of
these in the Linux kernel (one just this month). We tested the latest
one and it worked against a fully-patched RHEL box that had the SELinux
"restrictive" policy in place.

I don't mean this as bashing Linux, just pointing out facts. I think
history shows that OpenBSD has a better track record here (if that means
anything to anyone).

Brad
Re: Linux or OpenBSD
On Sun, 26 Sep 2010 20:53:57 +0100 Kevin Chadwick wrote:
> On Fri, 24 Sep 2010 20:32:27 +0200
> Ross Cameron wrote:
>
> > That's just my 5c worth and I've always been of the opinion that at least two
> > different skins of firewalls should be deployed, built on top of different
> > technologies.
> > Makes life a lot harder for whomever you want to keep out.
> >
>
> That's a sound and valid argument. I've even read something said to be
> by theo which suggested similar, showing his openness.

It's occurred to me that I think what Theo suggested was actually about
using more than one architecture, which may be a better method over
Linux.
Re: Linux or OpenBSD
On Fri, 24 Sep 2010 20:32:27 +0200
Ross Cameron wrote:

> That's just my 5c worth and I've always been of the opinion that at least two
> different skins of firewalls should be deployed, built on top of different
> technologies.
> Makes life a lot harder for whomever you want to keep out.
>

That's a sound and valid argument. I've even read something said to be
by theo which suggested similar, showing his openness.

There is however a counter argument which is also valid in that you may
be adding a less secure stepping stone that has access to all your traffic
therefore making an attacker's job easier. The famous saying a network is
only as secure as its weakest point could also be phrased weakest points.

Of course, the fact your Linux is specially rolled would likely make it
less of a weak point and I'm not knocking your setup but felt it important
to make the point.

Obviously layer 7 filtering, tcpdump and snort packet parsing also reduce
your firewall's security too and should be well
placed/controlled/isolated in respect to your time and
planning/processes/budget/endpoints.
Re: Linux or OpenBSD
Indeed, I never said that you CAN'T do it on OpenBSD,... I just mentioned
how I do it...

That said though, the snort+PF combo is two tools to do the job where I
only need one in the wee Linux distro that I (roll myself) use for
firewalls.

"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
    Thomas Alva Edison
    Inventor of 1093 patents, including:
    The light bulb, phonogram and motion pictures.

On Fri, Sep 24, 2010 at 9:51 PM, R0me0 *** wrote:
> You can filter layer 7 with snort
>
> For example, detect bittorrent and p2p traffic with snort and drop it
>
> 2010/9/24 Ross Cameron
>
>> Depends what you want to do exactly I suppose...
>>
>> Personally I use Linux based firewalls for many of my sites purely because
>> the clients in question want deep packet inspection (aka OSI layer 7
>> filtering) done on the network traffic.
>> But that said they are always the second skin firewalls, sitting behind
>> PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
>> filter inbound traffic.
>>
>> That's just my 5c worth and I've always been of the opinion that at least
>> two different skins of firewalls should be deployed, built on top of
>> different technologies.
>> Makes life a lot harder for whomever you want to keep out.
>>
>> "Opportunity is most often missed by people because it is dressed in
>> overalls and looks like work."
>>     Thomas Alva Edison
>>     Inventor of 1093 patents, including:
>>     The light bulb, phonogram and motion pictures.
>>
>> On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor wrote:
>>
>> > I was after some general advice. I need to setup a routing firewall with
>> > 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>> >
>> > Given identical modern server hardware would I expect a performance
>> > difference between an OpenBSD/PF setup and a Linux/IPTables one?
>> >
>> > Rikky
Re: Linux or OpenBSD
You can filter layer 7 with snort

For example, detect bittorrent and p2p traffic with snort and drop it

2010/9/24 Ross Cameron

> Depends what you want to do exactly I suppose...
>
> Personally I use Linux based firewalls for many of my sites purely because
> the clients in question want deep packet inspection (aka OSI layer 7
> filtering) done on the network traffic.
> But that said they are always the second skin firewalls, sitting behind
> PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
> filter inbound traffic.
>
> That's just my 5c worth and I've always been of the opinion that at least
> two different skins of firewalls should be deployed, built on top of
> different technologies.
> Makes life a lot harder for whomever you want to keep out.
>
> "Opportunity is most often missed by people because it is dressed in
> overalls and looks like work."
>     Thomas Alva Edison
>     Inventor of 1093 patents, including:
>     The light bulb, phonogram and motion pictures.
>
> On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor wrote:
>
> > I was after some general advice. I need to setup a routing firewall with
> > 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> >
> > Given identical modern server hardware would I expect a performance
> > difference between an OpenBSD/PF setup and a Linux/IPTables one?
> >
> > Rikky
Re: Linux or OpenBSD
Depends what you want to do exactly I suppose...

Personally I use Linux based firewalls for many of my sites purely because the clients in question want deep packet inspection (aka OSI layer 7 filtering) done on the network traffic. But that said they are always the second skin firewalls, sitting behind PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen filter inbound traffic.

That's just my 5c worth and I've always been of the opinion that at least two different skins of firewalls should be deployed, built on top of different technologies. Makes life a lot harder for whomever you want to keep out.

"Opportunity is most often missed by people because it is dressed in overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including: The light bulb, phonogram and motion pictures.

On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky
Re: Linux or OpenBSD
* Rikky Taylor [2010-09-23 20:52]:
> Isn't pretty much all hardware 64bit capable these days?

"capable" doesn't imply "better".

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: Linux or OpenBSD
On 2010-09-23, Rikky Taylor wrote:
>> F.Y.I.
>> I believe PF still? performs better on i386 than it does on amd64.
>
> So if I have a Sun X4100 should I install the i386 version of OpenBSD or should I get different hardware for a firewall?

"performs better" depends on how you rate performance. Some people will consider raw forwarding speed. Others will consider number of states. I suspect i386 is better for one of these and certainly amd64 is for the other. If you run close enough to the limits that it makes a real difference, you should be testing both for yourself.

> Isn't pretty much all hardware 64bit capable these days?

No, there's a *lot* of hardware running on arm/mips processors which aren't. Granted not a lot of it is currently running OpenBSD, but still. If you're just talking about current-production x86-compatible hardware, a lot is 64-bit capable, but there are still e.g. geodes, older VIA designs etc, which are still quite widely used and 32-bit only.
Re: Linux or OpenBSD
> F.Y.I.
> I believe PF still? performs better on i386 than it does on amd64.

So if I have a Sun X4100 should I install the i386 version of OpenBSD or should I get different hardware for a firewall?

Isn't pretty much all hardware 64bit capable these days?
Re: Linux or OpenBSD
Chris Dukes writes:

> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my ruleset?" "What's the signal to noise ratio when I ask for help fixing my rule set?"

Certainly for both the first and the second one, there's an angle that iptables users tend to forget or gloss over: With iptables you actually risk running into weird side effects since your rule set load is a shell script that loads rules incrementally and you can never really be sure what's what unless the first action in your loading script is to flush all existing rules, which of course runs a risk of both killing connections and leaving your network wide open until your block rules are in place.

> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html

Yes, it's one of the better summaries by a Linux person, actually a quite sane one. But note the date, a lot has happened on the PF side of the fence since then, not least performance-wise.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Linux or OpenBSD
On Wed, 22 Sep 2010 15:47:02 -0400 Brad Tilley wrote:

> Rikky Taylor wrote:
>> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>>
>> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>>
>> Rikky
>
> Either will work fine so long as you purchase good NICs and avoid cutting-edge (untested) hardware. The only things Linux does noticeably better are:
>
> * Dealing with SMP
> * Dealing with lots and lots of RAM
> * Dealing with huge file-systems
>
> None of those things are needed for simple firewalls.
>
> Brad

And PF will filter more packets on slower, quieter hardware, whilst using less electricity. SMP is not needed for a pure firewall because your nic should be the bottleneck b4 the cpu. It also wipes your ass by optimising the ruleset, which will be smaller and so faster to start with anyway, and fixing up Windows non-random network port usage, preventing hijacks. It's also much quicker to use and more intuitive.

Do you trust something that mangles your packets? Only joking. iptables has many options and you may find something in there you like, but a lot of it borders on useless and so you'll spend less time getting what you want done. PF does a lot of cool stuff that you may not even realise is happening, like hiding the number of machines due to timestamp randomisation. You can always use both but I'd always put in PF first. Plus the host running PF is far more secure.

I replaced ipcop with OpenBSD. It's a no brainer, as google will tell you.

F.Y.I.
I believe PF still? performs better on i386 than it does on amd64.
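As an added illustration, not from anyone in this thread, of two points made above: the reload window Peter describes for incremental iptables scripts, and the ruleset features the reply above alludes to (scrub with random-id, modulate state for ISNs, NAT with PF-chosen source ports). The script renders the three-interface NAT policy Rikky asked about both as a pf.conf and as an iptables-restore file, then shows how each is parse-checked and loaded in a single step. The interface names (em0/em1/em2), the 192.168.x.0/24 networks and the DMZ web server address are constructed placeholders; the two loaders need root and the respective tool, the renderers run anywhere.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Everything here is
# constructed for illustration: em0 is the uplink, em1 the LAN, em2 a DMZ
# holding one web server; the addresses are RFC 1918 placeholders.
# Each renderer prints a complete ruleset; each loader applies it in one
# step, so a reload never leaves the box forwarding with half a ruleset
# (the side effect of flush-then-append iptables scripts mentioned above).

EXT_IF="${EXT_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
DMZ_IF="${DMZ_IF:-em2}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
DMZ_NET="${DMZ_NET:-192.168.20.0/24}"
WEB_SRV="${WEB_SRV:-192.168.20.10}"

# pf.conf in OpenBSD 4.7+ syntax (match/nat-to/rdr-to replaced the old
# nat/rdr rules). PF macros are written \$name so the shell leaves them.
render_pf_conf() {
  cat <<EOF
ext_if = "$EXT_IF"
lan_if = "$LAN_IF"
dmz_if = "$DMZ_IF"
lan_net = "$LAN_NET"
dmz_net = "$DMZ_NET"
web_srv = "$WEB_SRV"

set skip on lo

# normalise every packet: random IP IDs, clamp the MSS
match in all scrub (no-df random-id max-mss 1440)

# HTTP/HTTPS arriving on the uplink address goes to the DMZ server
match in on \$ext_if inet proto tcp to (\$ext_if) port { 80, 443 } rdr-to \$web_srv

# both inside networks leave through the uplink address; PF chooses the
# source port, so a client's predictable port selection never hits the wire
match out on \$ext_if inet from { \$lan_net, \$dmz_net } nat-to (\$ext_if)

block log all
antispoof quick for { \$lan_if, \$dmz_if }

# modulate state rewrites TCP initial sequence numbers on the clients' behalf
pass in on \$lan_if inet from \$lan_net modulate state
pass in on \$dmz_if inet from \$dmz_net to ! \$lan_net modulate state
pass out on \$ext_if inet modulate state

# synproxy completes the handshake before the web server ever sees the SYN
pass in on \$ext_if inet proto tcp to \$web_srv port { 80, 443 } synproxy state
EOF
}

# The same policy for netfilter in iptables-restore(8) format: everything
# between a *table line and COMMIT is swapped into the kernel as one unit.
render_iptables_restore() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SRV
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $EXT_IF -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -s $DMZ_NET ! -o $LAN_IF -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $WEB_SRV -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# PF: parse only (-n) first, then replace the live ruleset in one call.
load_pf() {
  tmp=$(mktemp) || return 1
  render_pf_conf >"$tmp"
  pfctl -nf "$tmp" && pfctl -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# netfilter: parse only (--test) first, then commit table by table.
load_iptables() {
  tmp=$(mktemp) || return 1
  render_iptables_restore >"$tmp"
  iptables-restore --test "$tmp" && iptables-restore "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

case "${1:-show}" in
  pf)       load_pf ;;
  iptables) load_iptables ;;
  *)        render_pf_conf; echo; render_iptables_restore ;;
esac
```

Run with no argument to inspect both rendered rulesets; `pf` or `iptables` loads the matching one. pfctl -f and iptables-restore both replace the live ruleset or table as a unit, so the box never runs half of the old rules and half of the new, whereas a script of individual iptables calls issued after a flush is exactly the open window Peter warns about; the -n and --test runs catch syntax errors before anything is touched.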
Re: Linux or OpenBSD
I know U, rsss

I wrote several rules with netfilter for a long time until this friend said to me about OpenBSD/PF. Now I forget how to write rules with netfilter.

Sincerely. I say PF in Vein!

Regards
Spawn

2010/9/22 Chris Dukes
> On Wed, 2010-09-22 at 19:29 +, Rikky Taylor wrote:
>> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Sorry, that's just too vague to have any meaning.
> Come back with a topology and numbers for traffic and subnets.
>
>> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> You're zeroing in on the wrong metric.
> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my ruleset?" "What's the signal to noise ratio when I ask for help fixing my rule set?"
>
> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html
Re: Linux or OpenBSD
On Wed, 2010-09-22 at 19:29 +, Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.

Sorry, that's just too vague to have any meaning.
Come back with a topology and numbers for traffic and subnets.

> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?

You're zeroing in on the wrong metric.
Better metrics are "How hard is it to read my ruleset?"
"How many nasty side effects can I expect while reloading a tweak of my ruleset?" "What's the signal to noise ratio when I ask for help fixing my rule set?"

I think the following from Rusty Russell does an excellent summary

http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html
Re: Linux or OpenBSD
On Wed, Sep 22, 2010 at 08:39:36PM -0300, Nenhum_de_Nos wrote:
> On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
>> On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida wrote:
>>
>>> "Iptables is ok, until you know PF, after knowing PF you'll never use Linux, at least for firewalls, anymore".
>>>
>>> +1
>
> +1
>
> matheus
>
> --
> We will call you cygnus,
> The God of balance you shall be
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
> http://en.wikipedia.org/wiki/Posting_style

Perhaps you should stop spamming before lecturing others about top posting.
Re: Linux or OpenBSD
On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
> On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida wrote:
>
>> "Iptables is ok, until you know PF, after knowing PF you'll never use Linux, at least for firewalls, anymore".
>>
>> +1

+1

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style
Re: Linux or OpenBSD
On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida wrote:
> "Iptables is ok, until you know PF, after knowing PF you'll never use Linux, at least for firewalls, anymore".
>
> +1
Re: Linux or OpenBSD
Hi Rikky,

What I can say to you, as a former Linux user (as firewalls) is: "Iptables is ok, until you know PF, after knowing PF you'll never use Linux, at least for firewalls, anymore".

That is my experience on this subject.

Fabio Almeida

On Wed, 2010-09-22 at 19:29 +, Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky
Re: Linux or OpenBSD
On Wed, 22 Sep 2010 19:29:31 + Rikky Taylor wrote:

> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky

You are considering iptables... So you like to be hurting a lot. Go for it, nothing wrong with that, don't let anybody else's reasoning get into the way of fulfilling your fantasies.

Seriously, why would you want to give someone the impression that the gateway/firewall just works, ... use iptables if you want to keep your job; Think of your children.
Re: Linux or OpenBSD
On 22 September 2010 15:29, Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.

Define a "fair amount of NAT'ing". Twenty machines in one class C, multiple class B networks filled to capacity...? Also, I would define "moderate traffic". To some here, multiple gigabit links is moderate, to others moderate may be ten workstations as general web/email clients.

> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?

Again, it depends on the number of clients, the hardware being used, type of traffic, Linux distribution (Debian or Gentoo will typically yield better performance out-of-the-box than RHEL, Ubuntu, CentOS, etc) and various other factors. Basically, more information is needed for an informed decision but the answer will almost certainly be yes, you'll see a performance difference and it will be in favour of OpenBSD + pf.

kmw
Re: Linux or OpenBSD
Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
> Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky

Either will work fine so long as you purchase good NICs and avoid cutting-edge (untested) hardware. The only things Linux does noticeably better are:

* Dealing with SMP
* Dealing with lots and lots of RAM
* Dealing with huge file-systems

None of those things are needed for simple firewalls.

Brad