Linked by Tony Bourke on Thu 29th Apr 2004 19:08 UTC
OpenBSD is a name synonymous with security, having earned the respect and adoration of security-conscious sysadmins everywhere. OpenBSD is used in data centers all over the world, is the basis for several security products (from OpenBSD's site), and is even the basis for Microsoft's Services For Unix.
Thanks
by Panna on Thu 29th Apr 2004 19:38 UTC

Thanks Tony,
very nice review.
Especially because it's not the notorious Xandros or Suse review.
I'd like to read more reviews about the OS with the nicest logo..

Nice review
by Gabriel Ebner on Thu 29th Apr 2004 19:59 UTC

Though the only 64-bit machine I have is an AMD64.

P.S.: Isn't it a bit late for a 3.4 review when 3.5 is going to be released in two days?

Similar to my experience
by Jason on Thu 29th Apr 2004 20:31 UTC

I ran OpenBSD (i386) for a bit to learn the system and its (hopefully the "its vs. it's" guy notices I used its correctly) security principles. And it was wonderful. Then I started doing some real work (e.g. MIT Kerberos) and things turned on me. e.g. kernel panics.

I wasn't about to become an OpenBSD kernel debugger so I switched to Slackware instead.

Cheers

about the topic of Unix tools for windows
by Duffman on Thu 29th Apr 2004 20:51 UTC
RE: about the topic of Unix tools for windows
by Eugenia on Thu 29th Apr 2004 20:53 UTC
added reminder to example /etc/pf.conf
by mike frantzen on Thu 29th Apr 2004 21:06 UTC

Just committed a reminder to the default example in /etc/pf.conf to set the net.inet.ip.forwarding and/or net.inet6.ip6.forwarding sysctls in /etc/sysctl.conf. Thanks. Took me a few minutes to remember too while setting up a test firewall at the PF hackathon a few days ago.
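
As an added example (not from the thread or from the OpenBSD tree), a POSIX shell checker for the reminder above: it reads a pf.conf and a sysctl.conf and reports whether a ruleset that forwards packets between interfaces is paired with the net.inet.ip.forwarding or net.inet6.ip6.forwarding sysctl. The file paths, interface names (hme0, qfe0) and rules are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD tree: a small checker for the
# reminder above. A pf.conf that forwards packets between interfaces does nothing
# useful until net.inet.ip.forwarding (or net.inet6.ip6.forwarding) is set to 1.

# forwarding_enabled FILE KNOB -> 0 if FILE sets KNOB=1; comments and whitespace are
# ignored and the last assignment wins, as sysctl(8) applies them in order.
forwarding_enabled() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | tr -d ' \t' | grep "^$2=" | tail -n 1 | grep -q '=1$'
}

# pf_routes_between_interfaces FILE -> 0 if FILE has nat/rdr/binat rules or pass
# rules on more than one interface, i.e. the box is meant to forward packets.
pf_routes_between_interfaces() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*(nat|rdr|binat)[[:space:]]' && return 0
    n=$(sed 's/#.*//' "$1" | grep -E '^[[:space:]]*pass' \
        | sed -nE 's/.*[[:space:]]on[[:space:]]+([A-Za-z0-9_$]+).*/\1/p' \
        | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# check_router_config PF_CONF SYSCTL_CONF -> 0 when consistent, 1 when pf.conf
# expects forwarding but neither sysctl enables it.
check_router_config() {
    pf_routes_between_interfaces "$1" || return 0   # a plain host filter needs no forwarding
    forwarding_enabled "$2" net.inet.ip.forwarding ||
        forwarding_enabled "$2" net.inet6.ip6.forwarding
}

# Constructed sample files (interface names and rules are made up for the demo).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pf.conf" <<'EOF'
ext_if="hme0"
int_if="qfe0"
nat on $ext_if from $int_if:network to any -> ($ext_if)
block in all
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if all keep state
EOF
printf 'block in all\npass out on hme0 all keep state\n' > "$tmp/pf.host"
printf 'net.inet.ip.forwarding=1   # route between interfaces\n' > "$tmp/sysctl.on"
printf 'net.inet.ip.forwarding=1\nnet.inet.ip.forwarding=0\n' > "$tmp/sysctl.off"

check_router_config "$tmp/pf.conf" "$tmp/sysctl.on" &&
    echo "ok: pf.conf forwards and the sysctl is enabled"
check_router_config "$tmp/pf.conf" "$tmp/sysctl.off" ||
    echo "warning: pf.conf forwards between interfaces but forwarding is not enabled"
```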

Re: Nice review
by bsdrocks on Thu 29th Apr 2004 21:20 UTC

P.S.: Isn't it a bit late for a 3.4 review when 3.5 is going to be released in two days?

Nope, it's never late for BSDs because there aren't that many reviews of BSDs. In the second page, he did try the snapshot of 3.5.

Use Packages Instead
by Ray on Thu 29th Apr 2004 21:36 UTC

Most times packages can solve your problems. If you had used the MySQL and PostgreSQL packages, which include various tweaks to get compilations to work better, you might have avoided your problems.

While using ports should theoretically produce the same packages, using packages is at least faster.

Correction, suggestion, and question.
by dpi on Thu 29th Apr 2004 22:37 UTC

"Pretty much the only outside services turned on in OpenBSD by default are sendmail and sshd. Otherwise, the machine is deaf to the world."

Counts only for SSHd, and perhaps you don't want the whole world to connect to your SSHd. Sendmail (+ patches) is used internally only to send you status reports. Debian uses this scheme regarding as few services as possible and an internal MTA basically as well, except that you choose how you want the MTA running. No MTA? No status reports; and you miss something without these. However I wouldn't say the "machine is deaf to the world" because it doesn't run its internal MTA.

"between Darren Reed (author of IP Filter) and Theo De Raadt (infamous head of the OpenBSD) over licensing issues led to OpenBSD creating its own packet filter."

Led to Daniel Hartmeier coding PF in silence while the flamewar continued. Then it was there, and it was available for OpenBSD 3.0 as an add-on. 3.0 still came with IPF though. Since 3.1 it has been the default and since then it has matured. PF can do much more than IPF already and also more than IPT. It is also -imo- much, much more user-friendly than either of these 2.

If I may make a suggestion, I'd suggest to experiment with SUN Ultra 5 + OpenBSD + PF + Bridging for your firewall. I think you'll like it. You can also redirect from LAN to "bogus IP" (null-routed, vlan) port 22 to the Bridge if you prefer. Or use a serial line :) Try Snort on it, with ACID, and a database backend, and enjoy your home-made Carnivore ;)

Now some questions: 1) How much power does the Ultra5 consume? 2) How high is your case? According to some statistics I read the case is 11,6 cm high (or should I say "low"?). 3) I'd also like to know how many HDDs it can hold (including taking out the CDROM player) and which HDDs the IDE interface can handle (ATA100? ATA133? Any problems regarding the size of the HDD?). The technical documentation I read doesn't correlate with what others have told me, so far...

MySQL problems in OpenBSD
by richardtoohey on Fri 30th Apr 2004 01:23 UTC

I don't know if this was the problem seen ...

In the change log for current (http://www.openbsd.org/plus.html):

"Fix a propolice bug in gcc(1) and unbreak MySQL (mysql bug id 1442)."

See: http://bugs.mysql.com/bug.php?id=1442
and: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=37...

RE: dpi
by cybrjackle on Fri 30th Apr 2004 02:38 UTC

dpi,

It can hold 2 IDE HDs + 1 if you take the CDROM out. But, the IDE bus on U5/10 really sucks. I would definitely recommend dropping a SCSI card in and jumping to SCSI drives. That is what I do w/ my U10's that I have.

whoever,

I run Gentoo on all my Sun equipment, but I have been thinking of giving *BSD a try on one of them. The whole 32 vs 64 worries me some because it sounds like I might not be able to put much on there, is that what everyone is saying? Are there many of the ports/packages built for the sparc64 arch?

thx

firewall/dhcp/router
by cybrjackle on Fri 30th Apr 2004 02:43 UTC

one other thing

If I go with OpenBSD on a U10 to set up a firewall/dhcp/router, I have some qfe cards I could use, but here is the thing: I don't know what happens, and I'm ashamed to say it ;0

I run Linux/Solaris <--not much of that anymore, anyway, only on all my boxes. My wife has a Win PC and the scary part is we have Road Runner cable and she uses the AOL thing on top of it. Is there any AOL crap that I would kill setting a firewall like that up?

I have no idea how AOL works and if I kill anything my wife does, well, you all know what will happen. :angry:

I run OpenBSD on a Sparc
by Christopher X on Fri 30th Apr 2004 03:49 UTC

It's a SparcStation 5 I believe, the fastest model they make - the 170 MHz. Great damn box, snappy and solid as a rock. However, the OpenBSD folks seem to be against the idea of you compiling a custom kernel. I can understand not supporting a custom config, but is OpenBSD that fragile that doing a custom kernel can throw the whole thing off? I'm /not/ trying to troll, it just seems strange to me. I've compiled kernels in FreeBSD and Linux before without a problem. Well, all that aside, I've long liked how clean OpenBSD feels and I even like the install method - it's all text based but it's straight to the point and very verbal about what's gonna happen. Great stuff! Looking forward to upgrading to 3.5!

RE: I run OpenBSD on a Sparc
by blah on Fri 30th Apr 2004 04:21 UTC

I run 1GHz+ SPARC machines ;)

cool analysis...!!
by BSDero on Fri 30th Apr 2004 04:44 UTC

I have some old SparcStations at home... and I have an SS10 and an SS20 with SMP.

My old SS20 would be really cool for a firewall with OpenBSD, but it doesn't support SMP. Linux does support it, but all the SPARC Linux distros are very outdated... =(

Still waiting for fedora/sparc...

BSDero

pf
by Brian P on Fri 30th Apr 2004 04:47 UTC

I learned pf first and then iptables; after doing so I certainly appreciated pf's readable grammar :-) It was quite simple and easy to use; I didn't have to patch a custom kernel, build modules, and userspace tools. I do realize that it's not netfilter's fault that everything can be right there out of the box (patch-o-matic). I thought that editing two files and using pfctl was a dream come true :-) I also like how OpenBSD handles file immutability. I can set a file to be immutable and the only way it can be changed is if you drop to runlevel 1, all the while pf is still routing traffic!!!!!!!!!!!!! In Linux you just have to be root and run chattr :-( Oh well, sorry for the rant :-)

I love Linux, however I appreciate the way some things are done in OpenBSD that make it easy to use and are security focused.

Great article.
by Anonymous on Fri 30th Apr 2004 05:32 UTC

@By cybrjackle (IP: ---.kc.rr.com) - Posted on 2004-04-30 02:38:47

What SCSI card are you using? Sun SCSI cards are expensive...

Check ftp.openbsd.org/pub/OpenBSD/3.4/packages/sparc64/ for packages available to sparc64.

@By Christopher X (IP: ---.ok.ok.cox.net) - Posted on 2004-04-30 03:49:00

I've had issues with custom kernels, so I stick to GENERIC. I haven't had any problems with GENERIC. All my hardware has been supported, and it's fairly quick.

@By BSDero (IP: ---.prodigy.net.mx) - Posted on 2004-04-30 04:44:39

NetBSD-current might support SMP on SPARC. I'm thinking about trying it on a sparcserver 20 SMP I've got. Eventually. ;)

@ cybrjackle
by dpi on Fri 30th Apr 2004 13:13 UTC

"It can hold 2 IDE HDs + 1 if you take the CDROM out. But, the IDE bus on U5/10 really sucks. I would definitely recommend dropping a SCSI card in and jumping to SCSI drives."

This is just for hobbyist purposes. A huge SCSI HDD is a bit too expensive for me, but perhaps using an IDE to SCSI converter might help. Anyway, do you have benchmarks? It doesn't need to be extremely fast. Just as long as it isn't sucky in the same way as the AlphaStation 1000A's IDE interface, which is _undocumented_ (doesn't officially exist ;) and gets less than 1 MB/sec for READ operations! In my case, the OS isn't gonna do much by itself, and the bulk data mostly only needs to be read; not written.

Btw you can expect SPARC64 to be running fine server apps. At least it runs Base fine [includes Apache 1.3.x + Patches]. I say expect, because SPARC64 is OpenBSD's (at least Theo's) favorite platform.

For a serious firewall I'd suggest a low-power consumer + CF such as Soekris (12W) or VIA C3. You can even hack OpenBSD on these since the hardware is supported.

@dpi
by Anonymous on Fri 30th Apr 2004 13:16 UTC

"because SPARC64 is OpenBSD's (at least Theo's) favorite platform."

I think it's AMD64 now ;)

RE: scsi
by cybrjackle on Fri 30th Apr 2004 13:45 UTC

Symbios Logic SYM22801

Works great on Gentoo/sparc

Btw someone said Linux is outdated; not Gentoo/Debian on SPARC.

http://dev.gentoo.org/~bazik/hw.php

pf rule examples
by SFN on Fri 30th Apr 2004 14:06 UTC

For those interested in trying out pf, there is a wiki that contains various examples of pf rules at http://zhware.ath.cx/wiki/index.php/CompendiumOfPFRules

no way
by Anonymous on Fri 30th Apr 2004 16:05 UTC
Sorry, this security-conscious sysadmin has 0 interest in openbsd. I'm a bit annoyed with the flowery language describing openbsd.

Theo is a HUGE drawback for the project. Recall, he was booted by the other developers from NetBSD for being too much of a PITA.

RE: no way
by Anonymous on Fri 30th Apr 2004 17:28 UTC

"Sorry, this security-conscious sysadmin has 0 interest in openbsd."

Well then, don't read the article, and don't comment on it. I'm a little tired of all the Linux commentary, but I don't comment about that on their threads.

You have a choice - read it or don't. Nobody will care. Leave those of us who DO read it alone.

you didn't hit the bullet
by Panna on Fri 30th Apr 2004 19:52 UTC

> I'm a little tired of all the Linux commentary,
He doesn't show himself to be a Linux advocate.
Most of them didn't know Theo at all.
And I think the security-conscious sysadmin points out a point that is valid for him:
Theo is a man that splits.
And not only Theo.
The overall tone in the newsgroups and mailing-lists is rather harsh and often unfriendly.
BUT:
Doesn't this fit into OpenBSD??
I think it fits.
The most "paranoid" operating system can't be developed by hippies.
If you don't have an "I don't care what you think" attitude you start making compromises.
And this is a behaviour you don't find in the OpenBSD camp (remember the ipfw fight).

on setting up X
by thoren on Fri 30th Apr 2004 20:59 UTC

All of the OpenBSD-sparc64 boxes I've played with so far have had a /usr/X11R6/README, which is basically a documented XF86Config for all possible Sun hardware configurations (not very long actually). Basically you can cut the middle out of it, comment out the mouse and video options you don't have, cp it to /etc/X11/, and you're all good. They even cover dual displays and such.

on setting up X
by TonyB on Fri 30th Apr 2004 21:01 UTC

I hit up Google before looking at the README, and found a working config, so it worked out fine anyway.

Why is he compiling stuff by himself from source? OpenBSD (like all the other BSDs) has a ports system that contains patches that fix compilation and runtime problems. Instead of mucking about with source, the ports are there ready to use.

I've used MySQL on OpenBSD on a sparc64 box (heck, my website ran on that for quite a while), and I never had problems with MySQL from ports. Ran like a charm right from the get go. OpenBSD's port system also creates "fake" installations and generates packages which can be used on other machines. And with the flavour system, you can tweak it to your needs.

There's actually no need to compile stuff by yourself. Many have done the problem solving already and automated it in the ports system, so use that to your advantage.

coolvibe
by TonyB on Sat 1st May 2004 08:34 UTC

If you read the article, you'd see that I used the ports version of PostgreSQL, but it died with the same error as my own compiled version. ;)

Also, the OpenBSD ports collection does not include MySQL 4.0, nor do the packages. It only includes MySQL 3.x. Perhaps 3.5 has added MySQL 4.0; I haven't checked since it was released only a few hours ago.

I prefer to compile by source for many applications, especially when comparing performance between various operating systems. I can keep the software version the same, and the build environment the same. When switching from one operating system to another, it's a great way.

Generally I don't have any problems with compiling by source on x86 systems. For non-x86, such as SPARC64, there are some pieces that don't work with basic source, and in that case I'll fall back to ports or packages. Sometimes it fixes the issue, sometimes it doesn't.

Another reason to use ports is with applications that are particularly cumbersome and/or time consuming to compile. An example would be KDE or Gnome. If it's something simple like tcsh, I'll happily use a package.

But for MySQL, PostgreSQL, Apache, OpenSSH, etc. I prefer compiling from source whenever I can. Packages and ports are convenient and can solve problems (but not always), but aren't a total replacement. That'd be rather silly if it were.

RE: you didn't hit the bullet
by Wrawrat on Sat 1st May 2004 14:20 UTC

...and you didn't either. I'm pretty sure his point was that he's tired of all the praise that Linux gets, so he doesn't read these Linux articles nor post a "you all suck" post just because he doesn't like it.