Linked by Thom Holwerda on Wed 20th Sep 2006 21:03 UTC, submitted by Jason Dixon
OpenBSD Pre-orders for OpenBSD 4.0 are now available in the online store. Five architectures on three CDs in a soft-shell DVD case. Check out the highlights of OpenBSD 4.0. This new release adds support for many wireless chipsets, as well as support for the UltraSPARC III, and much, much more.
Thread beginning with comment 164192
Try it
by tomfitzyuk on Thu 21st Sep 2006 10:49 UTC
Member since: 2006-01-25

Over the past few days I have run OpenBSD on my desktop machine (amd64).

I ran across a few problems:
1. In the console, Alt+Left and Alt+Right acted as Left and Right respectively; however, when I showed this on #openbsd, a channel member looked through the relevant source code, found the problem and submitted the diff file to the appropriate place... I think it's great OpenBSD has people like that. (Other OSs could have people who do that, I've just never seen it done through IRC). Also, I got some good advice from bsdforums.org

2. It seems impossible to transfer data to or from FTP servers from a machine with Packet Filter (OpenBSD's firewall) without allowing all out connections for high ports. This isn't much of a problem because it's unlikely anything would try to send data through those ports from the machine. It becomes less of a problem if you specify which user can send from those ports.

However, iptables is able to handle this by reading the PORT command (this is in the FTP protocol) and determining which port is going to be used for the data port.

BTW, I'm only considering passive FTP here.

3. A few programs I regularly use (mpd, ncmpc) haven't been built for 3.9 but are in current (and hence will be in 4.0). I could follow -current rather than -stable but it's not recommended (though I figure now that the ports tree has been locked, it should be fine).

When I hadn't used OpenBSD and was considering doing so, I heard that their community was the harshest out there. While OpenBSD's community is harsh (mailing lists, IRC), I think it's for two reasons:
1. People don't want to spend time answering questions which can be solved by looking in the docs (man pages, FAQ, mailing list archives, Google).
2. By not holding people's hands through setting up, maintaining and configuring OpenBSD, it forces users to learn how to research properly, which in the long run is best... IMO.

Reply Score: 4

RE: Try it
by Soulbender on Thu 21st Sep 2006 12:01 in reply to "Try it"
Member since: 2005-08-18

"However, iptables is able to handle this by reading the PORT command (this is in the FTP protocol) and determining which port is going to be used for the data port."

On a workstation I don't see why this matters in any way.
On a firewall you'd use ftp-proxy for this. Well, you could probably use ftp-proxy on a workstation too but why bother?

Reply Parent Score: 2

RE[2]: Try it
by tomfitzyuk on Thu 21st Sep 2006 12:20 in reply to "RE: Try it"
Member since: 2006-01-25

--- On a workstation I don't see why this matters in any way. ---
Just because it's a workstation doesn't mean I'm going to want it much less secure than a server. I would prefer to have one outgoing port open for FTP rather than 20,000.

--- On a firewall you'd use ftp-proxy for this. Well, you could probably use ftp-proxy on a workstation too but why bother? ---
I know ftp-proxy would be used for a firewall, to allow machines behind the firewall to use FTP properly; however, ftp-proxy doesn't allow the actual machine with PF (be that a firewall machine, or a workstation with PF) to access FTP properly.

I tried redirecting packets from 127.0.0.1 port 21 to 127.0.0.1 port 8021 (the port on which ftp-proxy listens) but this never worked.

I know it's not much of a problem, I'd just prefer to only have the necessary ports open.

As to why I'm running PF on a workstation, I'm going to uni in a week and they only allow one computer connected to their network, meaning no firewall machine... and since I need a firewall, it must be on the workstation.

Reply Parent Score: 1
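As an added illustration of the two rule sets tomfitzyuk describes (the broad "all high ports out" rule and the narrower per-user version), here is a pf.conf fragment in OpenBSD 4.0-era syntax; it is not from the thread or from the OpenBSD project. The interface name em0 and the user name tom are assumed placeholders.

```pf
# Assumed names (not from the thread): ext_if is the workstation's NIC,
# ftp_user is the one local account allowed to do passive FTP transfers.
ext_if = "em0"
ftp_user = "tom"

set skip on lo0

# Default deny in both directions; only replies to tracked state get back in.
block all

# Control channel: client -> server port 21.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state

# Weak variant (what the post describes as the only way to make passive
# FTP work): any local process may open any high port outbound.
#pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 keep state

# Narrower variant from the same post: the same rule, but only for sockets
# owned by $ftp_user. Other local processes still cannot open arbitrary
# high-port connections, and the ftp client never needs ports 1-1023.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 \
    user $ftp_user keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.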