Linked by Oliver on Fri 11th Mar 2011 23:32 UTC
GNU, GPL, Open Source "Now that Linux is the most popular free Unix-like operating system, it shouldn't be a surprise that some projects have begun treating non-Linux operating systems as second-class citizens. This isn't out of contempt for the BSDs or OpenSolaris, it's just a matter of limited manpower: if almost all the users of the application have a Linux operating system and if all the core developers are using Linux themselves, it's difficult to keep supporting other operating systems. But sometimes the choice to leave out support for other operating systems is explicitly made, e.g. when the developers want to implement some innovative features that require functionality that is (at least for now) only available in the Linux kernel."
Thread beginning with comment 465964
RE[5]: Not mutually exclusive
by tony on Sun 13th Mar 2011 07:47 UTC in reply to "RE[4]: Not mutually exclusive"
tony
Member since:
2005-07-06

What does OpenBSD do that Linux doesn't?

pf and a proper, simple and elegant packet filtering DSL. Stateful packet filtering that can be synced between multiple failover firewalls.
bgp that integrates seamlessly into the packet filter and understands VRRP/CARP states.
CARP
IPSEC implementation that can be understood and configured by mere mortals.
Great man pages.
I'd go on but I have other things to do today.

I asked for things that OpenBSD provides that Linux doesn't.

That's mostly a list of features that Linux already provides, via various open-source projects, kernel modules, or VM appliances like Vyatta. In fact, Vyatta makes it easier to set up network routing and services than it is in OpenBSD (although that's a matter of exposure and experience).

The rest are nit-picky rhetoric. pf? I like pf. I liked it when it was ipfilter, and OpenBSD decided to make their own. I prefer it over Linux firewalling, but they both provide Layer 4 firewalling.

The problem is, Layer 4 isn't enough anymore. Attack vectors are mostly Layer 7 now, SQL injections and the like. OpenBSD has nothing for that, save for what you can run on top of it like ModSecurity (which you can do on Linux, and better, because Linux almost always trounces OpenBSD in performance and scalability).

Decent man pages? That's a matter of opinion. And in the age of Google and project communities, man pages are nice, but not a viable differentiator. Certainly if that's what a project makes it stand on, it doesn't have much to stand on.

IPSEC by mere mortals? I think you're suffering from what's known as "the curse of knowledge". Most of us find it incredibly difficult when we understand something intimately to comprehend how someone else could find it difficult. Case in point: http://www.symantec.com/connect/articles/zero-ipsec-4-minutes

That doesn't look "mere mortal"-ish to me, but I don't do OpenBSD IPSEC configuration. I understand Cisco CLI (both IOS and NX-OS) like the back of my hand, but it drives newcomers insane (as it did me).


Oh yeah, and OpenSSH. You know, the dominant SSH implementation, but since it's actually portable I guess it doesn't count in this context.

It's portable and ubiquitous, pretty much the only game in town.

I'm all for variety, but the BSDs haven't kept up. They have niche uses (and incredibly good ones) and I don't think they should be abandoned (I use FreeNAS for instance, although its ZFS implementation was a joke).

Data centers are moving towards virtualization because power and cooling are running out. iSCSI, FCoE, and 10 Gbit are where storage is moving to. Security is being breached with SQL injection and other Layer 7 attacks.

The BSDs aren't leading in any of those areas. They're following, or just outright deficient.

Reply Parent Score: 4
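What the quoted list ("stateful packet filtering that can be synced between multiple failover firewalls", CARP) looks like in practice on one of a pair of OpenBSD firewalls. This is an added illustration, not configuration posted by any commenter in this thread; interface names, addresses and the CARP password are placeholders, and the second firewall would carry the same files with its own addresses and a higher advskew.

```conf
# /etc/hostname.em0 -- physical external interface (placeholder address)
inet 192.0.2.11 255.255.255.0

# /etc/hostname.carp0 -- shared virtual address; the peer uses the same vhid
# and pass but advskew 100, so this box is the preferred MASTER
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CHANGEME carpdev em0 advskew 0

# /etc/hostname.em2 -- dedicated crossover link used only for state sync
inet 10.10.10.1 255.255.255.0

# /etc/hostname.pfsync0 -- replicate the pf state table over em2
up syncdev em2

# /etc/sysctl.conf -- lowest advskew takes the MASTER role back after recovery
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo

# CARP advertisements and pfsync updates must never be blocked,
# otherwise both boxes think they are MASTER (split brain)
pass quick on $sync_if proto pfsync
pass quick on { $ext_if $int_if } proto carp

block log all

# states created by these rules are replicated by pfsync, so a failover
# keeps established TCP sessions; add "no-sync" to a rule to opt out
pass out on $ext_if inet keep state
pass in  on $ext_if inet proto tcp from any to carp0 port 22 keep state
```

After `sh /etc/netstart` and `pfctl -f /etc/pf.conf`, `ifconfig carp0` reports MASTER on one box and BACKUP on the other, and `pfctl -ss` on the backup lists the same states as the master. The caveat a practitioner wants: pfsync traffic is neither authenticated nor encrypted, so anyone on the sync segment can inject states; the sync interface belongs on a dedicated link, not on a shared LAN. The CARP `pass` is only hashed into advertisements, so it protects the MASTER election, not the state data.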

RE[6]: Not mutually exclusive
by Oliver on Sun 13th Mar 2011 07:57 in reply to "RE[5]: Not mutually exclusive"
Oliver Member since:
2006-07-15

Linux is following MacOS and Windows on the desktop. It's the copycat of Solaris etc. on the server. Leading? Linux is a UNIX mock-up, hopping around between technologies because they don't have a clue about long-term goals. You know, software design instead of mere hacks, that just work.

Reply Parent Score: 4

RE[7]: Not mutually exclusive
by Phucked on Tue 15th Mar 2011 17:27 in reply to "RE[6]: Not mutually exclusive"
Phucked Member since:
2008-09-24

Linux is following MacOS and Windows on the desktop. It's the copycat of Solaris etc. on the server. Leading? Linux is a UNIX mock-up, hopping around between technologies because they don't have a clue about long-term goals. You know, software design instead of mere hacks, that just work.


Can you make a point without trolling Linux?

Yes, Linux is a Unix clone, a clean-room interpretation of UNIX if you will. Its goals are whatever one can think of and more!

I remember back in the 90's when the UNIX old guard used to laugh at Linux and say it matters not because it does not run any big servers or supercomputers, it does not scale beyond 4 CPUs, it's only usable on x86 and m68k CPUs, etc...

Now Linux leads the way in terms of supercomputer use, it's more portable than NetBSD, it scales up to and beyond 4,096 CPUs. Now if I could go back to those usergroups I used to read and say "how do you like Linux now?", maybe they would be speechless!

Reply Parent Score: 1

Soulbender Member since:
2005-08-18

I asked for things that OpenBSD provides that Linux doesn't.


And I gave you a number of them.

In fact, Vyatta makes it easier to setup network routing and services than it is in OpenBSD


Uhm, not in my book.

That doesn't look "mere mortal"-ish to me


Welcome to 5 years ago. Perhaps you should keep up to date with what's going on in OpenBSD instead of blindly assuming they're lagging.


The problem is, Layer 4 isn't enough anymore


No, of course it isn't but it's still important. And we're talking about networking and firewalls here, not web hosting.

Data centers are moving towards virtualization because power and cooling are running out. iSCSI, FCoE, and 10 Gbit are where storage is moving to.


Right, and what do you run on virtualization? Operating systems. Like BSD. And Linux. And Windows.
Virtualization is great because the host supports all these technologies like iSCSI, FCoE etc., so that the guests don't have to worry about it.

The BSDs aren't leading in any of those areas


And what? Linux is? KVM is awesome but not exactly a leader.

Edited 2011-03-13 08:08 UTC

Reply Parent Score: 2

RE[6]: Not mutually exclusive
by oiaohm on Mon 14th Mar 2011 02:18 in reply to "RE[5]: Not mutually exclusive"
oiaohm Member since:
2009-05-30

What does OpenBSD do that Linux doesn't?

pf and a proper, simple and elegant packet filtering DSL. Stateful packet filtering that can be synced between multiple failover firewalls.
bgp that integrates seamlessly into the packet filter and understands VRRP/CARP states.
CARP
IPSEC implementation that can be understood and configured by mere mortals.
Great man pages.
I'd go on but I have other things to do today.

You were asked for what BSD does that Linux does not. I see a BSD person who has not been following what Linux can do. Yes, all those features do exist for Linux.

CARP and VRRP are done differently, as userspace plugins into the firewall. In particular with VRRP, which has a patent issue, this avoids the GPL licence of the Linux kernel. http://off.net/~jme/vrrpd/ and http://www.ucarp.org. Technically, VRRP support in the kernel could come back and legally affect you. Also there are other solutions Linux can use as well. http://www.linuxvirtualserver.org/ That is something BSD has no support for, and it predates both VRRP and CARP. So a lot of areas running pure Linux have had no reason to implement either VRRP or CARP, since LVS covers all the networking layers and VRRP and CARP don't.

IPSEC is not that hard on Linux.

Functionally, in Linux it is done differently, since netfilter on Linux is a hybrid design: part userspace, part kernel space. And it really makes bugger all difference for performance whether part is userspace or kernel space. It makes a difference for security and issue handling. If CARP or VRRP goes wrong in Linux you can kill the services and restart them, no stuff-up. The same cannot be said of the OpenBSD implementation.

And as to pfsync, BSD's golden card: it is not so golden. conntrack-tools, another userspace add-on, gives pfsync-style state sync between servers. What is the advantage of this? conntrack-tools and the kernel don't have to match. So all machines can be on the same conntrack-tools even if they are running different kernels. So state syncing is not kernel dependent for operation. Also, in broken sync transfers conntrack is simple to terminate. Of course most BSD users have never enabled conntrack on Linux to find that a lot of the missing firewall features magically appear once conntrack is enabled with its userspace parts. The userspace parts are responsible for the sync.

Simple fact: your claims were valid 5 years ago. Not valid now. Linux has implemented the features differently, that is all. The problem is taking the BSD implementation way, looking at Linux the same way and saying features are missing when they are not. Linux kernel + a set of userspace parts is the Linux firewall system, whereas BSD is more contained to the kernel.

Even bgp support also can integrate seamlessly into Linux firewall.

Reply Parent Score: 2
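For comparison with the pfsync setup discussed above, this is what the userspace state sync oiaohm refers to looks like on Linux: the conntrackd.conf from conntrack-tools, in the reliable (FTFW) replication mode. It is an added illustration, not configuration posted by any commenter; the multicast group, addresses and eth2 are placeholders for a dedicated sync link, and the buffer sizes are ordinary starting values rather than tuned ones.

```conf
# /etc/conntrackd/conntrackd.conf (placeholder addresses; eth2 is the sync link)
Sync {
    Mode FTFW {
        # FTFW: replication with acknowledgements and resend, so a lost
        # multicast packet does not silently drop a state on the backup
        DisableExternalCache Off
        CommitTimeout 1800
        PurgeTimeout 5
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 10.10.10.1
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        # integrity against corruption only, not authentication
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        # only replicate the connection types that survive a failover usefully
        Protocol Accept {
            TCP
            UDP
        }
        # never replicate the sync traffic itself or loopback
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 10.10.10.1
        }
    }
}
```

The daemon only replicates the state table; the failover decision comes from a separate VRRP or ucarp process, whose notify script drives conntrackd on a role change: on becoming master, `conntrackd -c` commits the replicated (external) cache into the kernel table, then `-f` flushes the caches, `-R` resynchronises with the kernel and `-B` sends a bulk update to the peer; on becoming backup, `-t` resets the state timers and `-n` requests a resync. `conntrackd -s` shows how many states are in the internal and external caches, which is the check that the two boxes actually agree. The same caveat as for pfsync applies: the multicast sync stream is unauthenticated, so it belongs on a dedicated segment.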

Soulbender Member since:
2005-08-18

I see a BSD person who has not been following what Linux can do.


Actually, since I've been using BSD, Linux and Windows daily in a professional capacity for more than 10 years, I know exactly what they can and can't do. The point, and I wasn't really clear on that, is that I get all the features I need for a solid firewall out of the box with OpenBSD. I don't have to go hunting for solution X and somehow make that work with solution Y. It's all there and it's well integrated from the moment installation is done.
Perhaps Linux has some or all of these things now, but there was a time when it didn't.

Technically VRRP support in kernel could come back and legally effect you.


Well, that's why we have CARP, and admittedly I forgot that it has been ported to Linux. Still, it originated on BSD while Linux was stuck with patent-encumbered VRRP. It's something that BSD had while Linux didn't.
Btw, LVS is using VRRP.

IPSEC is not that hard on linux.

Perhaps not, but it's harder. Of course, you can just use OpenVPN instead, which works on many platforms, proving that innovation does not depend on making stuff Linux-only.

The problem is taking the BSD implementation way and looking at Linux the same way and saying features are missing when they are not.


Wow, that's almost like how you guys do it, only vice versa.
"Linux is doing it in userspace and thus it's much better. There are 5 billion different userspace ways of doing this and that's much better because...uhm...that's how Linux does it".

Same cannot be said of openbsd implementation.

"I see a Linux person who has not been following what BSD can do."

CARP on OpenBSD is an interface. If it fucks up you destroy the interface and re-create it.

So state syncing is not kernel dependent for operation.

No, it's instead dependent on the application version. Btw, you can run pfsync between kernels of different versions.

Even bgp support also can integrate seamlessly into Linux firewall.


Please give me an example where Quagga/Zimbra/XORP understand VRRP state.

At the end of the day, it's funny how so many Linux fans just can not admit that there are things that Linux isn't the best choice for.

Reply Parent Score: 2