“I’m busy and want to sleep soundly and not with one eye on my internet-exposed hosts. Therefore I picked OpenBSD 3.5 as the operating system for the firewalling router handling my new home office connection.” Read the article at ComputerWorld.
If you rely on an OpenBSD firewall only, you are not secure.
Your applications, server or otherwise, which pass through the firewall (which some must, otherwise why are you connected to the internet?) must also be secure, and then in turn the OS these apps run on, and then also the users who use these systems.
Firewalls don’t cure security problems.
What is the upgrade process for OpenBSD? I keep hearing how great OpenBSD is, but from what I read on the web site they only support releases for about a year. That means upgrading often. How does one handle the upgrades? It seems like it would be a huge pain to get to a machine once a year if it’s off in a remote location.
If you are interested in OpenBSD you should probably pick up Absolute OpenBSD as a reference… it explains everything including how to set up Open for easy upgrades etc. There is always the FAQ on the website too… but if you don’t have more than one computer at the time you may just want to have a handy book around 😉
Isn’t PF also in FreeBSD? So isn’t the ‘PF’ advantage not relevant when comparing OpenBSD to FreeBSD?
Nothing to say about patch management though, just curious about PF.
Some would say that pf is “strongest” on its native platform – smaller vector for bugs, reviewed by its native developers and first to receive the latest features (FreeBSD is still integrating ALTQ into 5.x). The presence of PF is not so much relevant when comparing OpenBSD and FreeBSD, but it is relevant when comparing firewall offerings on the two platforms.
“What is the upgrade process for OpenBSD?”
Toss in a floppy/CD-ROM, select upgrade, wait a short while, done. Also possible with chroot.
“I keep hearing how great OpenBSD is but from what I read on the web site they only support releases for about a year. That means upgrading often. How does one handle the upgrades?”
They indeed support releases for (almost) exactly a year, since they release every half year. So when 3.5 came out 3.3 became unsupported, and 3.4 will be unsupported when 3.6 comes out (November iirc).
“It seems like it would be a huge pain to get to a machine once a year if it’s off in a remote location.”
I basically agree it isn’t easy nor pleasant in some situations. Upgrading a Linux kernel remotely, however, isn’t pleasant either.
“Isn’t PF also in FreeBSD? So isn’t the ‘PF’ advantage not relevant when comparing OpenBSD to FreeBSD?”
Yes, PF is ported to FreeBSD and NetBSD. These ports lag behind a little bit. It depends on what features you need. Afaik PF and its ports are pretty complete now. OpenBSD is also the main development target OS. Also, when you want to run PF on FreeBSD (NetBSD: dunno) you’ll need to compile the module, and when you want ALTQ you’ll need to recompile your kernel as well. All that might lead to theoretical or practical advantages when using OpenBSD, while other (dis)advantages also influence the choice; the choice of running OpenBSD, or not, doesn’t solely rely on PF.
One of the really nice things about OpenBSD is that most of the drivers are included in the GENERIC kernel, meaning that things just work out of the box.
Take sound for example. Under FreeBSD and DragonFly (not sure about NetBSD as it’s been a while since I’ve used it), you are required to do one of three things in order to get sound working.
1) kldload snd_whatever
2) add snd_load_whatever=”YES” to /boot/loader.conf
3) recompile the kernel with ‘device pcm’
None of those three options are too terribly hard, but with OpenBSD the sound drivers are built right in, and things like KDE will work happily with them right from the first time you install it.
Nice thing is, that it’s not just sound card drivers that are built in, but also things like IPsec and pf – things that would require a recompile under the other BSDs.
Just something to think about.
Heh. I had a stupid moment.
add snd_whatever_load=”YES” to /boot/loader.conf
I think you are understating what a firewall does for you. Sure, the application you have opened up your firewall to use needs to be secure, but all the holes in the OS are covered by the firewall and are protected.
For example, the Welchia worm ran rampant throughout the company I work for a little less than a year ago. Everybody was hit except me (running an OpenBSD and pf firewall in front of my Windows machines) and the three Linux developers (for obvious reasons).
The way you stated your post, it sounds like a firewall means nothing unless your apps and client OS are secure. This just isn’t true. 100% security is probably impossible to attain, but a correctly configured pf firewall on OpenBSD will get you most of the way there.
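To make “a correctly configured pf firewall” concrete for the home-office router the article describes, here is an added example ruleset written by the editor in OpenBSD 3.x-era pf.conf syntax; it is not from the article, from the commenters, or from the OpenBSD project. The interface names (fxp0, fxp1) and the internal network (192.168.1.0/24) are assumptions. The design is the one the thread argues about: default deny, NAT for the inside hosts, state tracking for outbound traffic, and nothing reaching the Windows machines from the outside unless a session was opened from inside.

```pf
# /etc/pf.conf -- added example, assumed interface names and addresses
ext_if = "fxp0"              # assumption: interface facing the ISP
int_if = "fxp1"              # assumption: interface facing the office LAN
int_net = "192.168.1.0/24"   # assumption: the office LAN

# Private address space that must never arrive on or leave via the
# external interface (spoofed or leaked traffic).
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Normalise fragments and odd TCP flag combinations before filtering.
scrub in all

# Hide the internal hosts behind the external interface's address.
# Parentheses make pf re-read the address if it changes (DHCP/PPP).
nat on $ext_if from $int_net to any -> ($ext_if)

# Default policy: drop and log everything not explicitly allowed.
block in log all
block out log all

# Loopback is trusted.
pass quick on lo0 all

# Reject packets whose source address does not belong on the
# interface they arrived on.
antispoof quick for { lo0, $int_if }

# Private addresses on the outside are always bogus.
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>

# Inside hosts may open connections to the internet; the state entry
# lets the replies back in, so no "pass in on $ext_if" rule is needed
# for them. "flags S/SA" means only a SYN may create TCP state.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

# Management of the router itself: SSH from the LAN only. There is
# deliberately no SSH rule on $ext_if.
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh \
    flags S/SA keep state

# Answer ping from the outside (optional; drop this rule to go dark).
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Before loading this on a remote box, check the syntax with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded); then `pfctl -f /etc/pf.conf` loads it and `pfctl -e` enables filtering. `pfctl -sr` shows the rules as pf understood them and `pfctl -ss` the current state table, which is the quickest way to confirm that an inside host’s connection created state and an outside probe did not. The point the commenters make still stands: once you add a `pass in on $ext_if ... port 80` rule for a server, that server and its OS are on their own.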
There’s a pf port for FreeBSD 5.x. As for -current, it’s in the base system already. I’m here (-current) using it without any problems. Feels quite like ipfilter, but much cleaner and more flexible IMO.
Give it a shot if you’re in the mood for changing your firewall/NAT facility (probably along with your OS?). [Oh.. that horrible iptables syntax..]
“There’s a pf port for FreeBSD 5.x. As for -current, it’s in the base system already. I’m here (-current) using it without any problems. Feels quite like ipfilter, but much cleaner and more flexible IMO.”
Does -current version include AltQ support in PF?
Take sound for example. Under FreeBSD and DragonFly (not sure about NetBSD as it’s been a while since I’ve used it), you are required to do one of three things in order to get sound working.
1) kldload snd_whatever
2) add snd_load_whatever=”YES” to /boot/loader.conf
3) recompile the kernel with ‘device pcm’
I didn’t have to recompile my kernel on FreeBSD to get sound working. I just added snd_ich_load=”YES” to /boot/loader.conf
My point was that it’s not out of the box on FreeBSD, and is in OpenBSD. In FreeBSD and DragonFly you have to go out of your way to enable it, whereas under OpenBSD you don’t do f*ck all after the install for it to work.