Contributed by grey on from the more news from the freed firmware dept.
Jeremy Andrews of kerneltrap.org has a feature interview with Theo de Raadt regarding the recent push from the OpenBSD community to try and get wireless chipset vendors such as Texas Instruments to open source their firmware. The full story can be found here.
It is also worth noting (and is discussed a bit in Jeremy's interview) that the ath driver was imported with a free Hardware Abstraction Layer (HAL) yesterday. Exciting progress, but what about those TI ACX cards? Bill Carney et al at TI I guess still need encouragement to get on board.
By Nate (24.112.240.105) on
Hell, OpenNTPd has helped too.
By Anthony (68.145.111.152) on
I think the IPF spat raised a lot of eyebrows but it's the very rapid progression of features and capabilities that's gained acceptance for PF and by extension OpenBSD. It went from being a pet project of Theo because he was (perceived as) being a prick to being included by default on all the BSDs, with talk of all of them moving towards it as the default. Also, I read somewhere that the Linux Netfilter people wanted to bring Netfilter up to OpenBSD 3.3 PF equivalent capabilities by 2006 or so, and PF has hardly been sitting still in that time.
I don't know about the security... Linux people are pretty happy with their security capabilities, such as they are.
By Anonymous Coward (67.71.79.67) on
I believe Theo himself has a big and great part of it all. For one, he's the leader just as Linus is to Linux and that's a big needed thing, a leader, and he's a damn good one at that too!
FreeBSD and NetBSD, I've never heard of such a person other than maybe JKH?
In a sense or two, Theo is '[re]defining' standards, security and setting those standards for all other OSS projects as a whole, including proprietary vendors such as Cisco, MS, etc. Some people might think he's an asshole, but he's got a great vision and he sticks to his guns! He deserves a hell of a lot more attention and a shitload more credit - for what he's doing, what he's done and what he will continue to do for us all.
One thing I really like that he said was:
One guy at Intel claims that Mandrake Linux has "signed" this contract. In the past I might have found that fascinating, but increasingly I am not surprised because the corporate ways of Linux vendors are starting to override the Linux idealism.
That's one of the nice things about OpenBSD - OpenBSD *is* FREE. IMHO, too many corporations are destroying the original Linux idealism, whereas OpenBSD will remain OpenBSD.
Don't want to start a war... I might be drunk right now, but I'm just contributing my personal thoughts and opinions here.
By Charles Hill (216.229.170.65) on
Care to back that up, or at least point out a credible source?
Reading through Daniel Hartmeier's Design and Performance of the OpenBSD Stateful Packet Filter (pf) over at http://www.benzedrine.cx/pf-paper.html shows iptables beating pf in every measure: less loss, greater thruput, lower latency, higher maximum packet handling. I believe this document is almost 2 years old, though.
I was looking for a decent comparison of features and wasn't able to find one thru Google. The best I got were anecdotal opinions along the lines of "pf has better syntax but iptables is faster".
While we are moving into winter in the Northern Hemisphere, I haven't heard any reports of hell freezing over so I seriously doubt the Netfilter people said anything along the lines of "we'll catch up to where pf is today sometime around 2006". If so, drug tests would be in order.
Does anyone have a feature comparison list of pf and iptables/netfilter? I am curious as to which does what and why, etc.
-Charles
By baldusi (24.232.81.8) on
Speed with 1.0 pf version versus a relatively mature ipchains is not a fair comparison. But even if it was, speed is not what ipchains was lagging behind. It's features and correctness. So you can't really compare since the statefulness of Linux is not 100% but fuzzily "good enough". The syntax is awful. The nat and routing are not integrated. Bandwidth shaping is not integrated nor as feature rich. There's nothing like tags. There's no CARP. There's a lot of things that are not there. Plain and simple. Go read each documentation and see what I mean.
By sthen (81.168.66.229) on
Of course there's options like packet scrubbing, TCP state modulation (to protect firewalled hosts with poor sequence randomisation), authpf, filtering by uid, filtering by host OS (e.g. 'greylist all port 25 coming from windows but leave Unix alone'), etc. Automatic ruleset optimisation, in more recent versions, too.
I find having the bandwidth management and NAT integrated into the firewall ruleset, with sane syntax, very helpful, too.
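An added example (not from this thread or any poster) of how the features sthen lists look in a pf.conf written in OpenBSD 3.5/3.6-era syntax. The interface name, the server address and the user name are assumptions; greylisting itself (spamd) is left out and the Windows-sourced SMTP connections are simply logged and dropped.

```pf
# Added example, not the thread's own configuration.
# $ext_if and $web_srv are constructed values for illustration.
ext_if  = "fxp0"
web_srv = "192.0.2.10"

# Packet scrubbing: reassemble fragments and normalise packets
# before any filter rule sees them.
scrub in all

# authpf: per-user rules are loaded into these anchors after a
# successful ssh login and removed again at logout.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
anchor "authpf/*"

# Default deny inbound; later matching rules override this one.
block in all

# TCP state modulation: pf rewrites the initial sequence numbers so a
# firewalled host with weak ISN randomisation is not exposed.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA modulate state

# Passive OS fingerprinting: SMTP connections from Windows hosts are
# treated differently from Unix hosts. "quick" makes this rule win
# over the following pass rule for matching packets.
block in log quick on $ext_if proto tcp from any os "Windows" \
    to any port 25
pass in on $ext_if proto tcp from any to any port 25 \
    flags S/SA keep state

# Filtering by uid: only sockets owned by the assumed user "operator"
# may originate outbound ssh from this box.
pass out on $ext_if proto tcp from any to any port 22 \
    user operator flags S/SA keep state
```

Check the syntax against the pf.conf(5) of the release actually in use with `pfctl -nf /etc/pf.conf` before loading it, since the grammar changed between 3.x releases.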
By Matt Van Mater (65.205.28.104) on
I think that there have been significant improvements in the past few years for both iptables as well as pf so this comparison doesn't mean crap. (unless you're running openbsd 3.0, which I hope you're not)
By Matt Van Mater (65.205.28.104) on
One thing you will see on the mailing lists is that there aren't benchmarks because what really matters is how the solution works in your environment with your setup. I know that sounds like a copout, but it makes sense.
You'd need to have a standard procedure for how to generate the traffic, what kind of rules to make (and then you get into semantics of whether rules are identical), how to log the traffic statistics, and most importantly how to interpret the results and identify the causes of the results like Daniel did. You could take it a step further than Daniel took and discuss the hardware involved (ie performance of intel fxp drivers vs realtek rl drivers: there will be a difference between them). Then if you really want to follow good scientific method, every step needs to be documented fully so others can reproduce the tests in their own environment to duplicate the results and verify the analyst's claims.
I personally don't have the time or desire to benchmark PF against a firewalling program that I have no intention of using regardless of the performance results. I think most PF users would agree with me on that point, so I don't think you're going to get a nice writeup like that from someone who actually knows what they're talking about (like Daniel, Henning or Cedric).
By Charles Hill (216.229.170.65) on
Actually, I used that one because it was the only real in-depth document I could find in 15-20 minutes of googling.
I'm not really interested in performance comparisons. I am interested in feature comparisons -- what one does that the other doesn't, etc.
I think I'm just going to have to go through the docs of both and create my own chart.
-Charles
By Anthony (68.145.111.152) on
All I've ever found has been HOWTOs. They tell you how to do X for a small set of common X, but I never found anything resembling a comprehensive manual.
By codguy (66.30.142.180) on
Well, I'm still running v3.1 on a 24/7 connected machine that runs as a simple firewall and serves a bit of static web content. Yes, I've kept my patching up-to-date, but as you can imagine it's getting harder and harder since even v3.4 is now EOL'ed...
I guess that's a testimony to how robust and well-designed OBSD is, but hey, I'm probably preaching to the choir with this.
Yeah, yeah, yeah, I know there are many reasons to upgrade, and I'll probably make some time in the near future to move the machine to v3.6. But it's sure great to be able to connect a machine 24/7, and not worry about it for several years except for some basic patching. Again, probably preaching to the choir with this...
--codguy
By Anthony (68.145.111.152) on
Great. Zealotry.
The fact is that some people don't accept it. It doesn't matter if it makes sense or not because it's the factual truth.
By grey (207.215.223.2) on
The increasing availability of LinuxBIOS from motherboard vendors (Tyan is noteworthy) is laudable, and in a similar way, one might wish to support hardware vendors who cooperate with F/OSS as much as possible; assuming you get the required functionality from such products.