OpenBSD celebrated release 3.5 on 1 May 2004. In honor of this release, Federico Biancuzzi interviewed the developers of OpenBSD’s PF, a powerful and flexible packet filtering interface. This is the second half of that interview. Elsewhere, the DaemonNews Ezine was released with new articles.
there is no question that these dudes rock.. PF is by far the best stateful p filter.. sorry cisco you may be a close 3rd.. all I ask is if there would be an easier way to see the log files.. like a pftop tool.. scripts are cool to do a tcpdump yada.. yada.. yad.. but it would be nice..
KEEP UP THE OUTSTANDING WORK.. me emb3dd3d
PF is an awesome piece of software, but either the team just isn’t interviewable or the questions were wrong — it’s hard to find anything of substance in the interview.
I thought it was a great interview. A great continuation of the first part.
You did read all four pages, didn’t you?
these guys are some of the best developers in the world
I found it a great interview because I obtained loads of knowledge I otherwise had to obtain via CVS logs, ICB, mailing lists and Undeadly.org. This simply saved loads of time.
In 15 minutes you get enlightened about the new features in PF*, problems the developers stumbled upon, possible future features and details about the development process. Great, IMO.
(*) and PF-related programs such as packet sniffers, IDS, etc.
One point of criticism: they mentioned Soekris. The company which develops the Soekris boxes is one Wim Vanderputte is IIRC working for. They didn’t mention the ViaC3 which is at least as interesting, if not more interesting.
Of course there’s a correlation between my PF interest, current knowledge about PF and my value of the interview.
… is a good comparison between pf, ipf, ipfw, iptables, iptables+ebtables, and ipchains
I want to know what each can and can’t do without having to learn all of them so I can see for myself.
I have googled for it in the past and came up empty, but I think I will google for it again for good measure :)
You won’t find one for a long time. Many people request such things, but they are a waste of time to the people that use these firewalls, as it will not change their mind as to which is better.
It requires someone like you to do these things, those that already know how to use multiple firewalls have already decided which they prefer and do not need such a study.
So few who claim they love security don’t use OpenBSD but some other choice for OS? I mean is it because they simply are without knowledge about how to use a *Nix of OBSD’s level? Geee I hear a lot of people saying “use linux this, use linux that, it’s so secure” wouldn’t they just be better off using OpenBSD?
I find this fact odd…
I guess it’s probably because those people just follow the crowd or probably use whatever is easier/familiar to them. That choice of OS might be MS Windows, or it might be Linux. Although, I would really question the sanity of someone using MS Windows for anything security related. I mean, really!
I’m sure Linux can be just as secure as OpenBSD, but I still don’t trust it. That’s just my personal opinion. There are distributions that are security focused, but if the OS isn’t built for security from the ground up then I’m still not going to trust it.
OpenBSD has a very strong focus on security and clean, correct code. This is something that should be on people’s minds when they look for an OS to handle security related functions. The OpenBSD team builds the OS from the ground up to be as secure as possible. That’s very important and something that people should take into consideration.
So why is it that people choose other OSes over OpenBSD, or any of the other BSDs for that matter (even their security record is better than most other OSes)? I think it’s due to ignorance and possibly FUD. Don’t get me wrong, ignorance isn’t necessarily a bad thing. Everyone is ignorant about something. We can’t know it all. All I’m saying is that they just don’t know enough about the BSDs to really understand how good they are.
Will this ever change? I doubt it. Maybe one day the BSD crowd will stop being so quiet and make some noise so that people will get the message.
“So few who claim they love security don’t use OpenBSD but some other choice for OS?”
Obviously because there are other reasons why one wouldn’t choose OpenBSD. The reasons differ, but they’re there. Whether they’re valid or not (== opinion) and what they are I leave aside because that’s beside the point and is most likely flamebait anyway. There’s enough Google food about it already.
I’ll name one which is sometimes overlooked. In the past, OpenBSD didn’t have certain security features which were already in Linux/FreeBSD/NetBSD. For example verified exec (VX), a W^X-like implementation, stack protector, etc. No, please don’t mention Stephanie…