Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman
On Wed, Oct 12, 2016 at 07:16:47AM -0400, John Newman wrote:
> >> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
> >> dropped by Open and Dragonfly BSD, for license and
> >> other reasons, including being a dead project.
> >> last release: e9d51c6e58f549c4ab499254c81c90d2
> >> 
> >> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
> >> NPF is Net's, IPFW3 is Dragon's. All actively maintained
> >> by their own communities. PF is ported to all.
> > 
> > Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you 
> > want to call it.
> > 
> > Pf has made some nice improvements in the years since, but there is no 
> > doubt it started as a clone of IPF so Theo could include the superior 
> > software firewall mechanism in openbsd without the license restrictions.
> > 
> > 
> > John
> 
> I've always thought the IPFW mechanism in FreeBSD was crap, compared to 
> IPF/PF, just as an aside... 
> 
> Years ago IPF was actually also ported to Solaris and Linux. I used it on 
> some Sun boxes when I was just a little guy a long fucking time ago.  
> 
> 
> John
> > 
> 

Off-topic - I can't stand the way the phone email clients I habitually
use format email. The results come out looking horrible. It's rare
that I have a chance to reply to the list from an actual computer
(generally I'm too busy when I'm in front of a real computer)...

Anyway, I suppose I could start using mutt on android :P 


John




Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman

> On Oct 12, 2016, at 7:04 AM, John Newman  wrote:
> 
> 
>>> On Oct 12, 2016, at 12:48 AM, grarpamp  wrote:
>>> 
>>> On Tue, Oct 11, 2016 at 2:28 PM, John Newman  wrote:
>>> Yes I use FreeBSD 10
>>> it has supported PF
>>> for a long time, which it basically stole from
>>> openbsd (who stole it from Darren Reed).
>> 
>> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
>> dropped by Open and Dragonfly BSD, for license and
>> other reasons, including being a dead project.
>> last release: e9d51c6e58f549c4ab499254c81c90d2
>> 
>> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
>> NPF is Net's, IPFW3 is Dragon's. All actively maintained
>> by their own communities. PF is ported to all.
> 
> Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you want 
> to call it.
> 
> Pf has made some nice improvements in the years since, but there is no doubt 
> it started as a clone of IPF so Theo could include the superior software 
> firewall mechanism in openbsd without the license restrictions.
> 
> 
> John

I've always thought the IPFW mechanism in FreeBSD was crap, compared to IPF/PF, 
just as an aside... 

Years ago IPF was actually also ported to Solaris and Linux. I used it on some 
Sun boxes when I was just a little guy a long fucking time ago.  


John
> 



Re: FreeBSD 11.0 Released

2016-10-12 Thread John Newman

> On Oct 12, 2016, at 12:48 AM, grarpamp  wrote:
> 
>> On Tue, Oct 11, 2016 at 2:28 PM, John Newman  wrote:
>> Yes I use FreeBSD 10
>> it has supported PF
>> for a long time, which it basically stole from
>> openbsd (who stole it from Darren Reed).
> 
> No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
> dropped by Open and Dragonfly BSD, for license and
> other reasons, including being a dead project.
> last release: e9d51c6e58f549c4ab499254c81c90d2
> 
> PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
> NPF is Net's, IPFW3 is Dragon's. All actively maintained
> by their own communities. PF is ported to all.

Right, but all the SYNTAX was stolen from IPF.  Or copied. Whatever you want to 
call it.

Pf has made some nice improvements in the years since, but there is no doubt it 
started as a clone of IPF so Theo could include the superior software firewall 
mechanism in openbsd without the license restrictions.


John




Re: FreeBSD 11.0 Released

2016-10-12 Thread grarpamp
On Tue, Oct 11, 2016 at 1:08 PM, Tom  wrote:
> You didn't ask, but: if you ever use FreeBSD for a longer time, you'll
> never go back to Linux. At least not voluntarily :)

Many don't get that the Linux "distros" are often just that,
distributions... of the same damn thing... they make some app
bundling and packager choices but that's about it. Except for
the commercial ventures like RedHat which do contribute sizeable
raw development.
Whereas the BSD's all picked something long ago and generally
stick with it to this day, with blending across them...
Open - secure, free
Free - serving, all around utility, hardware, storage
Dragon - clustering
Net - platforms including your toaster

> In the end you'll need to compare them yourself, features, policies,
> hardware support, security, whatever.

That's the key as always. Someone really needs to
maintain a giant wiki table with this and the bsd's.


Re: FreeBSD 11.0 Released

2016-10-12 Thread Tom
On Wed, Oct 12, 2016 at 02:18:40AM -0400, grarpamp wrote:
> > Also of note that GNU also has its own kernel, Hurd (microkernel-based),
> > which is still under development a couple of decades later.
> 
> So is plan9 and a bunch of other stuff that still hasn't
> gone anywhere. Oh well.

But don't worry, it's already scheduled for 2057. Be prepared ...



- Tom


Re: FreeBSD 11.0 Released

2016-10-12 Thread grarpamp
On Wed, Oct 12, 2016 at 2:04 AM, Shawn K. Quinn  wrote:
> It is important not to confuse Linux, the kernel, with GNU, the actual

I don't. Sure there's bsd-gnuland and linux-bsdland hybrids now too.
Yet to a bsd user, the linux kernel is the most visible trackable thing
to them guiding what they can do with any linux (even though to match
a bsd base you have to pack at least binutils and glibc to linux kernel...
but that's mostly moot herein).

> Also of note that GNU also has its own kernel, Hurd (microkernel-based),
> which is still under development a couple of decades later.

So is plan9 and a bunch of other stuff that still hasn't
gone anywhere. Oh well.


Re: FreeBSD 11.0 Released

2016-10-12 Thread Shawn K. Quinn
On Wed, 2016-10-12 at 01:50 -0400, grarpamp wrote:
> Linux is on its own M.m.r release model.

It is important not to confuse Linux, the kernel, with GNU, the actual
operating system. Linux, the kernel, and GNU, the operating system, are
developed mostly independently of each other. Technically, there is no
requirement that one run only a GNU variant under Linux, the kernel, or
that GNU must run only under Linux, the kernel (in fact there is or at
least was a port of GNU to the FreeBSD kernel at one time).

Also of note that GNU also has its own kernel, Hurd (microkernel-based),
which is still under development a couple of decades later.

-- 
Shawn K. Quinn 



Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
>>> 0 * * * * cd /usr/src && make world
>
> Looks really promising. Doing something like this automatically on the
> Linux Kernel + monkey patching, would probably break in the first try.

Open uses continuous integration, they're picky about it.
Free spreads the same idea across whatever RELENG_M
branches are open... 9,10,11 right now, and adds release
branches. Linux is on its own M.m.r release model.
It's all pretty reliable so long as you look over your
output to detect relatively rare build fail.

> Same goes with the Gentoo port system.

Ports on any os seem like they will always be spotty,
far too many dependencies and upstream change.
That's more or less expected.


Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
On Tue, Oct 11, 2016 at 2:28 PM, John Newman  wrote:
> Yes I use FreeBSD 10
> it has supported PF
> for a long time, which it basically stole from
> openbsd (who stole it from Darren Reed).

No. Ipfilter (aka: Ipf) is Darren's / Phil's and has been
dropped by Open and Dragonfly BSD, for license and
other reasons, including being a dead project.
last release: e9d51c6e58f549c4ab499254c81c90d2

PF (packet filter) is Open's, IPFW2 (ipfirewall) is Free's,
NPF is Net's, IPFW3 is Dragon's. All actively maintained
by their own communities. PF is ported to all.


Re: FreeBSD 11.0 Released

2016-10-11 Thread Ben Mezger
Thanks Tom, I will look into it more and perhaps give it a try. OpenBSD
has lots of packages, but unfortunately not the ones I really need.

>> Oh - and not caring about security doesn't lead to an insecure system
>> necessarily. Many years ago we made an audit of some BSDi machine: it
>> had all patches installed and was top secure. However, nobody had been
>> logged in for a couple of years. So, why was it so secure? Because:
>> 
>> 0 * * * * cd /usr/src && make world

Looks really promising. Doing something like this automatically on the
Linux Kernel + monkey patching, would probably break in the first try.
Same goes with the Gentoo port system.

On 11/10/16 15:43, Tom wrote:
> On Tue, Oct 11, 2016 at 02:13:28PM -0300, Ben Mezger wrote:
>> As I am still trying to understand OpenBSD's core, is there a main reason
>> I should check out FreeBSD (except the reasons you pointed out)?
> 
> In the end you'll need to compare them yourself, features, policies,
> hardware support, security, whatever.
> 
> I just happen to like FreeBSD more and Theo de Raadt less :)
> 
>> How is the default security on FreeBSD?
> 
> Why, pretty good I'd say. 
> 
>> "FreeBSD devs don't really care much about security as much as they should"
>> How true is this statement?
> 
> Replace "FreeBSD Users" with "human beings" and the sentence might be
> true. Of course there are uncaring FreeBSD users, as are uncaring
> Windows, OSX or OpenBSD users.
> 
> Oh - and not caring about security doesn't lead to an insecure system
> necessarily. Many years ago we made an audit of some BSDi machine: it
> had all patches installed and was top secure. However, nobody had been
> logged in for a couple of years. So, why was it so secure? Because:
> 
> 0 * * * * cd /usr/src && make world
> 
> :-)
>  
>> 1. How does FreeBSD handle ASLR? If any, does it use SEGVGUARD?
>> 3. How about W^X?
>> 4. Trusted Path Execution?
> 
> I'm not sure about all those things, google will help you with details.
> Maybe HardenedBSD, NetBSD or - as you're already using - OpenBSD might
> be better suited from this perspective.
> 
>> 2. How easy can I sandbox software? Using jails only?
> 
> There's bhyve. I use jails and am very happy with it.
> 
> 
> 
> - Tom
> 

-- 
Kind Regards,
Ben Mezger

Met vriendelijke groet,
Ben Mezger


Re: FreeBSD 11.0 Released

2016-10-11 Thread Tom
On Tue, Oct 11, 2016 at 02:13:28PM -0300, Ben Mezger wrote:
> As I am still trying to understand OpenBSD's core, is there a main reason
> I should check out FreeBSD (except the reasons you pointed out)?

In the end you'll need to compare them yourself, features, policies,
hardware support, security, whatever.

I just happen to like FreeBSD more and Theo de Raadt less :)

> How is the default security on FreeBSD?

Why, pretty good I'd say. 

> "FreeBSD devs don't really care much about security as much as they should"
> How true is this statement?

Replace "FreeBSD Users" with "human beings" and the sentence might be
true. Of course there are uncaring FreeBSD users, as are uncaring
Windows, OSX or OpenBSD users.

Oh - and not caring about security doesn't lead to an insecure system
necessarily. Many years ago we made an audit of some BSDi machine: it
had all patches installed and was top secure. However, nobody had been
logged in for a couple of years. So, why was it so secure? Because:

0 * * * * cd /usr/src && make world

:-)
 
> 1. How does FreeBSD handle ASLR? If any, does it use SEGVGUARD?
> 3. How about W^X?
> 4. Trusted Path Execution?

I'm not sure about all those things, google will help you with details.
Maybe HardenedBSD, NetBSD or - as you're already using - OpenBSD might
be better suited from this perspective.

> 2. How easy can I sandbox software? Using jails only?

There's bhyve. I use jails and am very happy with it.



- Tom


Re: FreeBSD 11.0 Released

2016-10-11 Thread grarpamp
>> ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/
>
> crypto signature and downloading the checksums from the same (possibly

They're in the release announcement linked in OP.

As I've said before, FreeBSD has issues with strong cryptographic
provenance, stemming from their choice of repo, on out to iso's and
packages. But they're getting better fast. ie: They're almost, if not
100%, reproducible builds now... see new flags to ar(1) for a simple
example, commitlogs 'reproducible'.

> As an aside, why do big vendors choose linux (android, wireless routers,
> etc) instead of the permissive BSD license (do the fuck what you want,
> no GPL, no Stallman)? (BSD appears to support less hardware, but for a few
> bucks this can be solved).

Vendors are cheap, including not paying devs to "do the fuck they want",
so they choose whatever licence won't get them sued (either is fine),
and whatever os has been cobbled together for their hardware, and
is known to the vendor's cobbled-together team. That's usually linux,
or windows.
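
An added example, not part of the original thread and not FreeBSD's own tooling: one way to act on the checksum exchange above is to take the expected SHA256 from a saved copy of the release announcement, obtained separately from the FTP mirror, and compare it with the downloaded image. The file names, the `verify_image` helper and the sample data are assumptions made for illustration; the announcement's PGP signature is assumed to have been checked beforehand.

```shell
#!/bin/sh
# Added example. Assumes announce.txt is a saved copy of the release
# announcement whose PGP signature was already checked (e.g. gpg --verify).

# Print the SHA256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD base utility
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Print the expected hash(es) for one file name from BSD-style lines:
#   SHA256 (name) = hex
expected_sha256() {   # $1 = announcement file, $2 = image file name
    awk -v name="$2" '$1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" {
        print tolower($4) }' "$1" | sort -u
}

# Return 0 on match, 1 on mismatch, 2 if no entry, 3 if entries conflict.
verify_image() {      # $1 = announcement file, $2 = path to image
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    [ -n "$want" ] || { echo "no SHA256 entry for $name" >&2; return 2; }
    n=$(printf '%s\n' "$want" | awk 'END { print NR }')
    [ "$n" -eq 1 ] || { echo "conflicting entries for $name" >&2; return 3; }
    got=$(sha256_of "$2")
    if [ "$got" = "$want" ]; then echo "OK $name"; return 0; fi
    echo "MISMATCH $name: expected $want, got $got" >&2
    return 1
}

# Demo on constructed data (not real FreeBSD images or checksums).
demo() {
    d=$(mktemp -d)
    printf 'constructed image bytes\n' > "$d/sample.iso"
    printf 'SHA256 (sample.iso) = %s\n' "$(sha256_of "$d/sample.iso")" > "$d/announce.txt"
    verify_image "$d/announce.txt" "$d/sample.iso" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```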


Re: FreeBSD 11.0 Released

2016-10-11 Thread Georgi Guninski
On Tue, Oct 11, 2016 at 01:50:20AM -0400, grarpamp wrote:
> Alternative OS news [not Windows, not Linux]...
> 
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/

Nice to see open source competition :)

How do I verify the ISOs from the above plain ftp url, there is no
crypto signature and downloading the checksums from the same (possibly
owned) site doesn't make much sense.

As an aside, why do big vendors choose linux (android, wireless routers,
etc) instead of the permissive BSD license (do the fuck what you want,
no GPL, no Stallman)? (BSD appears to support less hardware, but for a few
bucks this can be solved).


Re: FreeBSD 11.0 Released

2016-10-10 Thread grarpamp
https://www.freebsd.org/ports/


FreeBSD 11.0 Released

2016-10-10 Thread grarpamp
Alternative OS news [not Windows, not Linux]...

https://www.freebsd.org/releases/11.0R/announce.html
https://www.freebsd.org/releases/11.0R/relnotes.html
https://www.freebsd.org/features.html
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
https://forums.freebsd.org/
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.0/