On 30 Mar 2004, Jon Carnes wrote:

> OpenBSD firewalls now have redundant fail-over built into them. The
> protocol used for linking the redundant fail-over firewalls is CARP
> (Common Address Redundancy Protocol).

CARP is of course one of the major highlights of the upcoming 3.5 release. But there are others. 3.5 has reignited my interest in OpenBSD (recompiling my system just to patch it and lack of PAM/nsswitch is what puts me off).

There were some nice changes to pf (OpenBSD's firewall... like iptables if you're only exposed to Linux... but arguably much more feature rich than its Linux counterpart). Some great load balancing stuff was added to pf in the 3.5 release. You now have a "sticky address" which lets you redirect ports on a round robin basis, but have a source hash to set an affinity between a source and destination. pfsync lets you synchronize the state tables between a number of firewalls that are working in parallel so you can effectively load balance your firewalls without disrupting established stateful connections.

The great spamd daemon now supports greylisting (this alone is enough to get me to upgrade).

BGP daemon is now built in (another great reason to upgrade).

pgrep and pkill. I take these for granted on Linux and utter expletives when they are on my other *NIX systems. Now they are on OpenBSD as of 3.5.

Huge improvements to TCP/IP stack. I'd love to see some before & after performance benchmarks.

Quoting directly from the features page: "OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold)." Wow.

Firefox is now bundled.

For non x86 architectures gcc 3.3.2 is now included with ProPolice support. x86 does not lend itself well to extensions like ProPolice so that arch is still at gcc 2.95.3.

A bunch of neat OpenSSH features are added. sshd can now force an incoming client to change their expired password. You can put host keys in DNS now, also.

See the full list for yourself at http://openbsd.org/35.html
