[ale] OpenBSD, FreeBSD

Michael H. Warfield mhw at wittsend.com
Tue Dec 14 19:52:59 EST 1999


On Tue, Dec 14, 1999 at 03:31:21PM -0500, jj at spiderentertainment.com wrote:

> Dave Brooks wrote:

> > the ports tree).  However, OpenBSD is my BSD of choice  -- it's secure
> > out of the box and it's rock-solid.  (Plus, you can't beat that "Armed to the
> > Gills" Blowfish on their t-shirts).  The support community behind OpenBSD is a)
> > small,

	Wouldn't swear to it but it sure looks like they got that from
"Sherman's Lagoon" <www.slagoon.com>.  At least it's awfully similar to
the Blowfish in Toomey's screen saver and occasional comic strip visitor.
Except the blowfish keeps having an unfortunate encounter with a sword
fish...  :-)  I've run into a bunch of people who have the Sherman's
Lagoon screen saver and don't even know where it came from...

> > b) knowledgeable, and c) sometimes a tad abrasive.  This tends to scare

	Theo?  A tad abrasive?  Nah!  :-)  (Duck)

	Not as long as you have a thick skin.  (Duck again)

	For the record, I've shared a few beers with Theo.  I found him
opinionated as I'm sure he found me (If he remembers me at all...  Gets
a bit fuzzy after a few beers at 1AM in a bar in San Antonio).  I don't
agree with all of his opinions and I'm sure he doesn't agree with all of
mine.  He can be real hard on the nerves if you aren't prepared for him
and I can really see where he would scare the bejesus out of newbies.
Don't get into a debate with him unless you are REALLY prepared to defend
your arguments rationally.  Overall...  I like dat man and respect him,
even if I don't agree with him 100%.

> > off some OpenBSD newbies (especially those migrating from the "friendly"
> > linux-community), but as long as you show that you have some sort of a clue,
> > they'll be more than happy to help you out.

> I'm getting back to unix programming and hopefully I can contribute some small
> programs.

> My issue is performance and security, I don't care much about flexibility
> anymore. I like linux because it is alot more friendlier than MS, at least
> with linux you can tell if something failed, in MS you get a GPS. But the
> company I work for has *outgrowed* linux, we have more attacks and different
> stuff.

> My ideal goal by the end of next May is to strip a linux kernel from alot of
> the stuff that I would not normally need on a PII-400 Raid5 Megaraid.
> I looked at the kernel code and I can see it will be if not the biggest task I
> have ever done, the most challenging one.

	I would suggest looking over the Bastille Linux security hardening
script.  They've just released version 1.0 to rave reviews at the SANS
security conference.  This is second hand.  I haven't laid my hands on it
personally, yet.  Planning on it for today or tomorrow so I can incorporate
it into my upcoming security tutorials at LinuxWorld.  :-)  You might also
want to look at the LIDS (Linux Intrusion Detection System) project but
I'm not as comfortable with the direction that's going in (some of their
stuff interferes with dynamic firewalls) and it's got a ways to maturity.

> I would think that the *BSD is alot faster than Linux?  No?

	Why would you think that?  I know of a lot of people who think just
the opposite.  And *BSD is almost an oxymoron in and of itself because of
the differences between the BSDs.

	Define "alot".  I've been seeing "a LOT" of fuzzy meaningless
buzz-terms like "blows the socks off" and "alot faster" in this thread.
I've been wondering if the list suddenly got inhabited by a bunch of
marketdroids or used car salesmen.  :-/

	FreeBSD has made claims that they have a higher performing TCP
stack than Linux and have some numbers to back it up.  Those same numbers
tell me that unless you are bidding a loaded OC-48 or better, you are
unlikely to see much of a difference and even then not much.  NFS is a
different matter and if you are using the user space NFS daemon, Linux is
not going to come out looking all that great.  The kernel land nfs stuff
rocks pretty good though.

	Note:  FreeBSD != OpenBSD

	I'm unaware of anyone making similar performance claims for OpenBSD.
There have been some discussions about whether OpenBSD was faster than
Linux for network sniffing IDS (Intrusion Detection Systems) products such
as NetRanger or the ISS RealSecure (neither are officially on Linux).  Those
discussions got into esoteric packet sniffing issues such as user/kernel
transitions, task switches, multipacket transfers in the BPF, etc.  If you
are on that level of nits to pick, you probably don't need help from this
list.  Marcus has his opinion on that, Alan Cox has his, and both can back
them up.  So you pays your nickel and you takes your chance.  Chances are,
most of us couldn't measure the difference if our lives depended on it.

	OpenBSD most definitely rolls out of the box in a much more secure
state than the vast majority of Linux distros.  I'm hoping that a combination
of code audits from RedHat et al, plus the Bastille Linux hardening scripts,
plus the efforts of the other secure Linux projects will give us something
along the same lines for Linux now.  Loosening of the crypto regs (RSN...
the drafts are posted and there's already been talk of crypto in the kernel
sources) will also go a long way toward that end.  OpenBSD comes out of
Canada and they've been able to roll hardened crypto into the package for
some time now (this is NOT true of FreeBSD).

	Security also depends a lot on your ability to manage the system.
I find the Linux systems much easier to manage than the BSD systems.  Maybe
it's because I'm more used to the Linux stuff, maybe it's because there are
more administrative tools out there for Linux, maybe some of it's the
difference in little things like the SysV init vs the BSD init.  I personally
favor the SysV init so I don't have 200 different customised rc scripts
on 200 different servers.  That's also why I dumped Slackware and started
using RedHat ages ago (because of managing the rc scripts on dozens, if not
hundreds of SLIGHTLY different servers).  Maybe it's because I think PAM
rocks and platform specific stuff like you get on OpenBSD is a pain in the
ASS in mixed environments (said as he dons his asbestos underwear ready for
the anti-pam bigots who just click the safeties off their flame throwers).
Until you use it and manage it in your environment, what we say one way or
the other is going to have little impact on what you experience.

	I have Linux, FreeBSD, and OpenBSD (and SCO Unix, and Solaris, and
Solaris x86, etc, etc) running side by side, here at home and at the office.
I LIKE Linux.  FreeBSD and OpenBSD are perfectly acceptable with no
prejudice against them or anyone that uses them in preference to Linux.
But, realistically, none of them (Linux, OpenBSD, or FreeBSD) really blow
the other two out of the water in security, reliability, or performance.
The human factor there is just too big.

> Thx :)


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.