class: center, middle

# OpenBSD 6.8 and you

## How to have fun with the world’s most important free software project

[![OpenBSD 6.8 Puffy](puffy68.gif)](https://www.openbsd.org/)

This presentation: [home.nuug.no/~peter/openbsd_and_you_68/](https://home.nuug.no/~peter/openbsd_and_you_68/)

---

# The World’s Most Important Free Software Project

[OpenBSD](https://www.openbsd.org/) has been around for 25 years (started October 1995)

* OpenBSD is *[proactively secure](https://www.openbsd.org/security.html#goals)* with only 2 remote holes in the default install in 20+ years
* OpenBSD pioneered and is still leading in *[code audit](http://www.openbsd.org/security.html#process)*
* OpenBSD has all security enhancements *[enabled by default](http://www.openbsd.org/security.html#default)*; hard to disable
* OpenBSD is open source, free software and enables *[independent verification](http://www.openbsd.org/security.html#watching)* (should be a strong hint for app developers too)

---

# The World’s Most Important Free Software Project

* OpenBSD has a high-profile quality image based on code quality and real-world use
* OpenBSD is upstream (origin) for several widely used pieces of software (OpenSSH, OpenBGPD, PF, OpenSMTPD, LibreSSL, iked, mandoc and others; for the complete list see [www.openbsd.org/innovations.html](https://www.openbsd.org/innovations.html))
* OpenBSD has been ‘growing up in public’ with code generally accessible via [anonymous CVS](https://www.openbsd.org/anoncvs.html) (the first of its kind) since 1995 – transparent process, development discussions on the public tech@ mailing list

---

# whoami (Who am I?)

Peter N. M. Hansteen
OpenBSD user since OpenBSD 2.5 (1999)

Security Engineer -- Unix/Linux sysadmin, networker

Wrote [The Book of PF](https://www.nostarch.com/pf3) based on experience and conference lectures (tutorials)

Blog at [bsdly.blogspot.com](https://bsdly.blogspot.com) about (lack of) sanity in IT

Yes, I'll do another book any decade now

---

# What is OpenBSD?

Welcome to OpenBSD: The proactively secure Unix-like operating system.

(from the default /etc/motd)

[www.openbsd.org](https://www.openbsd.org/)

Motto: Free, functional, secure (also: Secure by default)

---

# You are already an OpenBSD user!

You may not know it, but you are. OpenBSD code is in

* macOS, iOS
* Blackberry
* Android
* Solaris
* Cisco networking products (and likely others)
* All Linux distributions, all Unixes

... and Microsoft put [OpenSSH](https://www.openssh.com/) in base on recent Windows versions

The next 15+ slides slant technical, but don't wander off just yet ...

---

# Why use OpenBSD? Proactive security

*All of these have been [enabled by default](http://www.openbsd.org/security.html#default) for 10+ years:*

**Exploit mitigation**

* *Address space randomization* (aka ASLR) - no fixed jump targets or gaps
* *W^X* - memory can be writable XOR executable, never both at once
* *Guard pages* - 'fence-like' unreadable, unwritable page after [malloc()](http://man.openbsd.org/malloc)ed chunks, detects overruns
* *Privilege separation* - daemons run the bulk of their code as different non-privileged users (most in a chroot without a shell); [sshd](https://man.openbsd.org/sshd) was the first, the rest followed
* *Privilege revocation* - privsep'd daemons drop privilege as soon as possible

---

# Why use OpenBSD?
Proactive security (cont)

**Exploit mitigation (cont)**

* *chroot* jail -- daemons run in a restricted environment ($HOME /var/empty, no shell)
* *ProPolice* - random stack gap inserted, attacks relying on fixed return addresses fail

Newer developments include:

* OpenBSD 5.9 introduced the *[pledge(2)](https://man.openbsd.org/pledge)* syscall to restrict program behavior to a predeclared profile
* OpenBSD 6.2 introduced *KARL* (kernel address randomized link) - the kernel is relinked with a randomized layout for each boot, see the [undeadly.org article](http://undeadly.org/cgi?action=article&sid=20170613041706) or the [tech@ message](https://marc.info/?l=openbsd-tech&m=149732026405941) (kernel object files grew base by ~300MB)
* OpenBSD 6.4 introduced the *[unveil(2)](https://man.openbsd.org/unveil)* syscall to restrict file system access to a predeclared profile

*"Where it is possible to spot damage, fail hard"*

---

# OpenBSD: A short history

Descended from 'BSD Unix' - Berkeley Software Distribution

BSD lived at the CSRG, UC Berkeley from 1974 (also Ken Thompson's 1975 sabbatical) -> active development until c 1992

BSD was the home of the TCP/IP reference implementation

CSRG's DARPA research funding ended c 1992; the initial 386BSD (Jolitz et al 1991-1992) spawned [FreeBSD](https://www.freebsd.org/) (BSD on PC architecture) and [NetBSD](https://www.netbsd.org/) (BSD on anything), BSDI (commercial - 1-800-ITS-UNIX generated the USL vs BSDI lawsuit, settled 1994)

[OpenBSD](https://www.openbsd.org/) forked from NetBSD in 1995 (tree created Oct 18, 1995)

The first project to provide [anonymous, public CVS](http://www.openbsd.org/anoncvs.html) - *See code change in real time!*

---

# OpenBSD: Recent history

*Release every six months* (May and November), most recently [OpenBSD 6.8](https://www.openbsd.org/68.html) October 18, 2020 (49th release, 25 years).

Emphasis on security and usability (yes, devs run it on their laptops).
Home of several popular portable products (sub-projects):

* OpenSSH (ssh everywhere, 97% market share)
* OpenNTPD (network time daemon)
* OpenBGPD (routing daemon)

(continues ...)

---

# OpenBSD: Recent history (cont)

Home of several popular portable products (sub-projects):

* PF ('firewall' - packet filter plus tools)
* OpenSMTPD (Mail server)
* OpenIKED (VPN key exchange)
* LibreSSL (libtls - [remember Heartbleed?](https://www.youtube.com/watch?v=GnBbhXBDmwU))

Also OpenBSD httpd, dhcpd, the ipsec tools suite; full list at [www.openbsd.org/innovations.html](https://www.openbsd.org/innovations.html)

Also invented hackathons - [www.openbsd.org/hackathons.html](https://www.openbsd.org/hackathons.html)

Since OpenBSD 3.0, each release has usually come with at least one [song](http://ftp.eu.openbsd.org/pub/OpenBSD/songs/). OpenBSD 6.0 had 6 to mark the *end of CD releases*

---

# OpenBSD: Code audit, security

Early and continuing emphasis on security - code audit started 1995 and still ongoing:

* Assume hostile environment
* Look for unsafe behaviors
* Find one bug, fix similar bugs everywhere in the tree
* *(repeat ...)*

Led to exploit mitigation techniques (W^X, privsep, ASLR, see eg [www.openbsd.org/papers/ven05-deraadt/index.html](https://www.openbsd.org/papers/ven05-deraadt/index.html) and, 10 years later, [www.openbsd.org/papers/ru13-deraadt](https://www.openbsd.org/papers/ru13-deraadt))

First free OS with *strong crypto* in base, illegal to re-export from the US early on(!)
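---

# Why use OpenBSD? Proactive security in practice

The pledge(2) and unveil(2) restrictions from the proactive security slides, as an added example that is not part of the original talk: the program unveils one file read-only, freezes the view, pledges "stdio rpath" and only then reads the file. The no-op stubs for non-OpenBSD systems are an assumption made so the file also compiles elsewhere; enforcement only happens on OpenBSD.

```c
#define _DEFAULT_SOURCE 1	/* glibc/musl: expose mkstemp() under a strict -std= */
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Portability assumption: only OpenBSD has pledge(2)/unveil(2); elsewhere these stubs enforce nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif
/* Constructed sample for the self-check: the default /etc/motd greeting. */
#define SAMPLE_TEXT "Welcome to OpenBSD: The proactively secure Unix-like operating system.\n"

/* Shrink the process to one readable path plus the "stdio rpath" syscalls; run before reading input. */
int restrict_to(const char *path)
{
	if (unveil(path, "r") == -1)	/* only this path is visible, read-only */
		return -1;
	if (unveil(NULL, NULL) == -1)	/* freeze the view: no further unveil() */
		return -1;
	/* After this, other syscalls abort the process and open() of a path not unveiled fails with ENOENT. */
	return pledge("stdio rpath", NULL);
}

/* Read up to len-1 bytes of path into buf, NUL-terminated; -1 on error. */
ssize_t read_all(const char *path, char *buf, size_t len)
{
	int fd = open(path, O_RDONLY);
	ssize_t n;
	if (fd == -1)
		return -1;
	n = read(fd, buf, len - 1);
	close(fd);
	if (n >= 0)
		buf[n] = '\0';
	return n;
}

/* Round trip on a constructed temp file; 1 on success.  Runs before restrict_to(): it creates/unlinks. */
int self_check(void)
{
	char path[] = "/tmp/pledge_demo.XXXXXX", buf[256];
	int fd = mkstemp(path), ok;
	if (fd == -1)
		return 0;
	ok = write(fd, SAMPLE_TEXT, strlen(SAMPLE_TEXT)) == (ssize_t)strlen(SAMPLE_TEXT);
	close(fd);
	if (ok)
		ok = read_all(path, buf, sizeof buf) == (ssize_t)strlen(SAMPLE_TEXT) &&
		    strcmp(buf, SAMPLE_TEXT) == 0;
	unlink(path);
	return ok;
}

int main(void)
{
	char buf[4096];	/* prints the greeting quoted on the "What is OpenBSD?" slide */
	if (restrict_to("/etc/motd") == -1 || read_all("/etc/motd", buf, sizeof buf) == -1)
		err(1, "/etc/motd");
	fputs(buf, stdout);
	return 0;
}
```

On OpenBSD, pointing read_all() at a path other than the unveiled one makes open(2) fail with ENOENT, and any syscall outside the pledged promises (a socket, a second file created) terminates the process; the promise names are listed in pledge(2).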
---

# OpenBSD: Goals (mainly achieved)

*Secure, correct code*

*Usable system* - sane defaults, complete and readable documentation ([man pages](https://man.openbsd.org/) -- commits of new features without a matching man page are not allowed -- plus the [FAQ](https://www.openbsd.org/faq/) and other guides)

*Free to use* - short (2 paragraph) BSD license preferred (see [www.openbsd.org/policy.html](https://www.openbsd.org/policy.html))

Also see [www.openbsd.org/goals.html](https://www.openbsd.org/goals.html)

By a small team: Approx 100 active developers (historically '~356 hackers'), see [marc.info/?l=openbsd-misc&m=144515087006177&w=2](http://marc.info/?l=openbsd-misc&m=144515087006177&w=2)

---

# Why use OpenBSD?

It's a UNIX. A real UNIX (no **systemd**)

Uncluttered base system - a full install w/X, compilers etc is approx 962MB total on amd64

No services enabled (listening) by default. The installer asks if you want to run [sshd(8)](https://man.openbsd.org/sshd)

Full featured system (c, c++ (clang or gcc), perl and tools in base)

Supports modern to fairly ancient hardware across [13 platforms](https://www.openbsd.org/plat.html) (alpha, amd64, arm64, armv7, hppa, i386, landisk, loongson, luna88k, macppc, octeon, powerpc64, sparc64) -- [powerpc64](https://www.openbsd.org/powerpc64.html) *new* in OpenBSD 6.8

Ported software in the package system (*11234* packages prebuilt on amd64 for [OpenBSD 6.8](https://www.openbsd.org/68.html))

Clear separation of base system and packages

---

# Why OpenBSD?
IPSEC

OpenBSD pioneered IPSEC in general, with IPSEC in the base system since OpenBSD 2.1 (1997)

Major usability upgrade in OpenBSD 3.8 – [ipsecctl(8)](https://man.openbsd.org/ipsecctl) and [/etc/ipsec.conf](https://man.openbsd.org/ipsec.conf):

```shell
# Set up two flows:
# First between the machines 192.168.3.14 and 192.168.3.100
# Second between the networks 192.168.7.0/24 and 192.168.8.0/24
flow esp from 192.168.3.14 to 192.168.3.100
flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.12
```

(Compare with others, eg Microsoft’s 36 dialogs and counting - [www.openbsd.org/papers/asiabsdcon07-ipsec/index.html](https://www.openbsd.org/papers/asiabsdcon07-ipsec/index.html))

IKE v2 support in [iked(8)](https://man.openbsd.org/iked) (OpenIKED)

*«IPSEC shouldn’t be this hard. The defaults should make sense.»*

*Bonus: [ikectl(8)](https://man.openbsd.org/ikectl) generates config for Windows and macOS clients too*

---

# Why use OpenBSD? PF

PF, the OpenBSD packet filter, debuted in OpenBSD 3.0 (December 1, 2001)

* Replaced IPFilter (ipf) due to performance and licensing
* High-performance packet filter with (essentially) human-readable config (and the listing of the running rules is readable too)
* Ties in to several other tools/features
* Ported to several other systems (FreeBSD → macOS, iOS, NetBSD → Blackberry, OpenBSD → Solaris)

Since OpenBSD 4.6, PF is enabled by default; **[rc](https://man.openbsd.org/rc)** has a default rule set that lets you fix things after booting with an invalid **[pf.conf](https://man.openbsd.org/pf.conf)**

Also [The Book of PF](https://www.nostarch.com/pf3) or the much-repeated [PF tutorial](https://home.nuug.no/~peter/pf/newest/) and the [rewritten PF tutorial](https://home.nuug.no/~peter/pftutorial/)

---

# Why OpenBSD?
Traffic shaping

The new queue and priorities system replaced the 15-year ALTQ experiment in OpenBSD 5.5:

```shell
queue rootq on $ext_if bandwidth $ext_bw
queue main parent rootq bandwidth 20479K min 1M max 20479K qlimit 100
queue qdef parent main bandwidth 9600K min 8000K max 18M default
queue qweb parent main bandwidth 9600K min 8000K max 18M
queue qpri parent main bandwidth 2000K min 700K max 2500K \
    burst 4000K for 3000ms
queue qdns parent main bandwidth 100K min 12K \
    burst 600K for 3000ms
queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300
```

Tie into PF rules with **match** or **pass** rules using **set queue**

[OpenBSD 6.2](http://www.openbsd.org/62.html) added the *FQ-CoDel* 'fair share' queueing (anti-bufferbloat), see [pf.conf(5)](https://man.openbsd.org/pf.conf#QUEUEING) and [Fixing bufferbloat on your home network with OpenBSD 6.2 or newer](https://pauladamsmith.com/blog/2018/07/fixing-bufferbloat-on-your-home-network-with-openbsd-6.2-or-newer.html)

---

# Why OpenBSD?

PF tools: Proxies, l7 inspection

Two proxies in base: *[ftp-proxy](http://man.openbsd.org/ftp-proxy)* and *[tftp-proxy](http://man.openbsd.org/tftp-proxy)*

Enable cross-firewall traffic for those protocols with divert-to:

```shell
pass in on egress proto tcp to port ftp divert-to $proxy port ftp-proxy
pass out proto tcp from $proxy to port ftp
```

See the man page or the examples in the [old](https://home.nuug.no/~peter/pf/newest/ftpnewproxy.html) or [new](https://home.nuug.no/~peter/pftutorial/#35) tutorials

Others (squid, snort) from packages hook in via **divert-to** too

---

# Why OpenBSD?
PF tools: spamd

Minimally SMTP-capable daemon, **divert-to** hook-in (used to be **rdr-to**)

* Initially a blacklist-importing *tarpit* (answer 1 byte per packet, 1 packet per second or less)
* Since OpenBSD 4.1, *greylisting* by default
* OpenBSD 3.8 introduced *greytrapping*: use bogus addresses in your own domains as spammer traps
* *Combines nicely* with content filtering (and reduces the incoming volume that needs content filtering)

I've supplied spam-eating *appliances* based on this (insert in the SMTP signal path, leave everything else untouched)

See man [spamd](https://man.openbsd.org/spamd) + [spamd.conf](https://man.openbsd.org/spamd.conf) as well as the tutorial [examples](https://home.nuug.no/~peter/pftutorial/#51). See also [bsdly.blogspot.com](https://bsdly.blogspot.com), keyword spam

---

# Why OpenBSD?

CARP - redundancy

Service redundancy was needed, so

* [carp(4)](https://man.openbsd.org/carp) virtual network interface - patent-free successor to Cisco's VRRP router redundancy protocol, for general redundancy. Introduced in OpenBSD 3.5 (May 1 2004)
* Virtual IP address for failover or load balancing modes
* With the [ifstated(8)](https://man.openbsd.org/ifstated) helper daemon toolbox, a 'full service cluster solution'
* Firewall redundancy with state table sync via [pfsync(4)](https://man.openbsd.org/pfsync) (again a virtual network interface)
* IPsec SA and SPD redundancy with failover via [sasyncd(8)](https://man.openbsd.org/sasyncd)

---

# Why OpenBSD?

relayd - load balancing

[relayd(8)](https://man.openbsd.org/relayd) does several things:

* L3 balance over address pools w/dead host detection
* L7 balance, filter and redirect based on L7 (HTTP headers etc) characteristics
* TLS (SSL) termination to offload backends
* upstream router balancing (filter criteria or dead host detection)

---

# Why OpenBSD?
vmm and switchd - virtualization and SDN you can trust

OpenBSD [vmm(4)](http://man.openbsd.org/vmm), with supporting daemon [vmd(8)](http://man.openbsd.org/vmd), was introduced in OpenBSD 6.1.

* full-featured hypervisor for amd64 and i386. Initial design and testing with OpenBSD guests only, now also runs Linux guests well.

OpenBSD [switchd(8)](http://man.openbsd.org/switchd), introduced in OpenBSD 6.1.

* OpenFlow sflow controller, for software defined networks in combination with vmm.

See the [OpenBSD Virtualization FAQ](http://www.openbsd.org/faq/faq16.html) for how to get started.

It's worth noting that [OpenBSD/sparc64](http://www.openbsd.org/sparc64.html) has been LDOM host and guest capable for several years already.

---

# Why OpenBSD?

Innovation, security, verifiability, transparency

*[OpenBSD innovation](http://www.openbsd.org/innovations.html)* is upstream for code used everywhere (OpenSSH, PF, others).

Features may be available elsewhere, but security features are typically enabled by default when ready in OpenBSD, *ahead of others*

Users (customers) increasingly demand transparency and a verifiable process

OpenBSD has been developed under code audit (aka *growing up in public*) for more than 20 years - *only 2 remote holes in the default install in all that time*

OpenBSD pioneered and is still leading in code audit

OpenBSD *has all security enhancements enabled by default*; hard to disable

Open source and OpenBSD in particular *enables independent verification* (should be a strong hint for app developers too)

*OpenBSD quality image* – do the right thing the first time around

---

# Why OpenBSD?
Replace proprietary products

OpenBSD replaces proprietary systems as a low-cost, admin-friendly, secure, high-performance option

* Runs well on generic hardware and common hypervisors
* Full featured platform w/best of breed toolbox for network-centric roles: Firewall, Router, VPN (net2net, net2endpoint), Spamkill, Load balancer, Traffic shaper, SSL/TLS termination/relaying, General Unix server roles, Secure development platform
* Compares favorably with proprietary Unix or Linux in most server roles
* Once they get the hang of it, techs love the system

For external support, leverage existing European competence – [M:tier](https://mtier.org) (UK/NL), also see [www.openbsd.org/support.html](http://www.openbsd.org/support.html)

---

# Why OpenBSD?

It’s good on your desktop or laptop too!

*OpenBSD works well as a workstation too*. OpenBSD is one of the main [X.org](https://www.x.org/) development platforms. If the hardware is supported by X, Bob’s your uncle

Common ‘desktop’ software such as browsers (Firefox, Chromium), LibreOffice, editors etc are available as packages

Recent wifi drivers ([iwm(4)](https://man.openbsd.org/iwm)) developed on OpenBSD, ported to FreeBSD

Most (probably all) OpenBSD developers run OpenBSD on their laptops

Some apps need pampering via [sysctl](https://man.openbsd.org/sysctl)s or memory settings, ask me for specifics (or look it up)!

(See eg [OpenBSD and the modern laptop](https://bsdly.blogspot.com/2017/07/openbsd-and-modern-laptop.html) or [Transition to OpenBSD (BSDCan 2014)](https://home.nuug.no/~peter/transition/bsdcan2014/) - I may revive those tutorials if there’s interest)

---

# Why not OpenBSD?
I was going to say let's not go there, but

Your project may have specific requirements (commercial software) that don't run (well) on OpenBSD

Your staff may be unfamiliar with the system (but that's fixable)

Staff familiar with a Unix are typically up & running within days – and end up loving it

You don't know if your hardware is supported

Actually, common hardware generally is supported

When in doubt, do a test install on a spare unit

---

# OpenBSD vs the competition

Based on a poll on a corporate-internal forum, all *NetScaler* features people actually use (load balancing, SSL termination, “content switching”) are available with the tools in the OpenBSD base system or easily available in packages such as apache, squid, varnish.

Compares favorably with other Unixes in general server (and even desktop) roles.

*License fee*: $0 (donations encouraged)

*Up front investment required*: Training

*Setup costs*: Hardware + time worked

*Short term perks*: Highly motivated employees, visible and attractive competence.

*Long term perks*: Enhanced personal or corporate image, emphasis on quality, security, reliability, transparency.

---

# OpenBSD 6.8 news

The most visible changes in [OpenBSD 6.8](https://www.openbsd.org/68.html) are:

* new *[powerpc64](https://www.openbsd.org/powerpc64.html)* platform for PowerNV (non-virtualized) systems with POWER8 and POWER9 CPUs
* Numerous kernel improvements such as better time measurements across several architectures (see eg [this article](https://undeadly.org/cgi?action=article;sid=20200708055508)), [updated graphics support](https://undeadly.org/cgi?action=article;sid=20200608075708) + numerous improvements in hardware support with updated drivers across several platforms.
* Numerous network stack improvements, including those [described](https://undeadly.org/cgi?action=article;sid=20200921110059) by kn@ in his k2k20 hackathon report.
* [wg(4)](https://man.openbsd.org/wg), an in-kernel driver for WireGuard VPN, [reported previously](https://undeadly.org/cgi?action=article;sid=20200622052207)
* [login_ldap](https://man.openbsd.org/login_ldap) added to base, [reported previously](https://undeadly.org/cgi?action=article;sid=20200913081040)
* FFS2 improvements, see [this](https://undeadly.org/cgi?action=article;sid=20200326083657) article and [this](https://undeadly.org/cgi?action=article;sid=20200528091634)

---

# OpenBSD 6.8 news, continued

* LibreSSL 3.2.2 with TLSv1.3 enabled for both client and server, and a new-and-improved X509 certificate chain validator (see beck@'s k2k20 hackathon [report](https://undeadly.org/cgi?action=article;sid=20200921105847)).
* more *[unveil(2)](https://man.openbsd.org/unveil)*ing
* Further anti-ROP ([return oriented programming](https://en.wikipedia.org/wiki/Return-oriented_programming)) work across several platforms
* Several enhancements to [vmm(4)](https://man.openbsd.org/vmm) + [vmd(8)](https://man.openbsd.org/vmd)
* Continuing SMP improvements, particularly in the network stack
* Improved capabilities in a number of areas of the IEEE 802.11 wireless stack, including *join* (see [hostname.if(5)](https://man.openbsd.org/hostname.if))
* Further mitigations of Intel CPU bugs

See the [release page](http://www.openbsd.org/68.html) and the [changelog](http://www.openbsd.org/plus68.html) for the gory details

---

# OpenBSD: On the horizon

Ongoing work in OpenBSD post 6.8, slithering into -current:

* *[unveil(2)](https://man.openbsd.org/unveil)*-ing of base system programs continues
* Continuing development of [vmm(4)](https://man.openbsd.org/vmm), [switchd(8)](https://man.openbsd.org/switchd) and related virtualization components with added features
* Continuing *SMPization* of all parts of the network stack (out from under the biglock)

And of course incremental improvements continue to turn up everywhere.
You can take a peek via [www.openbsd.org/plus.html](https://www.openbsd.org/plus.html) and the mailing lists

---

# OpenBSD resources

[www.openbsd.org](https://www.openbsd.org/) - The official OpenBSD website – to donate: [www.openbsd.org/donations.html](https://www.openbsd.org/donations.html), and please do donate; corporates may prefer [www.openbsdfoundation.org](https://www.openbsdfoundation.org/) - a Canadian non-profit

[undeadly.org](https://undeadly.org/) - The OpenBSD Journal news site

[bsdly.blogspot.com](https://bsdly.blogspot.com/) - My rant^H^H^H^Hblog posts

[www.tedunangst.com/flak/](https://www.tedunangst.com/flak/) - tedu@ on developments

Michael W Lucas: [Absolute OpenBSD, 2nd ed.](https://www.nostarch.com/openbsd2e)

Peter N. M. Hansteen: [The Book of PF, 3rd ed.](https://www.nostarch.com/pf3)

Henning Brauer: [OpenBSD sucks (… least)](https://quigon.bsws.de/papers/2015/eurobsdcon/)

This presentation: [home.nuug.no/~peter/openbsd_and_you_68/](https://home.nuug.no/~peter/openbsd_and_you_68/)

---

# Feedback form

Please go to the URL indicated by the QR code to provide feedback on this talk:

![OpenFest Feedback QR code](feedback-link-qr-code.gif)