FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Adam-2
Asking this on the OpenBSD list gives it a tone:

I have no background in IT security and operating systems other than Windows (I hated it less than Ubuntu, actually). I have found in the archives that in general you can recommend OpenBSD to anyone without any background to start tinkering with. So, there might be no benefit of a learning curve of FreeBSD --> OpenBSD, as I may have wrongly guessed?

What I'd like is a secure wireless router and a file server (for my mobile devices in the first place, really). Many suggested the PC Engines APU board here. Check. Can it handle both roles, router and file server, or, is it a good idea to have one device for these 2 roles in the first place? It would encounter very modest load on both of its roles.

I have no intention whatsoever to run any x86/amd64 desktop software on NIX in the post-PC world (in the desktop space, really).

It would also be an interesting side-note on how you see the future of (NIX on) desktop PCs (already a dead market, as an old post here suggested), or embedded/ARM mobile devices and NIX, perhaps other than iOS/Android derivatives of the latter.

But the main point of my question is, the server. Thank you.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Peter Nicolai Mathias Hansteen

On 09/27/15 12:27, Adam wrote:
> Asking this on the OpenBSD list gives it a tone:
>
> I have no background in IT security and operating systems other
> than Windows (I hated it less than Ubuntu, actually). I have found
> in the archives that in general you can recommend OpenBSD to anyone
> without any background to start tinkering with. So, there might be
> no benefit of a learning curve of FreeBSD --> OpenBSD, as I, may
> have wrongly guessed?

I've been on the "OpenBSD unless some specific requirement trumps it"
track for some years now, mainly because the system comes with
sensible defaults (essentially everywhere else you will find some
silly things that need to be turned off or tweaked in order to be
useful) and things generally make sense, at least to this greying old
hack.

And when I've needed to improvise something from 'found object'
equipment, I've found that OpenBSD is a very good starting point.
You'll find various war stories on the net; one frequently referenced
one is Michael Lucas' (http://blather.michaelwlucas.com/archives/605).

> What I'd like is a secure wireless router and a file server (for my
> mobile devices in the first place, really). Many suggested the PC
> Engines APU board here. Check. Can it handle both roles, router and
> file server, or, is it a good idea to have one device for these 2
> roles in the first place? It would encounter very modest load on
> both of its roles.

The PCengines kit looks capable enough at least for the small scale of
a number of things, but your specification is really open ended. How
much space does that file server need to offer? How much physical
space is the equipment allowed to fill up? At this point, the FreeBSD
camp would point out that they have ZFS for infinite flexibility in
building multi-terabyte storage pools, while the OpenBSD side has
mainly FFS2 and softraid, and possibly a ported HAMMER on the horizon
at some point. That said, both modern SSDs and multi-terabyte spinning
platters are handled quite well, thank you, by FFS2 on OpenBSD.

I've done enough work with both OpenBSD and FreeBSD as routers for
wireless networks that I've seen that yes, they will work, but support
for the newer-flavor protocols such as ac just isn't there yet, and
setting up with a separate wireless access point is likely to get you
better performance. Using the OpenBSD box as the router, firewall,
DHCP server and so forth has left me saner at least, but actually
getting a link for wireless equipment is likely better handled by
special-purpose hardware.

As to the question of splitting file server duties out to a separate
box, I'm pretty sure any modern hardware will be able to perform both
routing and file serving duties at the same time, unless of course
your use case is somehow extremely demanding.

I'd say the more relevant concern would be security - your router is
likely more or less in direct contact with the big bad internet of
shady characters and misconfigured equipment, and you need to consider
the possibility that 'they' manage to compromise your internet-facing
device.

If that device is not the one that holds files that you care about one
way or the other (as in, you more likely than not made a backup of
your config files, right?), 'they' would need to repeat their success
at the separate file server in order to get at your data. There are a
number of ways to limit the available attack surface using the tools
in the base system such as ssh, pf and various others you've heard about.

> I have no intention whatsoever to run any x86/amd64 desktop
> software on NIX in the post-PC world (in the desktop space,
> really).
>
> It would also be an interesting side-note on how do you see the
> future of (NIX on) desktop PCs (already a dead market as and old
> post here suggested), or embedded/ARM mobile devices and NIX,
> perhaps other than iOS/Android derivatives of the latter.

Hm. I'm typing this on a 2014-vintage Clevo laptop running OpenBSD (a
recent amd64 snapshot), and I've only used not-unix software on
desktops and laptops when forced to do so during the last ten or more
years. It's quite possible that we're entering the post-desktop age,
but do keep in mind that at the moment, the majority of the
touchscreen devices such as phones and tablets run a unixish system
underneath the designed-for-one-finger interface. And for my own part,
getting any real work done requires a unix, which in my case tends to
be OpenBSD unless something specific to the occasion trips me up.

- - Peter
- --
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
In reply to this post by Adam-2
I've used both FreeBSD and OpenBSD for the best part of two decades. I'd say
that OpenBSD is definitely the simpler of the two in terms of configuration.
Much simpler and purer I'd say.

Both will be capable for what you are looking for. Although I'd say OpenBSD is
slightly lighter on resources and smaller footprint so better for embedded
devices and the likes. The one thing OpenBSD misses in the file server role is
a modern file system. That said, for FreeBSD and ZFS you want at least 4GB of
RAM anyway.

I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the best
of both worlds.

-Matt

—
Matt Hamilton
Quernus
[hidden email]
+44 117 325 3025
64 Easton Business Centre
Felix Road, Easton
Bristol, BS5 0HE

Quernus Ltd is a company registered in England and Wales. Registered number:
09076246


> On 27 Sep 2015, at 11:27, Adam <[hidden email]> wrote:
>
> Asking this on the OpenBSD list gives it a tone:
>
> I have no background in IT security and operating systems other than Windows
> (I hated it less than Ubuntu, actually). I have found in the archives that in
> general you can recommend OpenBSD to anyone without any background to start
> tinkering with. So, there might be no benefit of a learning curve of FreeBSD
> --> OpenBSD, as I may have wrongly guessed?
>
> What I'd like is a secure wireless router and a file server (for my mobile
> devices in the first place, really). Many suggested the PC Engines APU board
> here. Check. Can it handle both roles, router and file server, or, is it a
> good idea to have one device for these 2 roles in the first place? It would
> encounter very modest load on both of its roles.
>
> I have no intention whatsoever to run any x86/amd64 desktop software on NIX
> in the post-PC world (in the desktop space, really).
>
> It would also be an interesting side-note on how you see the future of
> (NIX on) desktop PCs (already a dead market, as an old post here suggested),
> or embedded/ARM mobile devices and NIX, perhaps other than iOS/Android
> derivatives of the latter.
>
> But the main point of my question is, the server. Thank you.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Stuart Henderson
On 2015-09-27, Quernus <[hidden email]> wrote:
>
> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the best
> of both worlds.

This has an impact on security, of course.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Seth
In reply to this post by Adam-2
On Sun, 27 Sep 2015 03:27:46 -0700, Adam <[hidden email]> wrote:
> What I'd like is a secure wireless router and a file server (for my  
> mobile devices in the first place, really). Many suggested the PC  
> Engines APU board here. Check. Can it handle both roles, router and file  
> server, or, is it a good idea to have one device for these 2 roles in  
> the first place? It would encounter very modest load on both of its  
> roles.

For servers FreeNAS on either HP MicroServers or ixsystems MiniNAS  
hardware best meets my needs.

For network devices I prefer OpenBSD on PCEngines Alix and Apu hardware.

For wireless I always use a dedicated AP (access point) usually EnGenius  
hardware connected to one of these Belkin power timers. [1]

Pop the button on the timer to turn on AP when you need to use WiFi on  
your smartphone or whatever.

Otherwise it stays off, reducing attack surface and human exposure to  
electro-smog (especially important if you have pregnant women or small  
children in proximity to access point)

[1] http://www.belkin.com/conserve/socket/

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Niels
In reply to this post by Adam-2
On 27 Sep 2015, at 12:27, Adam <[hidden email]> wrote:

> I have no background in IT security and operating systems other than
> Windows (I hated it less than Ubuntu, actually). I have found in the
> archives that in general you can recommend OpenBSD to anyone without
> any background to start tinkering with. So, there might be no benefit
> of a learning curve of FreeBSD --> OpenBSD, as I, may have wrongly
> guessed?

“Simple, but not always easy” - that’s how I would put it.
You have to be comfortable working without a GUI.

Having used OS X for 15 years, OpenBSD was my first foray into
command-line and server “administration”. I did consider Linux, FreeBSD
and, of course, OS X - systems that I had previously used or toyed with
for desktop use. However OpenBSD’s focus on security (e.g. secure system
defaults) and simplicity gave me, being a novice, the most confidence of
putting something out that would be accessible from the internet. Bad
settings can break almost any security a system provides by default
(voice in my head: "don’t screw up!"). With OpenBSD I had the least
nagging doubts about whether I had forgotten or missed something essential,
or where I would want to improve on the defaults, security-wise (which I,
nevertheless, did).

Also, I definitely found OpenBSD’s documentation best to work with.
This is especially true for the man pages, which I have found to be
concise and well-maintained.


> What I'd like is a secure wireless router and a file server (for my
> mobile devices in the first place, really). Many suggested the PC
> Engines APU board here. Check.

I have an APU here. For low to medium workloads, it should work well as
a router on OpenBSD. My APU is running (FreeBSD-based) pfSense at the
moment but I’m contemplating switching to OpenBSD, as I don’t need most
of pfSense’s bells and whistles.

For best wireless experience, i.e. 802.11ac or to get more out of
802.11n, you’d probably prefer to run Linux. Or, even better, use a
dedicated access point.

For file serving, the APU is very limited in its number of SATA ports
and availability of cases and cooling solutions. For file hosting,
standard 2.5” or even 3.5” drives (in RAID) give greater bang for the
buck. PC Engines’ cases won’t take standard drives (only mSATA).

Also, as Peter mentioned, there are more flexible file system options
once you look beyond OpenBSD.


> Can it handle both roles, router and file server, or, is it a good
> idea to have one device for these 2 roles in the first place? It would
> encounter very modest load on both of its roles.

Good to separate these roles from a security standpoint.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
In reply to this post by Stuart Henderson
In what way? If you mean the hypervisor does not provide adequate separation
between VMs then that is not really an issue as I control the host and all
VMs. If any are compromised then I have bigger issues.

-Matt

> On 27 Sep 2015, at 16:10, Stuart Henderson <[hidden email]> wrote:
>
>> On 2015-09-27, Quernus <[hidden email]> wrote:
>>
>> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the
>> best
>> of both worlds.
>
> This has an impact on security, of course.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

quartz-2
In reply to this post by Adam-2
>I have found in the
> archives that in general you can recommend OpenBSD to anyone without
> any background to start tinkering with. So, there might be no benefit
> of a learning curve of FreeBSD -->  OpenBSD, as I, may have wrongly
> guessed?

OpenBSD is about as easy to pick up as any other *nix, so long as you
understand the fundamentals (i.e. how to navigate a system using a
command line, etc). The only thing that tends to throw people off is
that OpenBSD uses a somewhat non-standard way of dividing disks up into
partitions.

A lot of people use both systems regularly (myself included) and can
offer their thoughts about their personal gripes for each, but you'll
have to post using a non-disposable email address for people to reply to
directly since no one wants to start an on-list flamewar over this stuff.

You might also want to subscribe/post this question to
"[hidden email]" (their equivalent list to
"[hidden email]")


> What I'd like is a secure wireless router and a file server

In general, one of OpenBSD's main strengths is security whereas one of
FreeBSD's main strengths is storage. For example, FreeBSD needs a lot
more futzing to really lock down properly, and OpenBSD lacks things like
ZFS (and the extreme reliability options it provides).


>Can it handle both roles, router and
> file server

Well it depends a lot on what you're considering "modest loads". If this
is a home system serving half a dozen devices, only pushing a megabit or
two of net data, and only hosting a single drive for file sharing with
no fancy options, then basically any hardware that still boots will
handle both roles. (Like literally, a Pentium II or III will work fine).


>is it a good idea to have one device for these 2
> roles in the first place?

Maybe. It depends a lot on your risk/cost assessment.

Personally I always advocate for a router/firewall to be a dedicated
device and put all your other services hosted on other hardware inside
your LAN. That way you can lock down the router for security but still
let your other systems run whatever they need to without messing around.
However, if you have money/size/power constraints then mixed solutions
are sometimes the lesser of many evils.

OpenBSD and FreeBSD are both perfectly capable of serving both the
router and file server roles if you don't need the advanced features of
the other. Although if you do, and you really only want an all-in-one
device, then you should probably sit down and try to decide if security
or storage options are more important to you and start from there.

As a side note though, either way I would strongly advocate splitting
out the wifi into an external WAP connected to the router via ethernet.
Internal wifi cards always seem to be a pain on any *nix system: there
are about a billion chipsets and drivers seem to like breaking for
random reasons. Also, separate devices means you don't have to
compromise for physical location: the WAP can go wherever it gets the
best signal strength and the router can go wherever it's easiest to
administrate and/or interface with your ISP.
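
Peter's remark earlier in the thread about limiting the attack surface with base-system tools such as pf and ssh, and quartz's advice above to keep the router a dedicated, locked-down device with every other service on separate LAN hosts, both come down to one ruleset on the router. The following /etc/pf.conf is an added example written for this thread; it is not configuration from any poster or from the OpenBSD project. It assumes an APU-style box with re0 facing the ISP and re1 facing the LAN, and that the router serves DHCP and DNS to the LAN from base-system daemons (the interface names, the served ports and the home-network role are assumptions, not details from the thread). Nothing is accepted inbound on the WAN side, and the router's own services, sshd included, are reachable only from the LAN interface, so a file server on a separate LAN host is never exposed through the router.

```pf
# /etc/pf.conf for a small home router. Added example, not from any post
# in the thread. Assumed (not given in the thread): re0 is the WAN side,
# re1 the LAN side, and the router serves DHCP and DNS to the LAN itself.
ext_if = "re0"
int_if = "re1"

set skip on lo
set block-policy drop          # silently drop whatever is not passed

# Normalise fragments and TCP options on everything arriving.
match in all scrub (no-df random-id max-mss 1440)

# Translate LAN source addresses to the (dynamic) WAN address on the way out.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Default deny in both directions. Log the WAN-side drops so that
# pflog0 shows what the internet is trying against the box.
block all
block in log on $ext_if

# Drop packets whose source address does not belong on the interface
# they arrived on (a spoofed LAN address coming in from the WAN, etc.).
antispoof quick for { $ext_if $int_if }

# Traffic the router originates or forwards may leave on either
# interface; the state table takes care of the replies.
pass out inet

# LAN hosts may reach the internet through the router...
pass in on $int_if inet from $int_if:network to any

# ...but not the router's own listeners, except the services passed below.
# Last matching rule wins, so this overrides the broad pass above.
block in on $int_if inet to self

# DHCP: clients ask from 0.0.0.0 to the broadcast address, hence "any".
pass in on $int_if inet proto udp from any port bootpc to any port bootps

# DNS and SSH on the LAN address only; nothing listens towards the WAN.
pass in on $int_if inet proto { tcp udp } from $int_if:network to $int_if port domain
pass in on $int_if inet proto tcp from $int_if:network to $int_if port ssh

# Ping from the LAN helps troubleshooting; no ICMP is accepted from the WAN.
pass in on $int_if inet proto icmp from $int_if:network to $int_if icmp-type echoreq

# There is deliberately no "pass in on $ext_if" rule: unsolicited WAN
# traffic to the router or to anything behind it hits the default deny.
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch what the WAN side is dropping with tcpdump -n -e -ttt -i pflog0. The ruleset is IPv4-only (inet); IPv6 stays under the default deny until rules are written for it. LAN clients talking to a file server on another LAN host never traverse the router at all, which is the separation quartz and Peter are arguing for: a compromise of the internet-facing box still leaves the data on a machine it has no special access to.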

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Theo de Raadt
In reply to this post by Adam-2
> Quernus <[hidden email]> wrote:
>> On 27 Sep 2015, at 16:10, Stuart Henderson <[hidden email]> wrote:
>>
>>> On 2015-09-27, Quernus <[hidden email]> wrote:
>>>
>>> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the
>>> best
>>> of both worlds.
>>
>> This has an impact on security, of course.
>
> In what way? If you mean the hypervisor does not provide adequate separation
> between VMs then that is not really an issue as I control the host and all
> VMs. If any are compromised then I have bigger issues.

We don't need to make precise claims about which parts will break, nor
how.

The problem here is the process of gluing all-the-parts together
without evaluating what is going on.  You need not talk about big
issues once things go wrong -- you do have big issues right from the
start, just like everyone else.

Once you hook a system up to the internet, it is the internet that is
trying to push the buttons of the system.

By combining many disparate pieces together, you require all those
layers of software to make the right decisions, and never make wrong
decisions.  You require all the programmers to be largely infallible.

You are testing all the parts at once.

There's a general rule which may apply here:

    More software, more bugs.

It is clear that your priority is on gaining more operational
features, rather than greater quality.

I know lots of people are doing the same.  Anyways, good luck with it
long term.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Theo de Raadt
In reply to this post by Adam-2
> Yup. Alas, utopia doesn't exist. We all have to make compromises
> and prioritise our requirements and trade offs. For me, this is a very
> nice blend of security, manageability and convenience for my use-case.
> YMMV.

Perhaps you threw out the security when you mixed it all together.

Face it -- you don't know.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
In reply to this post by Theo de Raadt
> On 27 Sep 2015, at 18:01, Theo de Raadt <[hidden email]> wrote:
>
>> Quernus <[hidden email]> wrote:
>>> On 27 Sep 2015, at 16:10, Stuart Henderson <[hidden email]> wrote:
>>>
>>>> On 2015-09-27, Quernus <[hidden email]> wrote:
>>>>
>>>> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the
>>>> best
>>>> of both worlds.
>>>
>>> This has an impact on security, of course.
>>
>> In what way? If you mean the hypervisor does not provide adequate
>> separation
>> between VMs then that is not really an issue as I control the host and all
>> VMs. If any are compromised then I have bigger issues.
>
> We don't need to make precise claims about which parts will break, nor
> how.

I’m not asking that. I was just curious as to what the basis was for the
‘this has an impact of security’ statement with no context or backup of
the statement.

> The problem here is the process of gluing all-the-parts together
> without evaluating what is going on.  You need not talk about big
> issues once things go wrong -- you do have big issues right from the
> start, just like everyone else.
>
> Once you hook a system up to the internet, it is the internet that is
> trying to push the buttons of the system.

Indeed, hence the statement ‘This has an impact on security, of course’
could be applied to attaching any software or hardware of any kind to any kind
of network. Writing this email ‘has an impact on security, of course’.
Opening my front door in the morning 'has an impact on security, of course’.
It is a uselessly vague statement on its own.

> By combining many disparate pieces together, you require all those
> layers of software to make the right decisions, and never make wrong
> decisions.  You require all the programmers to be largely infallible.
>
> You are testing all the parts at once.
>
> There's a general rule which may apply here:
>
>    More software, more bugs.
>
> It is clear that your priority is on gaining more operational
> features, rather than greater quality.

Yup. Alas, utopia doesn’t exist. We all have to make compromises and
prioritise our requirements and trade offs. For me, this is a very nice blend
of security, manageability and convenience for my use-case. YMMV.

> I know lots of people are doing the same.  Anyways, good luck with it
> long term.

Thanks! I’m blogging about how it is turning out. So far seems to be working
pretty nicely.

-Matt

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

quartz-2
In reply to this post by Peter Nicolai Mathias Hansteen
> At this point, the FreeBSD camp would point out that they have ZFS
> for infinite flexibility in building multi-terabyte storage pools,
>
> That said, both modern SSDs and multi-terabyte spinning
> platters are handled quite well, thank you, by FFS2 on OpenBSD

As an aside, people sometimes confuse ZFS with XFS or GlusterFS or other
stuff. ZFS is designed around extreme data reliability and integrity,
not huge array size or high end performance. ZFS is an all-in-one
disk+filesystem that incorporates partitions, multi-parity RAID,
backups, and directory structure into one unified thing. It features
raid-write-hole prevention, triple-redundant checksumming of both data
and metadata, built-in block duplication, advanced journaling, atomic
copy-on-write, and the ability to snapshot arbitrary parts of the system
which can then be rolled back after a problem, among other things. ZFS
is far more than something that 'just handles multi-terabyte pools'.

Now, whether a home user NEEDS all these reliability features is a
different question, but if you decide you do, OpenBSD (along with most
other *nixes) doesn't have anything remotely comparable.


> That said for FreeBSD and ZFS you want at least 4GB of
> ram anyways.

This is a common misconception. The ARC wants to cache your entire array
in ram if it can, so it will expand to fill whatever's available. You
can run ZFS with limited ram, you'll just see a performance hit if you
try to do lots of random reads on things that aren't cached.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

quartz-2
In reply to this post by Matt Hamilton-2
> In what way? If you mean the hypervisor does not provide adequate separation
> between VMs then that is not really an issue as I control the host and all
> VMs. If any are compromised then I have bigger issues.

The most secure system should be the host, not the guest. A super secure
guest inside a VM doesn't help much if the insecure host is compromised.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
> On 27 Sep 2015, at 18:35, Quartz <[hidden email]> wrote:
>
>> In what way? If you mean the hypervisor does not provide adequate
>> separation
>> between VMs then that is not really an issue as I control the host and all
>> VMs. If any are compromised then I have bigger issues.
>
> The most secure system should be the host, not the guest. A super secure
> guest inside a VM doesn't help much if the insecure host is compromised.

Indeed.

But that doesn’t matter in my scenario. I want a FreeBSD machine connected
to the net. Whether or not it contains an OpenBSD VM in it as a guest
doesn’t (IMHO) significantly affect its security.

-Matt


Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Mihai Popescu-3
In reply to this post by Adam-2
Just bumping into this thread, and I wonder: the following are just
jokes, aren't they?

> Otherwise it stays off, reducing attack surface and human exposure to
> electro-smog (especially important if you have pregnant women or small
> children in proximity to access point)


> In what way? If you mean the hypervisor does not provide adequate separation
> between VMs then that is not really an issue as I control the host and all
> VMs. If any are compromised then I have bigger issues.


> The most secure system should be the host, not the guest. A super secure
> guest inside a VM doesn't help much if the insecure host is compromised.


> But that doesn't matter in my scenario. I want a FreeBSD machine connected
> to the net. Whether or not it contains an OpenBSD VM in it as a guest
> doesn't (IMHO) significantly affect its security.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Eric Furman-3
In reply to this post by Matt Hamilton-2
On Sun, Sep 27, 2015, at 01:11 PM, Matt Hamilton wrote:

> > On 27 Sep 2015, at 18:01, Theo de Raadt <[hidden email]> wrote:
> >
> >> Quernus <[hidden email]> wrote:
> >>> On 27 Sep 2015, at 16:10, Stuart Henderson <[hidden email]> wrote:
> >>>
> >>>> On 2015-09-27, Quernus <[hidden email]> wrote:
> >>>>
> >>>> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the
> >>>> best
> >>>> of both worlds.
> >>>
> >>> This has an impact on security, of course.
> >>
> >> In what way? If you mean the hypervisor does not provide adequate
> >> separation
> >> between VMs then that is not really an issue as I control the host and all
> >> VMs. If any are compromised then I have bigger issues.
> >
> > We don't need to make precise claims about which parts will break, nor
> > how.
>
> I’m not asking that. I was just curious as to what the basis was for
> the
> ‘this has an impact of security’ statement with no context or backup
> of
> the statement.
>
> > The problem here is the process of gluing all-the-parts together
> > without evaluating what is going on.  You need not talk about big
> > issues once things go wrong -- you do have big issues right from the
> > start, just like everyone else.
> >
> > Once you hook a system up to the internet, it is the internet that is
> > trying to push the buttons of the system.
>
> Indeed, hence the statement ‘This has an impact on security, of
> course’
> could be applied to attaching any software or hardware of any kind to any
> kind
> of network. Writing this email ‘has an impact on security, of
> course’.
> Opening my front door in the morning 'has an impact on security, of
> course’.
> It is a uselessly vague statement on it’s own.
>
> > By combining many disparate pieces together, you require all those
> > layers of software to make the right decisions, and never make wrong
> > decisions.  You require all the programmers to be largely infallible.
> >
> > You are testing all the parts at once.
> >
> > There's a general rule which may apply here:
> >
> >    More software, more bugs.
> >
> > It is clear that your priority is on gaining more operational
> > features, rather than greater quality.
>
> Yup. Alas, utopia doesn’t exist. We all have to make compromises and
> prioritise our requirements and trade offs. For me, this is a very nice
> blend
> of security, manageability and convenience for my use-case. YMMV.
>
> > I know lots of people are doing the same.  Anyways, good luck with it
> > long term.
>
> Thanks! I’m blogging about how it is turning out. So far seems to be
> working
> pretty nicely.

You really don't get it. Running OpenBSD in a VM gives you no
security benefits of OpenBSD. Your base security will be your
host, in this case FreeBSD. And on top of that you are running
a very complex piece of software, the VM. Who knows what
security holes are in it.

Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
> On 27 Sep 2015, at 22:38, Eric Furman <[hidden email]> wrote:
>
> You really don't get it. Running OpenBSD in a VM gives you no
> security benefits of OpenBSD. Your base security will be your
> host, in this case FreeBSD. And on top of that you are running
> a very complex piece of software, the VM. Who knows what
> security holes are in it.


I do get it. I guess you wrote this before reading my last reply. That
explains the situation.

Yes, the base security will be my host. Putting an OpenBSD VM on there does
not (IMHO) significantly decrease the security of that host. I agree that it
is adding complexities and there could be potentially unforeseen security
issues due to the combination. e.g. something like OpenBSD’s ability to
generate random number could somehow be affected by the underlying VM that
would not be present on bare metal.

Here is the actual blog post I wrote a while back about the setup:

https://www.quernus.co.uk/2015/07/27/openbsd-as-freebsd-router/

The main goal of running OpenBSD in a VM was to provide easier-configured and
more convenient IPsec tunnel termination than FreeBSD can offer out of the
box.

-Matt



Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Theo de Raadt
> > On 27 Sep 2015, at 22:38, Eric Furman <[hidden email]> wrote:
> >
> > You really don't get it. Running OpenBSD in a VM gives you no
> > security benefits of OpenBSD. Your base security will be your
> > host, in this case FreeBSD. And on top of that you are running
> > a very complex piece of software, the VM. Who knows what
> > security holes are in it.
>
>
> I do get it. I guess you wrote this before reading my last reply. That
> explains the situation.
>
> Yes, the base security will be my host. Putting an OpenBSD VM on there
> does not (IMHO) significantly decrease the security of that host. I
> agree that it is adding complexities and there could be potentially
> unforeseen security issues due to the combination. e.g. something like
> OpenBSD's ability to generate random number could somehow be
> affected by the underlying VM that would not be present on bare metal.

Any additional code you run, beyond the minimum, increases your exposure

You are so clueless.  It's amazing.


Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Matt Hamilton-2
> On 27 Sep 2015, at 22:57, Theo de Raadt <[hidden email]> wrote:
>
>>> On 27 Sep 2015, at 22:38, Eric Furman <[hidden email]> wrote:
>>>
>>> You really don't get it. Running OpenBSD in a VM gives you no
>>> security benefits of OpenBSD. Your base security will be your
>>> host, in this case FreeBSD. And on top of that you are running
>>> a very complex piece of software, the VM. Who knows what
>>> security holes are in it.
>>
>>
>> I do get it. I guess you wrote this before reading my last reply. That
>> explains the situation.
>>
>> Yes, the base security will be my host. Putting an OpenBSD VM on there
>> does not (IMHO) significantly decrease the security of that host. I
>> agree that it is adding complexities and there could be potentially
>> unforeseen security issues due to the combination. e.g. something like
>> OpenBSD's ability to generate random number could somehow be
>> affected by the underlying VM that would not be present on bare metal.
>
> Any additional code you run, beyond the minimum, increases your exposure

Indeed. Which is why you are typing this on a typewriter, right? I mean, I don't know what editor you use, emacs, vi, mg, whatever... but that is additional code, right? That has increased your attack surface. But you deem that an appropriate compromise to absolute security, as you want features and convenience.

> You are so clueless.  It's amazing.


No. The fact that I have tried an experiment and have a setup that has different priorities in its requirements to someone else's setup or requirements is not clueless. It is different. OpenBSD just does not offer the functionality (e.g. a large, redundant filesystem, a la ZFS) I need to get the job I want to do done on its own. So I need additional software to achieve that. End of story. Yes, it is a larger attack surface; yes, it is added complexity. I fully understand that. But I need additional software to achieve my end goals.

This thread started with someone who is starting to learn and wanted to know which OS, OpenBSD or FreeBSD, would be best for their requirements. I don't feel putting forward the idea that you could run OpenBSD as a VM and have both is so unreasonable.

-Matt




Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

Eric Furman-3
On Sun, Sep 27, 2015, at 06:22 PM, Matt Hamilton wrote:

> > On 27 Sep 2015, at 22:57, Theo de Raadt <[hidden email]> wrote:
> >
> >>> On 27 Sep 2015, at 22:38, Eric Furman <[hidden email]> wrote:
> >>>
> >>> You really don't get it. Running OpenBSD in a VM gives you no
> >>> security benefits of OpenBSD. Your base security will be your
> >>> host, in this case FreeBSD. And on top of that you are running
> >>> a very complex piece of software, the VM. Who knows what
> >>> security holes are in it.
> >>
> >>
> >> I do get it. I guess you wrote this before reading my last reply. That
> >> explains the situation.
> >>
> >> Yes, the base security will be my host. Putting an OpenBSD VM on there
> >> does not (IMHO) significantly decrease the security of that host. I
> >> agree that it is adding complexities and there could be potentially
> >> unforeseen security issues due to the combination. e.g. something like
> >> OpenBSD's ability to generate random number could somehow be
> >> affected by the underlying VM that would not be present on bare metal.
> >
> > Any additional code you run, beyond the minimum, increases your exposure
>
> Indeed. Which is why you are typing this on a typewriter, right? I mean,
> I don’t know what editor you use, emacs, vi, mg, whatever… but that is
> additional code right? That has increased your attack surface. But you
> deem that an appropriate compromise to absolute security as you want
> feature and convenience.
>
> > You are so clueless.  It's amazing.
>
>
> No. The fact that I have tried an experiment and have a setup that has
> different priorities on it’s requirements to someone else’s setup or
> requirements is not clueless. It is different. OpenBSD just does not
> offer the functionality (e.g. a large, redundant filesystem, ala ZFS) I
> need to get the job I want to do done on it’s own. So I need additional
> software to achieve that. End of story. Yes it is a larger attack
> surface, yes it is added complexity. I fully understand that. But I need
> additional software to achieve my end goals.
>
> This thread started with someone who is starting to learn and wanted to
> know which OS, OpenBSD or FreeBSD would be best for their requirements. I
> don’t feel putting forward an idea that you could run OpenBSD as a VM and
> have both is so unreasonable.

OK, I read your blog. I see you are running this on x86 hardware.
x86 hardware provides NO real hardware virtualization.
You are clueless. Your VM and OpenBSD in the configuration
gives you NO added security. Just convenience. If that's all
you care about, fine, but don't delude yourself into thinking
that you are somehow adding security by running OpenBSD
in this fashion.
VM's give you no added security unless you are running them
on hardware that has been designed for that purpose, such
as IBM mainframes or the AS400. Probably some others
I'm leaving out, but NOT x86 hardware.
Just search for VM and security on the internets and see
what comes up. Secure they are not.
