#1
Differences in the *BSDs
What is the difference between FreeBSD, OpenBSD, and NetBSD?
Brett
#2
Start here -> http://www.daemonnews.org/200104/bsd_family.html
Most non-BSD people might think Open is secure, Net is portable and Free performs well as a server, but that might not always be the case. It depends on what you want to do with it. In general, Free is the best overall. Net is not just portable, it's the most stable OS on earth. Open is secure but less stable. Some people might think that for running a plain router/firewall, Open is the way to go. That's absolutely the wrong approach. For this situation, NetBSD is your best friend.
#3
Why is NetBSD the best for a router/firewall box?
Hello,
I'm very curious why you stated NetBSD is superior to OpenBSD for a firewall/router box. I'm a newbie to *nix. I just want to learn -- and use the best tool for the job. Could you please elaborate on why you believe NetBSD is superior to OpenBSD? I'm a programmer/analyst. I'm going to build a couple of new boxes to learn *nix. Thank you very much for sharing. NetBSD doesn't get much mention compared to OpenBSD and FreeBSD. I'm looking forward to learning more about its capabilities regarding security/firewall/router uses. Thanks again, Louis
#4
As I mentioned in my last post, Open is less stable. As a plain firewall/router box, you obviously should have everything disabled other than just the firewall or perhaps sshd. When everything is disabled, you only need to worry about the reliability of the firewall. When this box doesn't serve a multi-user environment, you have fewer local exploits to worry about.
Open (prior to 2.9-current) uses the same firewall (IP Filter) as the one NetBSD uses. However, they perform differently. Open is targeted on security first and stability second, while Net is targeted on stability first and portability second. Open's code is highly audited for security; therefore, it's very paranoid (in TCP wrapper terms). Open's developers also have an abnormal mind for their decision bug. When it's overly paranoid, the kernel can panic easily in the event of a suspicious attempt; as a result, you will have to reboot your box more often. Unlike Net and Free, you are given an opportunity to configure whether to be paranoid or to discard/drop the connections silently. You might wonder why the same IP Filter performs differently on Open and Net/Free. Just because IP Filter on Open was highly modified. Keep in mind, the default IP Filter code is already rock-solid. Do you know why IP Filter was removed from Open? IMHO, Darren (the author of IP Filter) was pissed when someone (OpenBSD) modified his code heavily. When you release software and someone thinks there is a better way to do this and that, and you aren't open to suggestions, you would get pissed and modify your license. So Net or Free for a plain firewall? Free is targeted on configurability first and security second. So Net is your best choice. How about the new Packet Filter in Open? It's new, therefore its stability is in doubt. Even if it's mature, the decision bug of Open's developers persists.
>> Could you please elaborate on why you believe netBSD is superior to openBSD?
Each BSD has a different goal. I can't say one is superior in the overall environment. Free tends to balance the overall environment quite well. That said, if you are new to BSD and have less than one year of UNIX background (Linux experience doesn't count toward UNIX experience), you are better off going for FreeBSD to make your life easier. Net and Open are not suitable for beginners.
#5
Thank you, and, may I ask, a couple of other questions?
Hello,
Thank you very much for your replies to my questions. I very much appreciate your sharing. From what you've shared, it sounds like FreeBSD is the BSD to get started with, since I'm new to *nix (been programming MVS/OS390 mainframes for 12 years). A couple of questions for you, freebsd, if you would.
First, what's a decision bug?
Second, you mentioned OpenBSD is more likely to need to be rebooted due to how it handles suspicious situations compared to NetBSD. Is it your experience that OpenBSD firewall and/or router boxes often need to be rebooted? How often? I'm really interested in this. The impression I've gotten from reading -- as I have no personal experiences with BSD yet to draw upon -- is that OpenBSD is a good choice for a firewall. Guess maybe the "common wisdom" just gets repeated by those with little or no practical experience; I could accept that as probable in the case of OpenBSD. There is a book entitled Building Linux and OpenBSD Firewalls. I take it you feel the book is misguided, and probably not a lot of use then? I appreciate an experienced person's point of view. I bought the book, but haven't begun studying it yet.
Third, you mention Linux experience doesn't count for UNIX. Could you elaborate, please? Working full time, I have to choose wisely what to spend time learning. I'm wanting to learn UNIX and system administration for a possible move into that area from being a senior programmer/analyst. From what you've mentioned, it definitely sounds like FreeBSD is the one to focus on. I'm wondering if you feel there is any need to focus on Linux at all, and if so what areas and why. Couldn't one's personal PC and their network be all FreeBSD? What would they be missing, with all the ports available, that they couldn't live without, I wonder? There is a lot of age discrimination in applications development as one ages. I'm thinking system administration in the UNIX world would be better in this regard. I'm soon to be 39.
From what I've learned about FreeBSD, I really appreciate the approach taken to development. Much more mature than what I sense characterizes Linux development. I hope this path is possible for a 40ish person. Any sharing or advice on this is appreciated. From what little I have learned so far, I'm wondering if one can secure a FreeBSD box just as well as an OpenBSD server box using attributes, permissions, chroot, et al. The reason OpenBSD interests me is the advertised greater security. Security seems to be a major issue holding back deployment in large, mission-critical systems dealing with lots of dollars. I'm wondering how much one gives up security-wise with FreeBSD, properly installed and administered. Coming from the mainframe world, and appreciating a mature, robust OS that works quite well, FreeBSD seems the most appealing as far as I can tell as a newbie to *nix at this point. Thank you again, very much for sharing. I really want to learn this stuff -- and choose well what to learn and focus on. Take care, Louis
#6
>> what's a decision bug?
The same software on different OSes can behave differently due to patching. It's a matter of personal preference or decision. OpenBSD developers chose to patch the stock IPF heavily on purpose to make it more secure, but they failed to consider reliability and stability. All versions of IPF on OpenBSD (except 2.8-current and 2.9-current prior to the removal date) had the same old decision bug of panicking the kernel (needs a reboot). Specifically, it was about chksum (you can do a search on Open's mailing list to find out more). In Free and Net, the same IPF behaves properly (drops packets silently) because they didn't modify IPF as much. OpenBSD's developers are pretty aggressive and they often think they are the smartest group on earth. IMHO, it's good to be concerned about security, but stability and reliability are as important, which Open's developers don't have a clue about. Don't get me wrong, I do run two OpenBSD boxes.
>> Is it your experience that OpenBSD firewall and/or router boxes often need to be rebooted?
Twice per month for versions other than 2.8-current and 2.9-current, which are no longer available for download or are not equipped with IPF any longer. That said, 2.9 Release has the same decision bug. Yes, they finally changed their decision 4 months prior to the removal of IPF, which I think was way too late. In addition, for 2.7 Release and 2.8 Release, you can't even do traceroute, because they screwed up and patched IPF incorrectly. Note, all these are real facts and can be found in the mailing list, not just my personal experience.
>> I take it you feel the book is misguided
Not really. Books often cover the basics to get you started. Practically, you need trials, mistakes and errors.
>> you mention Linux experience doesn't count for UNIX. Could you elaborate
Linux is targeted at UNIX newbies who have just migrated from Windows. Therefore, they are targeted at user-friendliness first, configurability second. Note, I am not trying to start a flame war here.
The Linux kernel (2.4) itself is great, but the distributors who package Linux are often UNIX illiterate. As a result, end-users would never have a clue what's the right way to do this or that in the true UNIX world. File system layout is a good example (nothing to do with the kernel). In most Linux distributions (except Slackware), they have misunderstood what /usr/local is for. Say Apache: 95% of Linux users would install it to /usr/local/apache (PREFIX of /usr/local/apache), which is plain bad. I mentioned this issue in several forums here before.
>> I'm wondering if you feel there is any need to focus on Linux at all
Don't waste your time on Linux. You will gain nothing.
>> and if so what areas and why
There is no universal way of doing things in Linux; it depends on the distribution's preference. In Free/Open/Net, there's only one correct and consistent way.
>> Couldn't one's personal PC and their network be all FreeBSD?
Absolutely. Linux people may say FreeBSD is a server OS while Linux is for the desktop. I strongly disagree with this. Linux is in one dimension - desktop only, while FreeBSD is great for both server and desktop. One might argue, "I have got more programs to play around with and you BSD people don't." Inexperienced concept. In FreeBSD, you can play around with as much software as Linux, and with stability, security, configurability and durability. Don't forget, *BSDs have got a Linux emulator, in case you really need to install something that has never been ported to *BSDs. Check my other post, Setting up ports.
>> I hope this path is possible for a 40ish person
I am not any younger at the age of 30.
>> I'm wondering if one can secure a FreeBSD box just as well as an OpenBSD
Absolutely. With iptables in Linux, it's now possible to do the same thing for a plain firewall/router box. You should have heard about what a stateful firewall is versus the stateless one prior to the 2.4 kernel in Linux. Linux people who are using iptables might think it's the greatest firewall ever.
But they probably didn't know IPF, being a stateful firewall, has been available in *BSDs for years. Linux is still playing catch-up with BSDs in security and is several years behind.
>> The reason OpenBSD interests me is the advertised greater security
False advertising and misleading.
>> I'm wondering how much one gives up security-wise with FreeBSD, properly installed and administered
Net/Free can be configured to be as secure as Open, practically and technically.
>> FreeBSD seems the most appealing as far as I can tell as a newbie to *nix at this point
Yes. There is no reason to waste your time on learning Linux when FreeBSD can do things more securely and better with configurability, scalability and durability. Once you start playing with BSDs, you would never go back to Linux.
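As an added illustration of the plain firewall/router setup described in posts #4 and #6 (nothing listening but the packet filter and sshd, with IPF's `keep state` doing the stateful work), here is a minimal IP Filter ruleset. It is constructed for this thread, not taken from any poster or project, and assumes an outside interface `fxp0`, an inside interface `fxp1`, a LAN of 192.168.1.0/24 and a single management host 203.0.113.5 that may ssh in from outside.

```conf
# /etc/ipf.conf -- constructed example; interface names and addresses are assumed.
# Rules are read top to bottom; "quick" stops evaluation at the first match,
# so the order below is: drop junk, deny by default, then carve out exceptions.

# Short/fragmented packets are dropped before any other rule looks at them.
block in log quick all with short

# Default policy in both directions: deny, and log what is refused inbound.
block in log all
block out all

# The inside interface is trusted; the LAN talks to the box and through it.
pass in quick on fxp1 all
pass out quick on fxp1 all

# Anti-spoofing: our own LAN range must never arrive on the outside interface.
block in log quick on fxp0 from 192.168.1.0/24 to any

# Outbound on fxp0: "keep state" records each session, so replies come back
# through the state table and no matching "pass in" rule is needed for them.
# "flags S" only opens state on a real connection attempt (SYN without ACK).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The single unsolicited inbound service: ssh from the management host only.
# Everything else arriving on fxp0 falls through to "block in log all".
pass in quick on fxp0 proto tcp from 203.0.113.5 to any port = 22 flags S keep state

# /etc/ipnat.conf -- router role: hide the LAN behind the outside address.
# (Second line catches protocols without ports, e.g. ICMP.)
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, and watch the state table with `ipfstat -s` to confirm that only outbound-initiated sessions appear in it.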
#7
Thank you very much, Mr. freebsd
I really appreciate the courtesy of your replies to my questions. Thank you very much for taking the time to share. I've found your sharing most helpful and quite insightful. You obviously have a lot of knowledge and experience to draw upon.
Based on what you and others have shared, I'm going to use FreeBSD as my learning platform for UNIX. Best wishes in all regards, Louis
#8
/usr/local/apache
>> In most Linux distributions (except Slackware), they have misunderstood what /usr/local is for. Say Apache, 95% of Linux users would install it to /usr/local/apache (PREFIX of /usr/local/apache), which is plain bad. I mentioned this issue in several forums here before.
Could somebody provide some links so that I may reference this? Thanks in advance.
#9
>> provide some links so that I may reference this
Yes.
1) Do a search with keyword /usr/local under my username in All Forums.
2) Read the threads in this order: mod_auth_mysql Problem mod_auth_mysql using apxs php mysql apache on Redhat 7.1 prefix
Let me repeat, having a consistent directory layout can make your life easier. In *BSDs, you will never see files and directories all over the place and conflicting with one another.
#10
/usr/local/apache
thanks fbsd
>> Using ports is as dynamic as compiling from src. 1) You can edit /usr/ports/www/apache13/Makefile directly (this is the static way). Note: after cvsup'ing your ports tree, this Makefile will be edited back to the original. 2) You can add make options just like running the configure script when you compile Apache from src (many *BSD users don't know this)
I'm one of them.
#11
Quote:
Amen to that! This was the most pleasant thing I found about making the switch to FreeBSD from Linux. But if you insist on staying with Linux, at least... please... do yourself a favor and use Slackware. At least they try to emulate Unix.
I am 35, and have only been a *BSD user for about 3 years. The great thing about computing in a BSD Unix environment is that it is probably the least likely to have "age discrimination". I make my living right now doing web application development, all on FreeBSD systems. Don't believe what the popular computer press says about Unix being difficult and quirky and "non-intuitive". The interface makes complete sense, and is not difficult if you don't mind *reading* (what a forgotten art). No, it's not point-and-click, but a point-and-click interface should be for the END USER, not for someone who really wants to run a serious computing environment. Of course stlouislouis should know that, coming from a mainframe environment. IMHO, when you really want to accomplish something with your system, Unix (especially FreeBSD) is much easier to deal with than anything Microsoft puts out. I speak from experience, having done several web applications in ASP/VBScript/IIS, before throwing up my hands in disgust, and saying "never again". The problem is that nothing is consistent when you deal with those systems. Just when you think you have it figured out, some remote bug pops up that blows your application away. And of course, the reason Microsoft does so well is that the consultants just love to recommend M$oft, because it keeps them coming back every month to fix another stupid problem.
I really think now is the perfect time to get into Unix, because many businesses are starting to question the wisdom of using all-Microsoft networks. Imagine an office fileserver that doesn't even need to be rebooted once a year, runs just great on older hardware, and costs the company 1/3 of what a similar Microsoft solution would cost (1/3 is a generous estimate; I could even imagine 1/10 in some situations). Even better yet, imagine a perfect thin-client network, where *all* applications and user preferences reside on the server, so the only time you need to send the techs out to a user's desk is when the monitor or the ethernet card fails. Oh, and by the way, you can still run those in-house legacy Windows apps, or even DOS apps. See these articles:
http://www.oreillynet.com/pub/a/bsd...ry_Daemons.html
http://www.onlamp.com/pub/a/bsd/200...BSD_Basics.html
http://www.linuxworld.com/site-stor...1/1018.tco.html
__________________
The real n-tier system: FreeBSD -> PostgreSQL -> [any_language] -> Apache -> Mozilla/XUL
Amazon wishlist -- rycamor (at) gmail.com
#12
Hi Rycamor,
Thanks for sharing. If it's OK to ask, what type of web apps do you develop? Had any chance to work with PostgreSQL? If so, do you like it? Thanks again and take care, Louis
#13
This thread is great!
Thanks for starting it and for the others that replied to it as well.
I was wondering the same thing and now I'm going to install FreeBSD to start with and try the other *BSDs soon after. Great info in this thread for newbies like me! THX SG
#14
I work with PHP, Perl, MySQL and PostgreSQL (and JavaScript on the client side). I very much think PostgreSQL is one of the best databases out there. In the past, I have had to confine most of my work to MySQL, because it had to be hosted by other commercial hosting companies, most of whom do not support PostgreSQL. Now that I am starting to provide hosting, I am specifying PostgreSQL for the more complex apps.
I work with a friend who is a true Unix guru, who does network programming, SNMP, administration, etc... We are planning to start a true Application Service Provider (ASP) company, possibly with the name www.rightasp.com. Mainly the apps I have done are a combination of public websites, e-commerce, and internal intranet apps. The external website stuff usually involves some sort of customized database interaction that you can't get "out of the box". The internal apps tend to be replacements for distributed desktop apps which extend the reach of the application, so that the app can be shared with offices at multiple locations. For example, my latest project is a sales lead-tracking system, where the parent company can receive leads on prospective clients, and then distribute those leads to satellite offices, simply by choosing that office in the data entry. This emails a link to the satellite office, which provides further data entry for prospect details, and tracks every update done by the satellite office. Thus the parent company gets realtime data as to when each piece of information about the prospect is updated. Right now I am in the middle of providing reporting functionality, with detailed statistics. I am outputting reports right from the Unix machine in RTF (Rich Text Format), so the users can get nice printable output, but also can save the reports as Word documents, and customize them. The funny part about this project is that the leads are received from yet another company, in the form of a Java terminal on an old AS400 application. So we had to figure out how to grab text captures from the terminal, and run some Perl regex scripts to split the fields out and enter them in the database. It's been a pretty fun job. This is the kind of thing that is going to be needed more and more, as companies realize how limited their traditional desktop applications are.
My advice: get to know a respected computer consultant in the area; someone who provides hardware, networking, installations, etc... His/her customers will be asking more and more about where to look for serious web application development.