BSD Help
 
#16 | BlurZero | February 9th, 2002, 02:23 AM
freebsd,

Though OpenBSD 3.0 no longer has the same ipf, it now has pf (Packet Filter) which was written by the OpenBSD team. It's excellent, and remarkably free of bugs, especially for a first release. Some people have even noticed a 30%+ speed increase over ipf.

I would rather have the djb stuff (like you), but the versions of BIND and sendmail included in OpenBSD have been audited line by line, and I feel pretty safe running them.

And how can you bash the reliability and stability of OpenBSD? I've never seen it crash in normal use. A few issues with kernel compiles and whatnot, but nothing that wouldn't happen with another OS.

#17 | freebsd | February 9th, 2002, 08:43 AM
>> it now has pf (Packet Filter)

Yeah, but it's too new to claim stable.

>> the versions of BIND and sendmail included in OpenBSD have been audited line by line

Doesn't matter, as the world's most insecure software is still insecure no matter how you audit the src. You can still see a huge exploit list on the errata. And you can see how often that software updates its versions, and why does it need an update? Mainly because of bugfixes for exploits, far more than new features.
Maybe there should be a djbBSD, but too bad that won't happen because of djb's strict licensing. You can say that just making a djbware system the default is not even possible.

>> how can you bash the reliability and stability of OpenBSD?

Because they are concentrated on security. Like IPF in 2.X, there was only one stable release on 2.9-current dated after May 2001 and before its removal date. You can find out more here and here.

>> nothing that wouldn't happen with another OS

The same IPF was very stable on FreeBSD/NetBSD but not on OpenBSD, because they audited ipf aggressively and broke things all over the place.

#18 | BlurZero | February 9th, 2002, 02:55 PM
No matter what you say, I'm still pretty damn happy with pf - reliability, speed, and ease of use.

And as I say, I'd rather have the djb software, but I don't worry too much about running the sendmail that's included (I don't run the BIND). Though BIND and sendmail may not be all that secure, OpenBSD does have 4 years without a remote hole in the default install - which includes sendmail.

And reliability - yes, the main focus at OpenBSD is security, but you'd have a hard time convincing me that it comes at the expense of stability.

#19 | mezz | February 9th, 2002, 03:29 PM
Well, one of my friends used to use OpenBSD 2.9 on a very heavy-traffic OpenBSD server. He always had problems with stability and reliability, so he decided to give FreeBSD a shot. He found out that FreeBSD is much better than OpenBSD; he hasn't had any problems for a long time now. It's much faster than OpenBSD as well.

#20 | freebsd | February 10th, 2002, 04:28 AM
>> OpenBSD does have 4 years without a remote hole in the default install

In reality there is no such thing as a default install. A default install doesn't make your OS usable. Say NetBSD and FreeBSD's /etc/defaults/*.conf files: those are the defaults, which don't know what your hostname is. When you add your hostname to /etc/rc.conf, that's no longer a default install. Similarly, to enable ipfilter you would need to change ipfilter_enable="NO" in /etc/defaults/rc.conf to ipfilter_enable="YES" in /etc/rc.conf; that's no longer a default install.
BTW, if you haven't read the two threads I posted previously, here's the summary:

OpenBSD mistakenly and aggressively changed the behavior of IPF to make it more sensitive when there is a checksum mismatch in the IP header. When this occurs, FreeBSD/NetBSD, being RFC compliant, would discard those silently. RFC1122 section 3.2.2 specifies that very clearly. OpenBSD, on the other hand, trying to be aggressive, chose (a decision bug) to panic your kernel when such an event occurs.

When should that checksum error occur?
When using return-icmp-as-dest(xxx) or return-icmp.

Why should I use return-icmp-as-dest(xxx) and what's its benefit?
It's to send an error message to the remote end and tell him no service (udp) is running on this port, immediately and without delay. You can say it's somewhat equivalent to sending return-rst (RESET) in TCP. Doing so is very common on port 113 to avoid timeouts.

Why should OpenBSD change that?
Because they think they are smart *** and should panic your kernel, forcing you to reboot. That's a sign of instability.

Was that the reason for the IPF removal?
One of the reasons but not all. OpenBSD audited every line of code as you mentioned, including IPF, which was being modified heavily. There were so many OpenBSD users on IPF's mailing list complaining about IPF problems in OpenBSD. Darren (IPF's author) confirmed it was entirely OpenBSD's mistake.

What other common problems?
traceroute behind OpenBSD's IPF was broken in 2.8. ping was broken in 2.7. ftp-proxy was broken in 2.8. None of those was broken in NetBSD and FreeBSD.

You said you are damn happy with PF, perhaps you are addicted to OpenBSD?
For me, I don't care what OS I am going to run. If there are better alternatives (Free/Net) I'd choose either one of those without a doubt. I do care about stability, security and reliability. When an OS can't satisfy all three, I just won't run it, of course I am talking about running servers on that OS (my only desktop remains win98 and I don't hate M$). I just choose the right OS for the right task.
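
The silent-discard handling described in post #20 (a header checksum mismatch is counted and the packet dropped, rather than treated as fatal), as an added C example that is not part of the thread and not code from IPF or any BSD kernel. The names `ip_input_check`, `ip_stats` and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_ACCEPT, PKT_DROP_SILENT };

/* Counters stand in for a stack's input statistics (illustrative names). */
struct ip_stats { unsigned long badsum, badhdr; };

/* Constructed sample: 20-byte IPv4/UDP header, 192.168.0.1 -> 192.168.0.199,
 * carrying a correct header checksum of 0xb861. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* RFC 1071 Internet checksum: one's complement of the one's-complement sum
 * of 16-bit big-endian words. Computed over a header whose checksum field
 * is valid, the result is 0. */
uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;    /* pad an odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);    /* fold carries back in */
    return (uint16_t)~sum;
}

/* Input-path check: a malformed or corrupted header is counted and dropped.
 * No ICMP error is generated and nothing aborts; the caller frees the packet. */
enum verdict ip_input_check(const uint8_t *pkt, size_t len, struct ip_stats *st)
{
    size_t ihl;

    if (len < 20 || (pkt[0] >> 4) != 4) { st->badhdr++; return PKT_DROP_SILENT; }
    ihl = (size_t)(pkt[0] & 0x0f) * 4;         /* header length in bytes */
    if (ihl < 20 || ihl > len)          { st->badhdr++; return PKT_DROP_SILENT; }
    if (inet_cksum(pkt, ihl) != 0)      { st->badsum++; return PKT_DROP_SILENT; }
    return PKT_ACCEPT;
}

int main(void)
{
    struct ip_stats st = { 0, 0 };
    uint8_t bad[sizeof sample_hdr];

    memcpy(bad, sample_hdr, sizeof bad);
    bad[8] ^= 0x01;                 /* flip one TTL bit: checksum is now stale */
    printf("good header verdict: %d\n", ip_input_check(sample_hdr, sizeof sample_hdr, &st));
    printf("bad header verdict:  %d\n", ip_input_check(bad, sizeof bad, &st));
    printf("badsum=%lu badhdr=%lu\n", st.badsum, st.badhdr);
    return 0;
}
```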

#21 | BlurZero | February 10th, 2002, 04:56 AM
>>You said you are damn happy with PF, perhaps you are
>>addicted to OpenBSD?

No, I'm just damn pleased with it. I'm not really much of an OpenBSD advocate, just a happy user. I've run various flavors of linux, windows, and FreeBSD (though not recently). Right now, I'm most pleased with OpenBSD. If it stops working, I'll look for something else, but right now, I like it.

#22 | freebsd | February 10th, 2002, 05:07 AM
>> If it stops working, I'll look for something else

Cool.

And when you begin to do mission critical stuff on 3.0, be prepared to look for an alternative.
Don't get me wrong, I don't hate OpenBSD. I still run two OpenBSD boxes because they are still much better than Linux for real server stuff. But it's just my personal preference that I like FreeBSD and NetBSD more than OpenBSD. Having run all 3 of them for years, I've found NetBSD to be most stable.

#23 | munkfish | February 10th, 2002, 09:04 AM
Another excellent thread.

If you haven't used a UNIX based system before but plan to, RedHat might be a nice 'user friendly' place to start. However, I spent four or five years playing with linux on and off and found it very confusing (so many distributions, so many different ways of installing and configuring the different distros) - when I eventually tried FreeBSD it was a breath of fresh air to have the system installation and configuration immaculately planned out for you (even to the point you get a man page about the filesystem hierarchy as mentioned above!).

Personally I really like windows as a workstation. I don't think MS is 'lame' or for 'lusers' etc etc - at the end of the day it's a nice environment for workstation activities such as web design, games playing, office based activities (ala MS Office) etc etc. With this I have one box set up as a workstation (with win95!) and one box set up as a server (with FreeBSD 4.4) and this is a setup I would highly recommend to anyone interested in learning more about UNIX.

Never use the FreeBSD box for workstation activities (ie DO NOT run X windows - IMO it is far inferior to windows as a GUI) - in fact never turn your FreeBSD monitor on!!! Simply use a good windows ssh client (ie SecureCRT http://www.vandyke.com) to 'ssh' into the freebsd machine and complete any activities you need to complete on the freebsd box that way. This has the benefit that you become familiar with the UNIX CLI quickly. I even have my windows machine start up secureCRT with a default login to the freebsd box each time I boot into my windows box. In this way you get the best of both worlds - the power of freebsd as a server environment and the simplicity and ease of use of windows for a workstation.

Taking it one step further - you can also set up Samba on your freebsd box to allow you access to the whole freebsd filesystem from the windows machine (ie in windows Explorer) - obviously whilst there are some things to keep in mind here (only run the smbd server on the lan NIC, don't open special files in win, don't convert unix files to dos format etc) it can be very convenient for learning how the freebsd/UNIX filesystem hierarchy is organised.

That's my 2 cents anyway - FreeBSD is highly recommended over Red Hat - although you should probably try Red Hat as well, just to see how they compare.

#24 | Pda0 | February 12th, 2002, 12:19 PM
I think the Theo issue can start (once more) a flame war but, without getting off-topic:

I like the way linux (err.. redhat) handles stuff in a relaxed manner. This is because I don't use it on production systems if I can help it, but for experimenting. For learning also, it is a great system, as long as you don't install X (hehe), because there's plenty of documentation, manuals, howto's and so on. One piece of advice though: Don't use ANY of the automated configuring scripts/programs, like linuxconf or else. They are evil!

For production systems I use OpenBSD. I've used it till 2.9, haven't had any experience with the 3.x series, so I dunno what to say about its reliability (Though I think I will miss IPF on it... good that Darren is working with other fellas to get obsd patches going)

Till 2.9, OpenBSD has been rock-stable with me, the configuration is strict and unforgiving and I think it's just great, though I must say that it has been hard for me to learn, and I have to thank a lot of guys from #unixhelp for helping me where the docs couldn't.

.pd

#25 | JasonUK | February 12th, 2002, 01:30 PM
Pda0: Don't quite agree with that, if you take away linuxconf, X and all the hand holding there are not very many good reasons left to use Redhat.

I still use Redhat on 50% of my servers, but I'm slowly migrating to FreeBSD. The biggest problem I found was with upgrade paths, a pre redhat-7 (RHN enabled) distribution is a royal pain in the arse to keep up to date, so much so that it's easier to re-install than bother trying to upgrade all the packages. - So I'm stuck with a couple of Redhat 6.1 boxes, which are very tiring to upgrade.

Possibly the only reasonable justification for using Redhat in a server environment is that most binary only commercial software is available for and supported on the Redhat Linux distribution.

FreeBSD's compatibility layer does work extremely well though and in some situations I've found it better than using redhat itself, at least you can tailor your /compat/linux directory to whatever base redhat distribution your commercial app requires. Which would typically require an annoying up/down grade on a Redhat system.

#26 | nuno | February 12th, 2002, 01:47 PM
After just a couple of days with FreeBSD all I can say is RedHat ->R.I.P.

#27 | freebsdforums | February 22nd, 2002, 12:21 PM
I agree with most of the assessments. I believe with any of the *BSD flavors, the issue also is, if you do it, you do it right. Your OS, especially *BSD, is only as good as how well you configure it.

If you use FreeBSD as your first non-Windows OS and you are comfortable with it, by all means use it. You should also look at Linux as a possible springboard into the BSD world, since some people, especially Unix newbies, may initially find *BSD overwhelming without help.

Last edited by freebsdforums : February 22nd, 2002 at 12:30 PM.

#28 | Fjodor | February 22nd, 2002, 04:47 PM
Since I only have time to visit this forum sporadically I seem to come in late in the debates. Sorry for that.


I have a question for you freebsd. You said - "I've found NetBSD to be most stable."

I was wondering why you recommend FreeBSD to most people when you say NetBSD is more stable? Are there any specific reasons to use FreeBSD over NetBSD?

I'm not running any NetBSD servers, and only infrequently encounter them, so I value your input on this since you seem to have used the system for some time.

I am hesitant to introduce NetBSD to my nets, since I have almost no experience with it. Not that I've heard anything bad about it, but as you replied to someone, it's one thing to fiddle around at home and a whole different bowl of stew to introduce it into a mission critical environment. (Not an exact quote, but close enough.)


/Fjodor

#29 | mezz | February 22nd, 2002, 05:17 PM
>> I was wondering why you recommend FreeBSD to most people when you say NetBSD is more stable?
>> Are there any specific reasons to use FreeBSD over NetBSD?

I know, I am no freebsd, but I know where you can find freebsd's other very good posts at http://forums.devshed.com/showthrea...3343&forumid=31 ... FreeBSD is very good for the newbie. Also, it makes life easier.

#30 | freebsd | February 22nd, 2002, 05:44 PM
>> why you recommend FreeBSD to most people when you say NetBSD is more stable?

Because most starters want configurability first, and perhaps stability second. Also, FreeBSD seems to be much easier to administer for BSD newbies, especially as there are a lot more ports in the ports collection.
Free and Net have both taken a slightly different approach. For instance, Free's 4.5-STABLE still hasn't updated XF86 to version 4.X and is still using a very old version of Perl. Although Net tends to be more conservative in general, they upgraded those long ago.
Another thing that makes Net more stable than Free is Net's rock-solid source code. If you buildworld on Net (even tracking current), you will never fail. You can say Net doesn't make significant changes to its src as much as Free.
Free often tries to reinvent the wheel by creating a new way of doing something -> 19.4.7, just to be more user-friendly to newbies. Take recompiling a custom kernel or buildworld, for instance: the standard and traditional way to buildworld is very straightforward in Net and Open, by cd'ing to your /usr/src directory and running make build, that's all.

>> I am hesitant to introduce NetBSD to my nets

Net is not targeted at people with Linux experience or no UNIX experience at all (Linux experience counts for nothing). I'd say you need at least 6 months of FreeBSD experience before you should try out NetBSD. Net is less user-friendly and expects you to know the essential stuff well enough.

Like I said all the time, people who think NetBSD is just portable probably haven't even tried it themselves.

>> to introduce it into a mission critical environment

It depends on how mission critical. I still think that Free is more optimized for running a web server or the like. For a plain firewall or more lightweight services, Net outperforms Free because of its stability and reliability.

Don't forget, hardware is no longer expensive these days. So people should really build another box and give both of them a try. Running all kinds of services in one box (no matter how good your hardware specs are) is not a wise decision in the first place. So here's a list of major services on three of my Net boxes: (3rd box has no static IP and is behind router)

box # 1:
qmail (light), socks5, tinydns (authoritative nameserver), local dnscache, apache (light) and ntpd

box # 2:
qmail (light), ldap, master dnscache, rbldns and apache (light)

box # 3:
qmail (light), ldap (light), local dnscache, nfsd for all other boxes (including being the only box that does cvsup and keep all ports collection) and rbldns

Interesting? That's just for my NetBSD boxes. All 3 boxes have very balanced loads. BTW, box#3 has a fast SCSI disk; if yours doesn't, don't even try such a setup.

Last edited by freebsd : February 22nd, 2002 at 05:48 PM.
