Dangers of Tracking FreeBSD STABLE

Most of my FreeBSD systems track the SECURITY branch of FreeBSD. Wherever possible I try to apply binary updates for the kernel and userland with Colin Percival's freebsd-update tool. Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source.

One of my systems does track the STABLE branch of FreeBSD, specifically RELENG_6. This is more or less a lab system. I like to see what might appear in the next version of FreeBSD, since 6.1 will be a version of STABLE.

Although STABLE is definitely more likely to be operational than CURRENT (which is the bleeding edge and will become FreeBSD 7.0), running STABLE is not without its hazards. Recently a commit appeared that changed part of the PCI code, shown with diffs here.

I happened to try updating to the version of FreeBSD STABLE that had src/sys/dev/pci/pci.c version 1.292.2.6, dated Mon Jan 30 18:42:10 2006 UTC. While compiling, I got this error:

/usr/src/sys/dev/pci/pci.c:1611: error: `PCI_IVAR_LATTIMER' undeclared
 (first use in this function)
*** Error code 1
Stop in /usr/obj/usr/src/sys/JANNEY.
Error code 1
Stop in /usr/src.
*** Error code 1

I can see the line in pci.c the compiler doesn't like:

   1611         case PCI_IVAR_LATTIMER:
   1612                 *result = cfg->lattimer;
   1613                 break;

Shorly after version 1.292.2.6, dated Mon Jan 30 18:42:10 2006 UTC, appeared in STABLE, it was updated to 1.292.2.7, dated Tue Jan 31 14:42:43 2006 UTC. However, the diffs to the previous version don't appear to affect the PCI_IVAR_LATTIMER code. I'm not sure what happened, but I was able to update to STABLE after the new code was committed and therefore get the system compiled and running.

janney:/home/richard$ uname -a
FreeBSD janney.taosecurity.com 6.0-STABLE FreeBSD 6.0-STABLE #0: Tue Jan 31 22:17:14 EST 2006
     root@janney.taosecurity.com:/usr/obj/usr/src/sys/JANNEY  i386
janney:/home/richard$ grep FBSDID /usr/src/sys/dev/pci/pci.c
__FBSDID("$FreeBSD: src/sys/dev/pci/pci.c,v 1.292.2.7 2006/01/31 14:42:43 imp Exp $");

As you can see, the system is now running STABLE as of late 31 Jan 06.

Comments

Anonymous said…
Out of curiosity, what do you think about using FreeBSD vs. OpenBSD? I've been interested in looking at BSD as an alternative (especially to learn pf, which I understand is superior to iptables). As a longtime Linux user, I'm told that FreeBSD would be the OS to try. As a security professional, OpenBSD does seem to have a great track record. Obviously you use FreeBSD, and as you are one of my most respected mentors in InfoSec (Marcus Ranum also comes to mind), I'm just curious as to why you use that over OpenBSD.
10:08 AM
Richard Bejtlich said…
Hi Chris,

It depends on your needs. As a general-purpose server with a huge array of applications in the ports tree (14,000+), I like FreeBSD. For a single-purpose system with a high level of Internet exposure or responsibility (like a firewall), I like OpenBSD. The good news is that trying both costs zero money.
11:54 AM
Anonymous said…
Having had my 1st exposure to PF through OpenBSD, I migrated over to FreeBSD once it became a standard part of the system as of 5.x

FBSD and the ports system make it a lot easier to maintain than OBSD.

I've deployed into production use both on custom systems for clients and as part of self contained solutions using PFSense.

Regardless of platform, PF is a joy to work on and maintain compared to iptables.


greg
12:21 PM
Joao Barros said…
Richard, better not having the kernel compile than not booting or deadlocks ;)

For a generic server/router I would choose FreeBSD over OpenBSD or in Chris case where you'll find FreeBSD a more welcoming enviroment for first time users.

I agree with greg, pf is way more friendly than iptables.
One thing I miss from iptables: a p2p module where you can discard or tag packets. Imagine ALTQ on it ;)
1:35 PM
Richard Bejtlich said…
I didn't mention that at one point I couldn't get the kernel to boot... I had to recover from that as well!
1:37 PM
Anonymous said…
Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source.

Apparently you don't know the benefits of compiling from source: http://funroll-loops.org/

Pat
1:50 PM
Joao Barros said…
Pat,

I resent the use of the Type-R logo to make fun of someone. What's wrong with my CTR? ;)

http://www.civictype-r.co.uk/gallery.htm
2:28 PM
Anonymous said…
Chris,

I use both FreeBSD and OpenBSD, similar to the way Richard does. For an all round server, FreeBSD and the various ports tools are great.

I leave firewalling and VPN'ing to my OpenBSD boxes. You can also run snort on them, but you have to do a manual install of snort and any tools you want. However, setting up a bonded interface when using taps is a piece of cake on OpenBSD. FreeBSD is a little more work.

PF rocks btw. So does having a transparent squid proxy and a chrooted bind (caching dns for internal users).
4:32 PM
Anonymous said…
Joao,

I am curious as to why you'd need an external module to packet shape p2p ?

I havent had much difficulty tagging and massaging p2p traffic using ALTQ here.

Joe,

I can recommend adding

Ad blocking with Bind

to your internal dns. Speeds up surfing a lot



greg
5:22 PM
Anonymous said…
Thanks for the comments. It sounds like FreeBSD is the best way to get started, with OpenBSD something to keep as an option where necessary. Now if I just had more free time...
5:31 PM
Joao Barros said…
greg,
Yes it's doable but not dynamic and when you have such dynamic traffic like P2P you're not shaping/blocking everything.
Take for example ICQ: block the default ICQ ports,start a network capture and you'll see it try to go out through 21, 23, 80, 8080, 3128, etc. Identify it by packet pattern and you'll get it always (depending on protocol).
Of course as like snort a realtime packet parser is a cpu hog and depending on the scenario, mostly pps or bandwith this can be very dificult to apply.
6:48 PM
Anonymous said…
You guys need ipp2p from www.ipp2p.org
Sure, it's Loonix not FreeBSD, but it's an easy build, install & config on 2.6.12 or higher kernels..
(ipp2p is a kernel & iptables module that allows you to mark most P2P connections/sessions. It works "a trick" to allow you to mark, classify & ratelimit most modern P2P protocols!

I've also read of the ng_p2p netgraph module for FreeBSD, but I don't think it's anywhere near as good as ipp2p currently is..
6:50 AM
Anonymous said…
Make that the ng_tag module at http://antigreen.org/vadim/freebsd/ng_tag

ipp2p is (much) less cpu load than you'd think, even with its need for the CONNTRACK modules etal..
6:56 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more