The most exciting new feature in OpenBSD/sparc64 is SMP support. All supported systems should work, with the exception of the Enterprise 10000 (for which support was added after the 4.3 release was made). The release has still some stability issues on systems with more than 4 CPUs (most of these are already fixed in -current), but in general the sparc64 SMP kernel is remarkably stable. Snapshots have been built on a dual UltraSPARC-IIIi machine since November, less than half a year after Theo complained that his shiny new Sun Fire V215 only "half" worked.

OpenBSD is an ultra-secure, freely available, multi-platform BSD-based UNIX-like operating system. And is arguably the most secure operating system in the world.

After using OpenBSD for over 9 years I decided to place online some useful information for first time users of OpenBSD.

The information here covers the current release of OpenBSD.

If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system.

Many people responded to the call for OpenBSD and OpenSSH donations by purchasing an OpenBSD CD set. Those CDs are beginning to arrive in the mail, and when they do, how are you going to use them? If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD as a desktop or server operating system, here's a guide to get you started.

For our VPN we could use OpenBSD's excellent implementation of IPsec (included in the base system), but we'll use OpenVPN instead because it can be deployed easily on both the server and a wide range of clients, including *BSD, Linux, Windows, and Mac OS X. OpenVPN scales well and is secure. The software is already included in OpenBSD's ports and packages repositories, so go ahead and install it.

This was the first honeypot I've ever decided to run. I had long drawn out plans for implementing the perfect honeynet, but sadly some of the hardware that was donated to me at the time was given in non-working condition so I wasn't able to implement the honeynet of my dreams. It seems likely there would be other people out there interested in running a sophisticated honeynet, but who lack all the desired equipment and so they think it cannot be done. This paper has been written to show you otherwise!

I'll be covering the three main free BSD distributions — FreeBSD, NetBSD, and OpenBSD. To be consistent, I decided to install each one over FTP, which proved to be fairly easy. The hardest part of the installation process was actually having to put a floppy drive in my test machine so that I could boot from floppy for the FTP install.

The clear advantage of OpenBSD over other operating systems is the security it offers. The basic philosophy of the project is that security comes as a result of clean, correct code design. A quick search on the BUGTRAQ mailing list archive shows that bugs found on programs do not affect OpenBSD or were already fixed. Of course, given some work by users, security can also be improved on other operating systems, but OpenBSD is "secure by default"; no remote-listening daemons are enabled and features such as ProPolice and the new mmap-based malloc function (introduced in version 3.8) assure that your system is protected from yet undiscovered software bugs and zero-day exploits. The Internet is not a safe place and lots of people want to crack our systems for fun or profit, so it's better to be protected as best as we can.

In this setup we’ll have one separate disk for the OS (in this case sd0) and two disks (in our case, wd0 and wd1) for the RAID 1 array. In total we’re going to mirror the two big disks and on top of that array we’re going to build an encrypted filesystem...

...there is a large selection of security software Linux, ranging from simple items like the Openwall kernel patch to very configurable security suites like PitBull LX. These solutions are simply not available for OpenBSD, so if you have needs beyond the basic User/Group/Other filesystem restrictions for example you are basically out of luck. Restricting access to port 80 for example, while easily achieved in Linux with NSA SELinux or PitBull LX is basically impossible in OpenBSD. Protecting binary software can be done in Linux with a variety of tools, doing so in OpenBSD is very difficult (there is little you can do).

Every medium to large Linux deployment that I am aware off has switched SELinux off. Once you stray from the default configurations that the system distributors ship with the default policies no longer work an things start to break. In my admittedly limited experience, this happens very quickly.

This article goes through the steps of an OpenBSD 3.3 installation. The installer is a text-based interface and, in most cases, is quick and easy to complete.

With trunk(4), you can combine one or more ports as into one virtual network interface. A port could be any physical Ethernet or wireless interface, and it's even possible to add other trunks as ports. The trunk driver will send outgoing traffic with a specific algorithm over the attached ports, which depends on the actual trunk protocol. The first release in OpenBSD 3.8 supports a simple round-robin protocol; outgoing packets are distributed over the ports in a circular way. Furthermore, incoming packets from any attached port are forwarded into the receive queue of the virtual trunk interface. trunk(4) is supported by most of the actual intelligent network switches and some other operating systems, but everyone uses a different name; i.e., HP calls a trunk a Trunk and Cisco calls it Ether Channel, while Linux is using bonding as its name.

Most networks share a few common traits:

• They are made up of heterogeneous pieces (i.e. some Linux, some Windows, Solaris, etc.)
  
• They evolve over time, and this growth may or may not be entirely planned and mapped out
  
• There is usually more then one system/network administrator, and they don't always communicate fully.

So how can OpenBSD help with these problems? Well, first off: if you plan to track, probe and monitor your network from a central machine, it had better be secure. If someone breaks into these boxes, chances are you won't notice their activity on the network since it looks like normal internal scans/etc. The data collected by these machines will tend to be sensitive (i.e. a list of all your mail servers and what versions of Sendmail they are running). OpenBSD is the perfect candidate for this type of work; it's got solid security and an extremely capable network stack (important if you processing and generating a lot of network traffic.

The OpenBSD install is overall the simplest compared to FreeBSD and Linux but the fdisk and disklabel programs are the most difficult. I've done many OpenBSD installs over the past two years and never had any difficulty with OpenBSD's disk setup software. Previously all installs used the entire hard disk. The past ten or so days have made it abundantly clear that OpenBSD's disk setup software was built for full disk installs, and little consideration was given to multi boot issues in its design...

The OpenBSD project cannot guarantee the security of programs in the Ports tree, but they do make an effort to ensure that obviously insecure programs don't make it into Ports. If a security bulletin is sent out about programs in either the base system or Ports, OpenBSD provides patches individually or as a separate branch of the entire project. The process for applying a single patch is detailed at the top of each patch file, making installation as easy as following a couple of lines of instructions.

OpenBSD also incorporates encryption in the operating system. Other systems, like Windows XP, with its Encrypted File System (EFS), layer encryption on top of the operating system rather than build it into the foundation. In OpenBSD, KDS' Heimdal implementation of Kerberos IV and V authentication protocols are a core part of the windowing and log-in systems. And the TCP/IP stack has had the Internet Security Protocol (IPSec) built in since 1997.