
FreeBSD – A lesson in poor defaults - hampky
https://vez.mrsk.me/freebsd-defaults.html
======
amarshall
Previously:

- [https://news.ycombinator.com/item?id=11318508](https://news.ycombinator.com/item?id=11318508)

- [https://news.ycombinator.com/item?id=12484248](https://news.ycombinator.com/item?id=12484248)

- [https://news.ycombinator.com/item?id=16008688](https://news.ycombinator.com/item?id=16008688)

Note that updates to this post are listed as addendums at the bottom, rather
than removing sections that are no longer true in current versions of FreeBSD.

~~~
PappaPatat
Why is liking these a thing: everyone has the "past" button, right?

------
kev009
There are kernels of truth in this document that circle around a
politics/bureaucracy issue in FreeBSD that has existed forever. But the
overall motif about security is laughable diatribes of a typical OpenBSD fan
that understands little about kernel work while flailing around about how
secure their pet uniprocessor operating system is.. yes, uniprocessor. It is
trivial to DoS an OpenBSD machine accidentally on any kind of modern hardware
because the locking model is state of the art circa 1980. Security! The only
real facepalm this document describes accurately is that FreeBSD still bundles
sendmail. The rest of this is basically a slanted view of things that don't
matter when running a high scale internet service with FreeBSD -- I know
because I did so.

~~~
uponcoffee
Can you detail how the views presented are 'slanted' and 'don't
matter'?

~~~
kev009
Sure, say you configure a Linux, OpenBSD, and FreeBSD machine to provide some
useful service. A "stack" as they call it these days. None of these OSes are
going to have a large attack surface outside that "stack", and that is the
primary liability in running an internet service. There are relatively rare
occurrences like the TCP SACK bug that affected Linux and Netflix' non-default
FreeBSD RACK TCP stack. Every UNIX-like written in C without formal
verification is subject to incidents like that from time to time. Every other
security concern is addressed in an OS-agnostic fashion with failure domains,
limits of scope/networking, access controls, monitoring, and operations
procedures.

Now what Linux, and to a lesser degree FreeBSD, can do is survive real world
usage at scale. OpenBSD cannot. It would fall over or require magnitude more
machine count to do the same workloads that people use Linux and FreeBSD to
run. So all the exploit mitigation diatribe and "great defaults" and pet
projects are cute but funny when you try and throw shade onto others with
them. As I said, there are some kernels of truth that pertain less about
security and more about overall health in FreeBSD this doc accidentally hits
on, but running some hobby software like opensmtpd on openbsd isn't going to
save the world from real cybersecurity issues.

~~~
Cyberdog
Among those "cute pet projects" are OpenSSH, LibreSSL, OpenNTPD, and PF. The
internet at large, and even FreeBSD itself, would be all the poorer for not
having these projects available.

As someone who has run web servers with both FreeBSD and OpenBSD, I think some
of your criticism in this thread is valid, but you really crossed the line
into blatant fanboyism with that one at the least.

~~~
pushpop
Only really OpenSSH from your list applies though.

LibreSSL isn't really in widespread usage outside of OpenBSD and has still
been vulnerable to some of the recent OpenSSL exploits.

OpenNTPD is more widely used but lots of people still go for other
alternatives and frankly I’m not convinced OpenNTPD offers anything
significant over the competition anyway.

pf is barely used outside of OpenBSD and frankly why should it be when Linux
has iptables (which does the job well) and FreeBSD has ipfw (which also does
the job well). pf is also a decent firewall but it’s also a crowded market
with lots of really decent alternatives written by their respective platform
hosts.

I do actually quite like OpenBSD though. But outside of OpenSSH, OpenBSD is
slowly becoming less relevant to the wider industry as other platforms catch
up on security and even over take in terms of enterprise features.

~~~
aquabeagle
pf is shipped on macOS and iOS as well.

------
layoutIfNeeded
Uh oh. I was planning to set up my new home server with FreeBSD next week, but
after reading this I’m a bit concerned...

It would have been interesting to have some more info on this part too:

>It does not go in depth about changing FreeBSD's more serious low-level
problems that require code changes.

Does anyone have any resources to read up on this? I’ve been reading “The
design and implementation of the FreeBSD operating system” by the way.

~~~
snazz
It seems to mostly be a philosophical issue. FreeBSD security is certainly a
lot better than it was, just expect that the defaults probably aren’t what
you’re looking for.

OpenBSD developers almost always change features for security reasons. They
aren’t afraid of writing their own utilities or maintaining entire projects to
do things in a cleaner way. This can lead to compatibility and/or performance
issues, but at the same time you get a very nicely integrated base system.

I know less about FreeBSD, but they seem to place more responsibility on the
user for building a system using their primitives. The choices they make with
regards to backwards compatibility and defaults make sense in this context.
FreeBSD is also usually the first stop for ex-Linux users who have become
disenchanted by systemd or other changes to the system.

Linux as a whole doesn’t really have to choose a side because distributions
have their own opinions and there’s enough eyes across popular packages to
have decent security while maintaining a huge number of features.

------
radikalerludwig
HardenedBSD fixes several of these issues.

~~~
tachion
No, it doesn't. HardenedBSD is one guy who became sore when FreeBSD rejected
his patches due to complete lack of design, simple and common C programming
errors and overall extremely poor code quality. Despite being provided with
the usual review and suggestions he kept submitting them like that and at some
point FreeBSD devs became bored with his attitude and moved on. And that's how
HardenedBSD came to life.

~~~
meruru
It would be nice if you provided sources when making such harsh accusations.

~~~
tachion
I'm not making any accusations, I'm merely stating facts. Those are easily
reachable on FreeBSD reviews portal, simply search for Shawn's patches.

------
asveikau
I remember this from previous rounds of hn discussions, but I didn't catch
last time that the author actually claims that having a code of conduct is
distracting FreeBSD from adopting his favorite sysctl and rc.conf defaults.
Kind of apples and oranges. Does not paint the author in a good light.

------
mrweasel
My main complaint about FreeBSD is basically an extension of the issue of poor
defaults. They import features and third party software without planning out
how it should fit into the system as a whole.

By far the worst offender is ZFS. Having ZFS as an option on FreeBSD (or Linux)
is wonderful, but it's extremely clear where ZFS has its origin. ZFS feels
like it was just bolted into FreeBSD and no one has a plan for making it feel
like it belongs.

OpenBSD has been incredibly successful in building a base system that feels
like everything belongs together and works in a similar fashion.

~~~
ksec
I am not getting the part about why ZFS feels bolted on? And worst offender?

I think we are missing some context here?

~~~
mrweasel
I was thinking about the command line tools. It's extremely clear that they
came from Solaris and there has been no effort made to make them feel more
like they belong in a BSD system.

------
frankharv
How exactly is having 3 Firewalls in base system "poor defaults"?

The author never explains how 3 firewalls are bad. It seems this is probably
some Linux hack trying to slander FreeBSD.

~~~
metalliqaz
The Zen of Python (PEP 20, aka "import this") comes to mind.

"There should be one-- and preferably only one --obvious way to do it."

~~~
_jal
That's a lovely sentiment, and a great one to base a language that has an
emphasis on instruction and readability on.

But unless you also wish to argue that "there should be preferably only one
programming language", it also follows that there are other sentiments upon
which to base languages.

Here's one that seems to fit the continuing analogy: TMTOWTDI.

[https://en.wikipedia.org/wiki/There's_more_than_one_way_to_d...](https://en.wikipedia.org/wiki/There's_more_than_one_way_to_do_it)

Now, you may not like that one, and that's fair. I frankly like Python less
the more I use it, but it still has its place in my toolkit.

~~~
metalliqaz
The world has room for multiple philosophies, and that's a good thing. I
happen to prefer PEP20 to TMTOWTDI, and Python to Perl, as might be expected.

I wasn't trying to say that there should only be one programming language, and
I don't think it follows from the statement I quoted. I take it more like
this: You use the correct tool for the job, and if there are inferior tools
then just get rid of them.

In the context of the discussion, I happen to think that one packet
filter/firewall in an OS is the correct number, unless each has significantly
different uses. Such is not the case in FreeBSD.

------
rvp-x
I can't connect to this website, is it geo-blocking?

------
asdf21
Out of curiosity, does OpenBSD have anywhere near this many security issues?

~~~
CameronNemo
There is no definitive way of knowing how many security issues are present in
a piece of software or a collection of software. You can only look at history
and attitudes for a project (and perhaps other factors such as language used)
and extrapolate from there.

~~~
thrwaway6318
>and perhaps other factors such as language used) and extrapolate from there.

I'm curious about this statement. Which languages do you think indicate
greater security, which ones tend to indicate the opposite?

~~~
CameronNemo
Languages with a garbage collector will be able to avoid some of the worst
memory errors.

~~~
asveikau
Usually people say it's bounds checking and preventing use after free rather
than GC. It's possible to have both without GC.

------
jshowa3
I was really interested in FreeBSD a while back. Guess I should look elsewhere
after reading this since I'm kind of a newbie and it would've taken me a while
to figure all this out on my own.

~~~
blauekapelle
Not really, this guy is kinda missing the point of FreeBSD - which is
stability not security. Many of these problems are overstated or non-issues
for desktop systems. If you do have a need for any of the changes this guy is
talking about, then you can make the change. If you just want max security,
OpenBSD is a thing. But this list of complaints probably isn't much worse than
many linux distros.

~~~
Varriount
I don't see the security concerns regarding package tools being non-issues,
nor the weirdness regarding OpenSSH patches.

------
Zardoz84
Looks like I was wrong about all BSDs being more secure than a typical
Ubuntu or Debian GNU/Linux install.

~~~
howard941
I take issue with you treating yourself more harshly than the OP's author
treats his machine. Just to hit one point, as the OP has all kinds of other
non-disputable points, I'd wager no typical Linux distribution ships with
swap encryption enabled; do you know if any of them do?
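Swap encryption comes up in the comment above as one of the defaults under discussion. On FreeBSD the mechanism is geli: the Handbook documents that appending `.eli` to a swap device name in `/etc/fstab` makes the rc scripts attach the device with a one-time key at boot, so a machine's swap is encrypted exactly when its fstab swap entries carry that suffix. The script below is an added example, not part of the original thread and not FreeBSD's own tooling; it audits an fstab-style file for swap entries and reports which are plain and which are `.eli`, and can print a corrected copy. The sample fstab inside it is constructed for offline use; the device name `/dev/ada0p3` is only an illustration.

```sh
#!/bin/sh
# Added example (not from the original thread or from FreeBSD).
# Audits fstab swap entries for the geli ".eli" suffix that enables
# encrypted swap at boot on FreeBSD. Works on a file argument or stdin.

# Constructed sample fstab: one plain (unencrypted) swap entry.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2     /           ufs     rw       1     1
/dev/ada0p3     none        swap    sw       0     0'

# Print "<device> encrypted|plain" for every swap entry.
# Comment lines and lines with fewer than three fields are skipped.
check_swap_encryption() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $3 == "swap" {
            status = ($1 ~ /\.eli$/) ? "encrypted" : "plain"
            print $1, status
        }
    ' "$@"
}

# Emit a copy of the fstab in which every plain swap device gets the
# ".eli" suffix. Column alignment is preserved; nothing is written in place,
# so the output can be reviewed before replacing /etc/fstab.
encrypt_swap_entries() {
    awk '
        /^[ \t]*#/ || NF < 3 { print; next }
        $3 == "swap" && $1 !~ /\.eli$/ { sub(/^[^ \t]+/, "&.eli") }
        { print }
    ' "$@"
}

# Stand-alone run: audit the file named on the command line, or the
# constructed sample when no argument is given.
if [ -n "$1" ]; then
    check_swap_encryption "$1"
else
    printf '%s\n' "$SAMPLE_FSTAB" | check_swap_encryption
    printf '%s\n' "$SAMPLE_FSTAB" | encrypt_swap_entries | check_swap_encryption
fi
```

Run it as `sh swapcheck.sh /etc/fstab` on a FreeBSD host; on a running system, `swapinfo` gives the complementary runtime view, since an attached encrypted swap device shows up there with its `.eli` name. A reported `plain` device is the finding the comment above is about: swap contents, which can include keys and plaintext paged out of any process, are written to disk unencrypted.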

~~~
ianai
Once you’re setting up a BSD, you’ve signed up for lots of post install
configuration. The installers just aren’t meant to be as “batteries included”
as a Linux installer.

I’d go so far as to say that you shouldn’t touch a FreeBSD or OpenBSD install
unless you’ve already done and maintained a gentoo, arch, or LFS install.

~~~
sverige
OpenBSD is _much_ easier to install and get working than any of the Linux
distros you mentioned. Post install configuration might take all of an hour,
and it's secure by default, unlike those mentioned.

And by "post install configuration," I mean adding XFCE or other DE or WM,
along with whatever apps you like. No tweaking needed to close security holes.

~~~
snazz
There’s a bit of silliness with resource limits (that I think should be
configured to match the user’s hardware or at least mentioned in the
installer), but overall I agree completely. The base system includes a couple
of window managers, including CWM which is quite nice. On a laptop you have to
enable APM, but after that you’re just about done.

I’d say it’s about equivalent to a simple Arch install on easy hardware,
although OpenBSD comes with quite a bit more security stuff pre-configured.

