[TriLUG] CARP license.

Magnus Hedemark chrish at trilug.org
Wed Mar 31 07:45:50 EST 2004


On 30 Mar 2004, Jon Carnes wrote:

> OpenBSD firewalls now have redundant fail-over built into them. The
> protocol used for linking the redundant fail-over firewalls is CARP
> (Common Address Redundancy Protocol).

CARP is of course one of the major highlights of the upcoming 3.5 release.  
But there are others.  3.5 has reignited my interest in OpenBSD 
(recompiling my system just to patch it and lack of PAM/nsswitch is what 
puts me off).

There were some nice changes to pf (OpenBSD's firewall... like iptables if 
you're only exposed to Linux... but arguably much more feature rich than 
its Linux counterpart).

Some great load balancing stuff was added to pf in the 3.5 release.  You 
now have a "sticky address" which lets you redirect ports on a round robin 
basis, but have a source hash to set an affinity between a source and 
destination.

pfsync lets you synchronize the state tables between a number of firewalls 
that are working in parallel so you can effectively load balance your 
firewalls without disrupting established stateful connections.

The great spamd daemon now supports greylisting (this alone is enough to 
get me to upgrade).

BGP daemon is now built in (another great reason to upgrade).

pgrep and pkill.  I take these for granted on Linux and utter expletives 
when they are on my other *NIX systems.  Now they are on OpenBSD as of 
3.5.

Huge improvements to TCP/IP stack.  I'd love to see some before & after 
performance benchmarks.

Quoting directly from the features page: "OpenSSL now directly uses the 
new AES instructions some VIA C3 processors provide, increasing AES to 
780MBytes/second (so you get to see a fan-less cpu performing AES more 
than 10x faster than the fastest cpu currently sold)."   Wow.

Firefox is now bundled.

For non x86 architectures gcc 3.3.2 is now included with ProPolice 
support.  x86 does not lend itself well to extensions like ProPolice so 
that arch is still at gcc 2.95.3.

A bunch of neat OpenSSH features are added.  sshd can now force an 
incoming client to change their expired password.  You can put host keys 
in DNS now, also.

See the full list for yourself at http://openbsd.org/35.html



