# FreeBSD 10.3 vs OpenBSD 6.0



## beiroot (Sep 7, 2016)

Hi Experts,
I know there is a gazillion other pages, threads and articles on this topic - I've read them all. However, most (if not all) of them are outdated - meaning they don't compare FreeBSD 10.3 to OpenBSD 6.0. Could you please tell me what is the difference between those two systems - especially regarding security? E.g. about the PF implementation ... and many many other security-related topics.

I know I'm asking this question on FreeBSD forum but I'd love to hear your opinion on this. After reading tons of lines on FBSD vs OBSD, I'm a little tired of the statement - "OpenBSD is the most secure system. Period." and I would like to hear your side of the story.

Thanks for your opinions!


----------



## gpatrick (Sep 7, 2016)

Blocking of unwanted HTTP and SMTP commands; URL categorization and content blocking from inappropriate websites; SYN flood protection; cache management to protect against packet floods.

These are just a few things that are available in commercial firewalls and I doubt you'd find them in PF.

IMO, OpenBSD is a master of hype. They are great at marketing their product. Two remote holes, blah, blah, blah. Code is audited, blah, blah, blah. By whom? Price Waterhouse? If you want to run apps then you open other vectors of attack, and a little-to-no-use base install gives you nothing.

FreeBSD users like FreeBSD, OpenBSD users are fanatical about OpenBSD. I use FreeBSD for learning Inferno and for IPF.

Otherwise I use SmartOS because it gives me more options. And I'd argue it is just as secure or more secure than OpenBSD. Plus it is developed by a commercial company that has operating revenue and deeper pockets in their new owner Samsung.

My opinions and I'd guess this thread will (probably best) be closed.


----------



## rigoletto@ (Sep 7, 2016)

Investing here.


----------



## SirDice (Sep 7, 2016)

beiroot said:


> Could you please tell me what is the difference between those two systems - especially regarding security?


Well, they're both secure. That said, it's more about the different project goals. For OpenBSD its main goal is security; they'll try and get everything as secure as possible, even to the brink of breaking everything else. For FreeBSD security is important but not at the cost of everything. A lot of the issues and improvements usually find their way into FreeBSD eventually; LibreSSL is probably a good example of that.

The Wikipedia article is actually not that bad: https://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems


----------



## gofer_touch (Sep 7, 2016)

Security is a function of many things, thus the comparison is a bit too simplistic unless you are referring to out-of-the-box security, in which OpenBSD may have an advantage depending on the specific use case. 

PF is a no-brainer; it is simply more up to date on its native platform and able to rely on home-grown tools within the OpenBSD environment. PF on the other BSDs has had enhancements of its own (multi-threading, for example) though, which makes it more performant than on OpenBSD.

You have to also consider usability and applicability. A secure 100 terabyte server running FreeBSD, certainly. A secure 100 terabyte server running OpenBSD? Maybe not so much.

I would say determine your use case first and then see which of the two would best suit your needs with regard to what you want to use it for and your security needs. Many people use OpenBSD boxes as gateways and firewalls while relying on FreeBSD for their fileserving needs. Both can play nicely together.


----------



## beiroot (Sep 7, 2016)

Guys, I know security is a process not a state or a platform. What I'm asking is more what makes OpenBSD "so secure" that FreeBSD doesn't have? From what I've read (I'm new to FreeBSD but I'm devouring literature on it) FBSD can be pretty secure (well hardened), right?
BTW, any good articles/papers/how-tos etc. on FBSD security?


----------



## shepper (Sep 7, 2016)

beiroot said:


> What I'm asking is more what makes OpenBSD "so secure" that FreeBSD doesn't have?



W^X is now strictly enforced by default
LibreSSL - available as a FreeBSD port.
Periodically sanitized RAM
To deter code reuse exploits, rc(8) re-links libc.so on startup, placing the objects in a random order.
RAM and File limits for runaway processes.

There is more.


----------
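Editor's added example for the W^X item in shepper's list above (W^X strictly enforced by default in OpenBSD 6.0); it is not code from any post or from either project. The program probes whether the kernel will hand out a writable-and-executable anonymous mapping, then stages bytes the W^X-compliant way: map the page read/write, copy into it, and flip it to read/execute with mprotect(2), so the page is never W and X at the same time. The file name, the placeholder bytes and the expected result per platform (refusal on OpenBSD 6.0, success on a stock Linux or FreeBSD 10.3 kernel) are the editor's assumptions, not claims made in the thread.

```c
/*
 * Added example (editor's code, not from any post or either project): probe
 * whether the kernel will hand out a W|X anonymous mapping, then stage bytes
 * the W^X-compliant way (map RW, write, mprotect to RX).
 *
 * Build: cc -Wall -o wxprobe wxprobe.c      (file name is an assumption)
 * Expected (assumption): "refused" on OpenBSD 6.0 with W^X strictly enforced,
 * "allowed" on a stock Linux or FreeBSD 10.3 kernel. The RW -> RX path works
 * on all of them because the page is never writable and executable at once.
 */
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANONYMOUS under strict -std */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD spelling of the same flag */
#endif

static size_t page_size(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    return pg > 0 ? (size_t)pg : 4096;
}

/* 1 if the kernel grants a W|X mapping, 0 if it refuses (W^X enforced). */
int rwx_mapping_allowed(void)
{
    size_t pg = page_size();
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pg);
    return 1;
}

/*
 * W^X-compliant staging: copy 'code' into an RW page, then flip the page to
 * RX. Returns 0 and stores the RX address in *out (caller munmaps one page),
 * -1 if the blob is empty, does not fit in a page, or a syscall fails.
 */
int stage_code_wx_safe(const unsigned char *code, size_t len, void **out)
{
    size_t pg = page_size();
    void *p;

    if (len == 0 || len > pg)
        return -1;
    p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, len);                      /* write while the page is RW */
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) {   /* then drop W, add X */
        munmap(p, pg);
        return -1;
    }
    *out = p;
    return 0;
}

/* 1 if staging succeeded and the RX page still holds exactly 'code'. */
int staged_bytes_match(const unsigned char *code, size_t len)
{
    void *p = NULL;
    int ok;

    if (stage_code_wx_safe(code, len, &p) != 0)
        return 0;
    ok = memcmp(p, code, len) == 0;
    munmap(p, page_size());
    return ok;
}

int main(void)
{
    /* Constructed bytes (x86 ret + nops); they are staged, never executed. */
    static const unsigned char blob[] = { 0xc3, 0x90, 0x90, 0x90 };

    printf("RWX anonymous mapping: %s\n",
           rwx_mapping_allowed() ? "allowed" : "refused (W^X enforced)");
    printf("RW -> RX staging:      %s\n",
           staged_bytes_match(blob, sizeof blob) ? "ok" : "failed");
    return 0;
}
```

The probe is what a JIT or a leaky port such as the webkitgtk3 case mentioned later in the thread runs into: the first function is the pattern OpenBSD refuses, the second is the pattern it accepts. If the OpenBSD sysctl kern.wxabort is set (editor's recollection, not from the thread), the first probe is aborted rather than refused, which is the setting used when hunting down W^X violations in ports.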



## a6h (Sep 7, 2016)

beiroot said:


> any good articles/papers/how-tos etc. on FBSD security


https://forums.freebsd.org/threads/4108/


----------



## tobik@ (Sep 7, 2016)

beiroot said:


> BTW, any good articles/papers/how-tos etc. on FBSD security?


https://vez.mrsk.me/freebsd-defaults.txt

Re OpenBSD there are plenty of papers here, if you haven't looked at those yet: https://www.openbsd.org/papers/


----------



## beiroot (Sep 7, 2016)

shepper said:


> W^X is now strictly enforced by default
> LibreSSL - available as a FreeBSD port.
> Periodically sanitized RAM
> To deter code reuse exploits, rc(8) re-links libc.so on startup, placing the objects in a random order.
> ...



I don't know if I understood you correctly. These are the "things" OBSD has that FBSD doesn't?


----------



## ANOKNUSA (Sep 7, 2016)

beiroot, your question will never get the answer you want, because you haven't defined what you're after. What differences are you looking for? What is it you're hoping to achieve with whichever of the two *BSDs you choose? FreeBSD and OpenBSD have different focuses, but each runs software that's almost always easily ported to the other. There are a lot of similarities and differences between FreeBSD and OpenBSD, and not only would listing all of them require a couple of pages, but it would be pointless, since only some of the differences and similarities between the two matter to any one person. What matters to me, for example, is that:

FreeBSD has ZFS. I use UFS on my laptop anyway, and so could run OpenBSD on my laptop, but I have other reasons for not doing that. For example:

FreeBSD has rock-solid GPT and UEFI support. OpenBSD only introduced these a few months ago, and they were only expected to work on some hardware. Support will likely be better when OpenBSD 6.0 comes out. Still...
Multi-core support is better on FreeBSD than it is on OpenBSD. I believe it's a myth that OpenBSD doesn't have multi-core support at all, but it's definitely better-developed on FreeBSD. Really not a strike against OpenBSD, but...

OpenBSD doesn't have VirtualBox in its ports tree. I need to access Windows for work from time to time, so I need VirtualBox to access the second disk in my laptop with Windows installed.
FreeBSD has better support for the things I want and need. If security is your greatest priority, and you're willing to sacrifice other things to maximize security, then go with OpenBSD. It is undoubtedly the more secure of the two. But being the "most secure" operating system on the planet does not in any sense mean that the alternatives are dangerously insecure, or even recklessly insecure. Of course, just as lowering the priority of security while focusing on other things doesn't make FreeBSD a bad choice, security isn't the only reason OpenBSD might be a good choice _for you_.

tobik: As interesting as that blog post is, it's not really going to help someone unfamiliar with either FreeBSD or OpenBSD choose between either system. It's just a very technical explanation of one OpenBSD user's reasons for preferring the OpenBSD default install settings to those of FreeBSD.


----------



## shepper (Sep 7, 2016)

beiroot said:


> These are the "things" OBSD has that FBSD doesn't?


Yes


ANOKNUSA said:


> Support will likely be better when OpenBSD 6.0 comes out.


OpenBSD 6.0 was released 7 days ago.

To add more to the differences.  Some of OpenBSD's features make it more difficult to use certain ports.  For instance webkitgtk3 leaked memory causing a W^X application crash.  There is good and bad in this.  The bad is that someone using a webkitgtk3 browser has to tolerate memory leaks.  The good is that the leaks get identified so that developers can fix them.  The OpenBSD developers see this as a contribution to Open Source Software.

I fully agree with ANOKNUSA's advice to match your needs to the BSD - they have strengths and weaknesses.


----------



## ANOKNUSA (Sep 7, 2016)

shepper said:


> OpenBSD 6.0 was released 7 days ago.



Well, alright then. My attention's been focused on a different September release.


----------



## kpa (Sep 8, 2016)

OpenBSD isn't very newbie friendly, so you pretty much have to know in advance why you would want to use it, based on your own research on what it provides and if that matches your expectations. I used OpenBSD for a while because of the improved PF; it was nice, but I eventually went back to pfSense for my firewall/router because of the other goodies pfSense offers, such as the great integration of all the configuration aspects under a single webgui.

I would summarise OpenBSD as more of a research and development project for various technologies such as LibreSSL rather than a real end user OS. It does work as an end user OS, don't get me wrong, but the bar is much higher for getting it to do what you want compared to some other similar OSes.


----------



## Remington (Sep 8, 2016)

OpenBSD is a nice OS but it lacks a wide range of support in terms of virtualization (jail & bhyve), hardware, software and community contributions.  If you don't know what your specifications are then FreeBSD is a better choice to start with.  Both FreeBSD and OpenBSD are very secure OSes, but they can be hacked with poor configurations or compromised software if you don't know what you're doing.


----------



## Murph (Sep 8, 2016)

In terms of security, it really depends on 1) how good you are as a sysadmin, and 2) what you will be doing with it (in detail).  I have a leased server in a hosting data center which has always been on FreeBSD, and has been there for years.  It has run a variety of releases from 7.0 to 10.3.  It has been there on the receiving end of constant, up to 100 Mbit/s attacks, often from compromised servers within the same LAN (sometimes even the same subnet) or the provider's many gigabits of MAN/WAN.  It has never been compromised, even when I have been a bit lax and ignored it for longer than I really should.  It is pretty much in the worst possible environment for network attacks, with local and near-local high CPU+bandwidth attackers, and unfiltered 100 Mbit/s bandwidth to the Internet itself (unfiltered by the provider, other than when they mitigate specific ongoing attacks, but filtered inside the system itself).

The FreeBSD OS itself is quite secure, and has been for a long time, if you manage it in a secure fashion, only have trusted local users, and your services/applications don't provide a security hole. It is successfully used by some very high profile Internet content providers, and some very high profile network equipment vendors.

OpenBSD has a good reputation for security, but a bad admin or a bad service/application can easily compromise that.  An OpenBSD server can certainly be compromised if you create the circumstances which allow that to happen.  Theo's stuff (and the rest of the OpenBSD developers') is generally pretty good, but many servers are running stuff which has not been touched by them.

In real deployments, neither is better or best.  It's all down to the sysadmin and the services/applications.


----------



## beiroot (Sep 8, 2016)

From what I've read, I can tell that OpenBSD is definitely a server OS and there are far more user-friendly systems sacrificing only a little (say, in security) for easier everyday desktop tasks, no doubt about that. FreeBSD would probably be the best example. I know it's a great server OS, no doubt about that too. As Murph mentioned, many high profile companies use it with success.

What is more, again only theoretical knowledge (reading), I could risk a hypothesis that OBSD is as good as its vanilla implementation. When you have to add stuff and later on upgrade it - that's when the problems start.
The reason why I asked my question in the first place was to understand what OBSD has that FBSD doesn't - regarding security - and I got the answer. Thank you 

Why is OpenBSD so popular among ISP - especially in routers and firewalls?
For a home router, firewall, web server, mail server, ntpd, ftpd - why someone might choose OBSD over FBSD?
And in a corporate network routers and firewalls?

Advocatus Diaboli (nomen omen) anyone?


----------



## xasii (Sep 8, 2016)

beiroot, you're asking this question on a very FreeBSD-specific forum (literally forum) and are getting some answers that are borderline misinformation. Certainly this "once you install anything outside of the base system, all is lost" mantra is false. Neither OpenBSD nor FreeBSD is strictly a server OS. I've used both of them on laptops. Suspend and hibernation support tends to work better on Open, as the developers actually -use- it themselves, while a lot of FreeBSD devs use Macs or Windows.

All of the "every OS can be secure if you make it" answers look like cop-outs to me. FreeBSD is severely lacking in modern exploit mitigation techniques, just to name one thing. OpenBSD has a history of pioneering security technologies or being quick to adopt them. Unfortunately there's no one "easy" page that lists all of their security features collectively -- that would be nice. One (outdated) page that compares the two can be found here: http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html -- please note, however, that it's missing some of the more recent OpenBSD additions such as Pledge.

I'd recommend posing the same question(s) on an OpenBSD-specific mailing list, then again on a BSD-agnostic place such as Reddit's r/BSD. You will get more educated and detailed answers in both places.


----------



## roddierod (Sep 8, 2016)

I'd suggest going here... most users are OpenBSD but there are a number of people that all use FreeBSD (as well as NetBSD).  There isn't a lot of traffic, but the responses are usually very well thought out.

Some OpenBSD devs respond there on occasion.

http://daemonforums.org/index.php


----------



## beiroot (Sep 8, 2016)

Regardless of the previous questions, which are still on the wall, I'm reading a handbook on FreeBSD, which is great btw. OpenBSD lacks one, but I guess it's because they aim at experienced users and lack manpower to tap handbooks.
Anyway, how much of the FreeBSD Handbook is copy-able/usable in OpenBSD? I'm talking rough estimation here, just to see how much the systems are alike or different.


----------



## gpatrick (Sep 8, 2016)

> Why is OpenBSD so popular among ISP - especially in routers and firewalls?


If I had a business any bigger than a SOHO or it was dependent upon the Internet for revenue that was sizable, I wouldn't use OpenBSD as the company firewall since it lacks features commercial ones have.


----------



## xasii (Sep 8, 2016)

beiroot said:


> I'm reading a handbook on FreeBSD which is great btw. OpenBSD lacks one but I guess it's because they aim at experienced users and lack manpower to tap handbooks.


They have something similar, it's just not called a handbook. https://www.openbsd.org/faq


----------



## beiroot (Sep 8, 2016)

Naah, it's not as good as FreeBSD's


----------



## shepper (Sep 8, 2016)

beiroot said:


> Naah, it's not as good as FreeBSD's



Don't confuse quantity for quality.  The OpenBSD FAQ is fully updated every 6 months and is succinct.  FreeBSD 11.0 is due to be released in days, and portions of the Handbook still reference 9.0.  I just copied this from handbook section 7.2:


> Before beginning the configuration, determine the model of the sound card and the chip it uses. FreeBSD supports a wide variety of sound cards. Check the supported audio devices list of the Hardware Notes to see if the card is supported and which FreeBSD driver it uses.
> 
> kldload(8). This example loads the driver for a built-in audio chipset based on the Intel specification:
> 
> ...



snd_hda has been statically compiled in the kernel since 10.0 - no need to attempt to load it as a module.  Before wblock@ updated the HandBook on xorg, it also was out of date.

Before I get flamed, I understand that the FreeBSD Handbook is largely maintained by volunteers and I make the above point more to highlight the differences in philosophy: Large, detailed with occasional out-of-date/errors vs Succinct, up to date and error free.  Is one better than the other?


----------



## ANOKNUSA (Sep 8, 2016)

beiroot said:


> From what I've read, I can tell that OpenBSD is definitely a server OS and there are far more user-friendly systems sacrificing only little (say in security) for an easier everyday desktop tasks, no doubt about that.



While I'd agree with that in general, plenty of OpenBSD users use it on their desktops and laptops just fine. From everything I've heard, Thinkpad laptops and OpenBSD make an especially nice pair.

To add a little to what I said earlier: the different *BSDs have different focuses that lead to different approaches. A user/administrator can accomplish most of the same things with one as they can with another, but the reasons for picking one over another vary, and often come down to what the focus of that *BSD is. FreeBSD is aimed at more of a professional/enterprise audience, so the focus is more on the performance, stability, and reliability provided by long-term support and the adoption of new technologies. This means that while newer elements get merged into base more quickly, potentially problematic elements get phased out more slowly, ensuring that users/admins adjust quickly, but no more quickly than necessary. If security is paramount, this might be unacceptable.

OpenBSD prefers the Superman-proof security of either sticking with or eliminating things based more on possibility rather than probability: does something work fine, and not pose any known stability or security problem? Then leave it. Don't bother spending our precious time and manpower on new stuff when the old stuff works fine. Does something pose a real, potential risk? Get rid of it, even if that means breaking everything but the latest release. Everyone will just have to upgrade post-haste. If either stability and reliability or versatile hardware support are paramount, this might be unacceptable.

Both approaches/goals are admirable, and in a sense are just different versions of the same thing. Again, which one you pick depends on what your priorities are. Also, there are plenty of people who use both in different use cases. No need to draw lines in the sand, here.


----------



## wblock@ (Sep 9, 2016)

This apple is clearly not an orange.  I don't think it's fair to either project.  While it's correct that quantity does not equal quality, scarcity does not equal quality, either.  If OpenBSD's documentation or goals or attitude appeals to you, great!  If you find the similar goals but different scope of FreeBSD more to your liking, welcome here, too.  Some people run both.  If you like either one, help it by getting involved.  For example, we need lots of help with docs...


----------



## ShelLuser (Sep 9, 2016)

Just a wild idea for the OP: why not run both and see for yourself?

There will be differences, obviously, and it'll start with the installer. But when getting your hands on some other software you'll quickly spot certain similarities again (such as a ports collection).

The problem is that you'll always get biased comments, no matter who you speak to. So if your intent is to learn then I'd say start up a virtual machine such as VirtualBox and then simply try it out. Hands on experience is the best way to get to know something better.


----------



## a6h (Sep 9, 2016)

As always, the final outcome of the vs./or is White Noise.


----------



## Murph (Sep 9, 2016)

xasii said:


> Certainly this "once you install anything outside of the base system, all is lost" mantra is false.


If that was in reply to what I said, I was not, and would never claim "all is lost".  I stand by what I said, that a secure OS can easily be compromised through either bad admin or bad services/applications.

Theo can put all the mitigations he wants into the OS, he can make it the world's most secure OS, but that will not completely prevent a compromise if the admin (possibly unknowingly) creates a hole, or a service with dubious code quality is listening to the net.  The compromise might end up limited to less than the entire system, but any case where an attacker can get beyond normal/good/safe functionality is a compromise even when limited/mitigated.  If we're talking only about entire system compromises, then FreeBSD's jails go a long way towards preventing those.

OS design, quality, mitigations, etc only go so far.

It is great that we have Theo and the other OpenBSD developers focussing hard on security.  They are doing a good thing for the world, and the entire BSD ecosystem benefits from it.  It's just wrong to infer that you can't also deploy a secure FreeBSD system which will withstand sustained attack from the worst the net throws at it.  In specific cases, you may well appreciate some of the OpenBSD security features and benefit from them; but otherwise FreeBSD works just as well, in practical terms, for many cases.

In general, and in modern times, the external compromises don't tend to come from the OS itself, they almost always come from the services and applications.  Much of the Windows malware finds its way in through applications, often with the user actively giving it permission (or at least creating the opportunity) to take over their system!


----------



## bldavis11 (Sep 11, 2016)

beiroot said:


> ----snip----
> The reason why I asked my question in the first place, was to understand what OBSD has that FBSD doesn't - regarding security - and I got the answer. Thank you
> ----snip----



One interesting technical piece that OBSD has that, to my knowledge, is rather novel is pledge().  There are some decent talks about it on youtube for a quick introduction to the concept.


----------



## wblock@ (Sep 11, 2016)

You might be interested in capsicum(4).


----------



## xasii (Sep 12, 2016)

wblock@ said:


> You might be interested in capsicum(4).


He might be interested in it, but FreeBSD doesn't seem to be.

https://www.openbsd.org/papers/hackfest2015-pledge/mgp00010.html


----------
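Editor's added example for the pledge(2) / capsicum(4) exchange above (bldavis11, wblock@ and xasii); it is not code from any post or from either project. It shows the pattern both mechanisms assume: open every resource the program needs first, then restrict the process, then do the work with what is already held. The OpenBSD branch uses the "stdio" pledge promise, the FreeBSD branch cap_enter(). The behaviour on a platform with neither (the restrict function returns 1 and the program carries on unsandboxed), the helper and file names, and the sample path used for the post-restriction probe are the editor's assumptions.

```c
/*
 * Added example (editor's code, not from any post or either project):
 * "acquire first, restrict second" with pledge(2) on OpenBSD and
 * capsicum(4) on FreeBSD. Counts lines in a file opened before the
 * restriction; after it, only already-open descriptors and stdio remain usable.
 *
 * Build: cc -Wall -o linecount linecount.c ; run: ./linecount /etc/hosts
 * (file and program names are assumptions)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif

/*
 * Enter the restricted mode.
 * OpenBSD: pledge("stdio"): a later call outside that promise (e.g. open(2)
 *          of a new path) kills the process with SIGABRT, by design.
 * FreeBSD: cap_enter(): capability mode; open(2) of a path fails with
 *          ECAPMODE while existing descriptors keep working.
 * Returns 0 when restricted, 1 when the platform has neither (assumption:
 * the caller decides whether to continue), -1 on error.
 */
int restrict_to_stdio(void)
{
#if defined(__OpenBSD__)
    return pledge("stdio", NULL) == 0 ? 0 : -1;
#elif defined(__FreeBSD__)
    return cap_enter() == 0 ? 0 : -1;
#else
    return 1;
#endif
}

/* Number of '\n' bytes in a buffer. */
long count_newlines(const char *buf, size_t n)
{
    long lines = 0;
    size_t i;

    for (i = 0; i < n; i++)
        if (buf[i] == '\n')
            lines++;
    return lines;
}

/* Count lines on an already-open descriptor; -1 on read error. */
long count_lines(int fd)
{
    char buf[4096];
    ssize_t n;
    long lines = 0;

    while ((n = read(fd, buf, sizeof buf)) > 0)
        lines += count_newlines(buf, (size_t)n);
    return n < 0 ? -1 : lines;
}

/*
 * What code that forgot the ordering sees on FreeBSD: 1 if opening a path
 * after cap_enter() was refused (errno ECAPMODE), 0 if it was allowed.
 * Not used under pledge: there the violation is fatal rather than an errno.
 */
int path_open_refused(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 1;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    int fd, rc;
    long n;

    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    fd = open(argv[1], O_RDONLY);       /* 1. acquire everything we need */
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    rc = restrict_to_stdio();           /* 2. then give up the namespace */
    if (rc < 0) {
        perror("restrict");
        return 1;
    }
    n = count_lines(fd);                /* 3. work with what we already hold */
    close(fd);
    printf("%ld lines (%s)\n", n, rc == 0 ? "sandboxed" : "platform has no sandbox");
#if defined(__FreeBSD__)
    printf("open(2) of a new path after cap_enter: %s\n",
           path_open_refused("/etc/hosts") ? "refused (ECAPMODE)" : "allowed");
#endif
    return n < 0 ? 1 : 0;
}
```

The two APIs differ in how they fail, and that matters for porting: a pledge violation terminates the process, so the restriction has to come after the last open(2); in capability mode the same mistake surfaces as an errno the program can log. Both need the same discipline of ordering setup before the restriction call.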



## wblock@ (Sep 13, 2016)

Quantity wins!  Thread closed.


----------

