Gentoo and FreeBSD: Not for Me

I dropped out of the Berkeley Unix world some years back, when I started moving systems from BSD/OS to Linux. A lot has happened since then, and it seemed like time to check back. The Internet Protocols were honed under Berkeley Unix, and its network stack has always been lauded. It seemed like FreeBSD, a Berkeley Unix variant, would be an excellent choice for my new router.

I've heard great things about FreeBSD. One notable aspect is its methodology for packaging software. FreeBSD provides a ports collection, whereby you can retrieve the sources to any one of thousands of programs, download them to your computer, and compile them.

That's all great--so long as the computer has a compiler. A computer needn't have compilers unless it's being used for software development. In fact, I consider it a grave breach of sound security policy to put compilers on publicly exposed systems, such as web servers. For instance, last year, my web server fell victim to the Slapper worm. The worm died, however, as soon as it landed. The Slapper worm required a compiler on the local host to activate its payload. Per my policy there were no compilers, and so the worm sputtered out.

I believe, and the Slapper worm demonstrated, that it is dangerous to put compilers on publicly exposed systems. Even worse, compilers on appliances, like a network router, are insane.

Thus, the standard FreeBSD ports packaging was not appropriate for my router. Fortunately, they provide an alternative where the program is pre-compiled, called "packages." With packages, you can download and run. No compiler involved. Perfect for my application.

So, I installed FreeBSD to the new computer, and it was a snap. However, when I went to turn the firewall on, the natd process started puking, saying, "Unable to create divert socket." I did a bit of research, and I believe the problem is that the pre-compiled operating system kernel (the so-called GENERIC kernel) does not have the IPDIVERT option enabled. If so, then the distributed kernel is not appropriate for my application.
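As an added example (not the post's own code), a small pre-flight checker for exactly this failure mode: given the text of a FreeBSD kernel configuration (the GENERIC config file, or, on a kernel built with INCLUDE_CONFIG_FILE, the output of `sysctl -n kern.conftxt`, which is assumed here to be available), it reports which of the options an ipfw/natd NAT setup needs are missing. The sample config is constructed to mirror the situation in the post.

```python
# Kernel options that an ipfw + natd NAT setup depends on. Assumption:
# IPFIREWALL for the packet filter itself, IPDIVERT for the divert socket
# that natd opens; the post's "Unable to create divert socket" error is the
# symptom of the second one being absent from the running kernel.
REQUIRED_OPTIONS = ("IPFIREWALL", "IPDIVERT")


def parse_kernel_config(text):
    """Return (options, devices) sets parsed from FreeBSD kernel config text.

    Handles full-line and trailing '#' comments and 'options NAME=value'."""
    options, devices = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0], parts[1].strip()
        if keyword == "options":
            options.add(value.split("=", 1)[0].strip())  # keep the name only
        elif keyword == "device":
            devices.add(value)
    return options, devices


def missing_nat_options(text, required=REQUIRED_OPTIONS):
    """List the required options (in order) that the config does not set."""
    options, _ = parse_kernel_config(text)
    return [opt for opt in required if opt not in options]


# Constructed sample: a trimmed GENERIC-like config that has the firewall
# but, like the GENERIC kernel described in the post, no IPDIVERT.
SAMPLE_GENERIC = """\
# GENERIC -- constructed sample for this example
ident       GENERIC
options     INET                    # InterNETworking
options     IPFIREWALL              # firewall
options     IPFIREWALL_VERBOSE_LIMIT=100
device      fxp                     # Intel EtherExpress PRO/100B
"""

if __name__ == "__main__":
    gaps = missing_nat_options(SAMPLE_GENERIC)
    if gaps:
        print("kernel lacks " + ", ".join(gaps) + "; natd divert sockets will fail")
    else:
        print("kernel has every option natd needs")
```

Run it against the real config text before enabling natd; an empty list means the divert socket can at least be created, while a non-empty list tells you which kernel option to add when you do build a custom kernel elsewhere.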

The solution? One solution, the preferred FreeBSD solution, would be to install a compiler and build a new kernel. Another solution would be to punt on FreeBSD and choose something else. That's what I did, and I'm pleased as punch with my new Debian Linux router.

Program source is great stuff. I learn more and I'm more productive when I can access the source of the programs I use. Program source should be available, but it shouldn't be required. Most times I (and most every reasonable human being on this planet) just want to download the program and run it.

The source-required fad has caught on in the Linux world as well. The Gentoo distribution of Linux uses a package management system similar to the FreeBSD source-required ports. This seems so wrong to me in so many ways.

First, the time to load a system goes from 20 minutes to 20 hours. You aren't merely moving a bunch of bits from a CD to your hard disk. You are, instead, compiling every freaking program you plan to run. No operating system install should take longer than it does to make a loaf of bread.

Second, the sole argument I hear in favor of this methodology is, "It's optimized to your system!" I'm not sure I buy it. The evidence I've heard is anecdotal and possibly flawed.

I've heard people say how wonderful Gentoo is, because their computer got faster when they switched over from some other Linux. I wonder, were they running a kernel optimized for their system or a stock generic one? When I installed Debian Linux on my router, the first thing I did was replace the generic operating system kernel with one better suited to my computer. I had 51 different kernel image packages to choose from. Sure, Gentoo is going to be faster than the stock generic kernel, but how about the selected, optimized kernel? And even if a custom-built kernel makes sense, how much is to be gained by building the entire blasted system?

Third, are you friggin' crazy? Have you ever tried to build Mozilla? My workstation doesn't even have enough disk space to do that. Even if it did, it's hard to justify the time and effort to compile an optimized version of the application that may save me 60 CPU seconds. No thanks, I'd really prefer to just install it and run it.

For the hobbyist, there is an exciting "I built it myself" aspect to these source-required distributions. I've compiled so many programs in my life, it doesn't give me a thrill anymore. I'd prefer to just download it and use it.


re: Gentoo and FreeBSD: Not for Me

Rather than using IPFW and IPNAT, there is also IPFILTER which is already present as a KLM in the stock install.

While I agree with the no compiler sentiment on a server, the other half of me says it's needed on FBSD. Maybe it's just a culture thing, but I almost always recompile the OS to the latest -STABLE release just to make sure all of the secure patches are in place.

I keep meaning to try Debian but keep running out of machines. I heard it's a comfy fit if you're already used to using FreeBSD.

re: Gentoo and FreeBSD: Not for Me

Tonight I'm doing the 'happy engineer dance' because I just pushed some packets thru a firewall/router I built myself. It's a Siemens thin client box I bought off of a few years ago. Meant to work on it but left it in the closet. Well actually bought 3 of 'em, and equipped one with a disk and CD drive. They've got Centaur WinChip C6 200 MHz, 64 MB, and a 16 MB SanDisk IDE card.

It's running Bering Leaf off the SanDisk. Custom kernel I tailored for this box. No moving parts. Oh, and no compiler. (built kernel on development box)

happy happy happy ...

Oh, yeah, what I wanted to say -- Dzuy Nguyen gave a nice presentation at ALG a couple weeks ago, he's been hacking routers out of all sorts of junk boxes he bought for ~$25 from eBay. If it's got a CPU, he can make a router out of it -- well it's easier if it has room for a couple NICs, or one on the mainboard and a slot.

re: Gentoo and FreeBSD: Not for Me

Well, you got bit by the keep-the-kernel-as-small-as-possible philosophy. (The alternative, kernels full of everything including the kitchen sink, isn't very attractive either). The correct solution for all this is probably loadable modules.

re: Gentoo and FreeBSD: Not for Me

Having a bit of (primarily experimental) experience with Gentoo Linux, and having talked with others about it as well, it's my impression that speed increases under Gentoo are not so much a matter of the kernel, but of the system libraries being optimized for the architecture. On the average working Linux system, I believe, as is probably the case with most OSes, the CPU spends the most time in library routines, and the optimizations that can make a speed and performance difference over and above I/O limitations are those obtained by properly optimizing these libraries at compile time.

I might add that Gentoo Linux compiled Mozilla without too much difficulty on my laptop on a measly 4G hard drive. It was, as you note, a process for which I had to pick a couple of days during which I could leave the box, with its 350 MHz PII, alone to work on the issue.

re: Gentoo and FreeBSD: Not for Me

I agree in general with Chip's comments, but in FreeBSD's defense, a compiler is not needed on EVERY system. Where I work, I have 11 systems to maintain. I have one system (the one at my desk) with the full source code so I can build patched executables and distribute them to the other systems.

The ports collection and Gentoo, on the other hand...well on that I agree with Chip entirely. The thing is that I haven't yet found a Linux distribution that didn't require me to wrestle with lots of little packages and more than 1 or 2 CDROMs.

I wish there was a good middle ground.

re: Gentoo and FreeBSD: Not for Me

I personally use OpenBSD as my router, since the new standard for packet filtering is just that, PF. Setting up a super secure, stateful router with NAT and DHCPd takes about 15 minutes, depending on knowledge of BSD and editing pf.conf. The great thing is that it's all built in: no recompiling the kernel, no need for any extra software. You just need the base BSD, etc., well, any other packages you want, but you probably won't need X so you can leave those out. All together my router runs DHCP for the internal network, I have PF doing NAT and routing to the network with no running ports except SSH, which is locked to MAC addresses on the internal network, and it took me about 15-20 minutes to do it. Great super secure OS; if you have the time to learn, I highly suggest checking it out.

re: Gentoo and FreeBSD: Not for Me

Whilst I like Gentoo, I use freesco for all my routers.... nice and simple and takes about 30 seconds to install