OpenBSD

Overview

OpenBSD is a free, open-source, security-hardened Unix-like operating system derived from 4.4BSD. First released in 1995 by Theo de Raadt, it is renowned for its focus on correctness, security, and proactive vulnerability prevention.

OpenBSD includes a custom kernel, base system, and a curated set of ports/packages. It ships with OpenSSH (originally created for OpenBSD), LibreSSL (originally forked from OpenSSL), OpenBGPD, and other security-focused projects.

Key Features

  • Proactive security: Systematic code audits, memory-safe defaults, and features like W^X (write-execute protection) enforcement and PAC (Pointer Authentication on ARM).
  • Chroot jails and privilege separation: Many daemons run in restricted environments.
  • PF (Packet Filter): Built-in firewall, now ported to Linux, FreeBSD, and macOS.
  • Audited codebase: Every line of code in the base system is reviewed for security issues.
  • Secure by default: Minimal default installation, no setuid binaries unless necessary, pledge() and unveil() system calls limit process capabilities.
  • Cryptographic features: Full disk encryption, DSA/Ed25519 key support, secure boot.

Licensing

BSD 3-Clause License (permissive, OSI-approved).

Notable Facts

  • OpenSSH was created by Theo de Raadt and others while working on OpenBSD.
  • The project uses a pledge/unveil system call model to confine processes, reducing the impact of exploits.
  • OpenBSD has a small, dedicated developer community (~15-20 core developers funded by donations and grants).
  • The project has a zero-trust philosophy — even its own code is audited by external developers.
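
The pledge()/unveil() confinement mentioned under Key Features and Notable Facts, as an added example (not code from the OpenBSD project). The function names confine_readonly and probe_open and the choice of /etc are assumptions made for illustration, and the stubs only let the file build on other systems without enforcing anything.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stand-ins so the file also builds off OpenBSD.
 * They enforce nothing; real confinement needs the OpenBSD kernel. */
static int unveil(const char *path, const char *perms)
{ (void)path; (void)perms; return 0; }
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
#endif

/* Restrict the filesystem view to `dir` (read-only), then drop to the
 * "stdio rpath" promise set. Returns 0 on success, -1 with errno set. */
int confine_readonly(const char *dir)
{
    if (unveil(dir, "r") == -1)      /* only this subtree stays visible */
        return -1;
    if (unveil(NULL, NULL) == -1)    /* lock: no further unveil calls */
        return -1;
    if (pledge("stdio rpath", NULL) == -1) /* no sockets, exec, fork, writes */
        return -1;
    return 0;
}

/* Try a read-only open; returns 0 if it worked, else the errno value. */
int probe_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    if (confine_readonly("/etc") == -1) {
        perror("confine_readonly");
        return 1;
    }
    /* On OpenBSD: /etc/passwd opens, /bin/sh reports ENOENT because it
     * lies outside the unveiled tree. */
    printf("/etc/passwd -> %d\n", probe_open("/etc/passwd"));
    printf("/bin/sh     -> %d\n", probe_open("/bin/sh"));
    return 0;
}
```

Call the confinement function as early as possible, after any files or sockets the program needs are already open, so that code reached later by untrusted input runs with the reduced promise set.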

Use Cases

  • Firewall/router appliances (pfSense and OPNsense are based on FreeBSD, but OpenBSD’s PF is the original)
  • Security research and penetration testing
  • Hardened servers (mail, DNS, web)
  • Educational platform for secure system design
  • FreeBSD — packet filter firewall (originally from OpenBSD)

Official Resources