Skip to main content.

Episode 072: Common *Sense Approach

2015-01-14

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise servers and storage for open sourceTarsnap - online backups for the truly paranoid


Headlines

Be your own VPN provider with OpenBSD

  • We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
  • It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
  • The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
  • With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
  • It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN

FreeBSD vs Gentoo comparison

  • People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
  • This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
  • The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
  • If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more

Kernel W^X in OpenBSD

  • W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
  • It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
  • This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
  • Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
  • Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
  • More technical details can be found in some recent CVS commits

Building an IPFW-based router

  • We've covered building routers with PF many times before, but what about IPFW?
  • A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
  • In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
  • He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
  • If you're an IPFW fan and are thinking about putting together a new router, give this post a read

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense


News Roundup

On profiling HTTP

  • Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
  • Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
  • According to him, it's "not very pretty"
  • He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
  • You can check out his new code on Github right now

Using divert(4) to reduce attacks

  • We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
  • It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
  • PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
  • The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
  • Consider setting this up to reduce the attack spam in your logs if you run public services

ChaCha20 patchset for GELI

  • A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
  • There are also some benchmarks that look pretty good in terms of performance
  • Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
  • There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet

PCBSD update system enhancements

  • The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
  • You can choose what parts of your system you want to let it automatically handle (packages, security updates)
  • The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
  • There's also a new graphical frontend available for it

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

Latest News

Two Year Anniversary

2015-08-08

We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment

2015-01-17

We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?

2014-11-26

We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

EuroBSDCon 2014

2014-09-18

As you might expect, both Allan and Kris will be at EuroBSDCon this year. They'll be busy hunting down various BSD developers and forcing them to do interviews, but don't hesitate to say hi if you're a listener!...


Episode 147: Release all the things!

2016-06-22

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines 2016 FreeBSD Community Survey We often get comments from our listeners, “I’m not a developer, how can I help out”? Well today is your chance to do something. The FreeBSD Foundation has its...

Episode 146: Music to Beastie’s ears

2016-06-16

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines BSDCan Recap and Live Stream Videos OpenBSD BSDCan 2016 papers now available Allan’s slides and Paper Michael W Lucas presents Allan with a gift “FreeBSD Mastery: Advanced ZedFS” Highlighted Tweets: Groff Arrives at BSDCan...

Episode 145: At the Core of it all

2016-06-08

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Interview - Benno Rice - benno@freebsd.org / @jeamland Manager, OS & Networking at EMC Isilon Emily Dunham: Community Automation iXsystems 1U Rackmount Server - 4 Bay Hot-Swap SAS/SATA Drive Bays 400W Redundant Power Supply...

Episode 144: The PF life

2016-06-01

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines dotSecurity 2016 - Theo de Raadt - Privilege Separation and Pledge Video Slides Interested in Privilege Separation and security in general? If so, then you are in for a treat, we have both...