Skip to main content.

Episode 081: Puffy in a Box

2015-03-18

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid


Headlines

Using OpenBGPD to distribute pf table updates

  • For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
  • This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
  • It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
  • If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
  • OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version

Mounting removable media with autofs

  • The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
  • It's written by one of the autofs developers, and he details his work on creating and using the utility
  • "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
  • He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
  • It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
  • There's also some more advanced bonus material on GEOM classes and all the more technical details

The Tor Browser on BSD

  • The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
  • Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
  • It has, however, only been released for Windows, OS X and Linux - no BSD version
  • "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
  • Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
  • If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)

OpenSSH 6.8 released

  • Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
  • Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
  • This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
  • Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
  • You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
  • The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
  • Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers

NetBSD at AsiaBSDCon

  • The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
  • It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
  • There was a grand total of 34 different NetBSD gadgets on display at the event

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix


News Roundup

HardenedBSD introduces Integriforce

  • A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
  • By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
  • HardenedBSD has introduced a similar mechanism into their "secadm" utility
  • You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
  • They're looking for some more extensive testing of this new feature

More s2k15 hackathon reports

  • A couple more Australian hackathon reports have poured in since the last time
  • The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
  • He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
  • Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
  • Ted Unangst also sent in a report to detail what he hacked on at the event
  • With a strong focus on improving SMP scalability, he tackled the virtual memory layer
  • His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
  • All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities

DragonFly 4.0.4 and IPFW3

  • DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
  • It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
  • There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
  • Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision)

NetBSD gets Raspberry Pi 2 support

  • NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
  • There are -current snapshots available for download, and multiprocessor support is also on the way
  • The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
  • The usual Hacker News discussion on the subject
  • If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it

OpenIKED as a VPN gateway

  • In our first discussion segment, we talked about a few different ways to tunnel your traffic
  • While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
  • This article should help fill that gap - it walks you through the complete IKED setup
  • From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you're in or around the Troy, New York area, our listener Brian is giving a presentation about ports on OpenBSD at the Rensselaer Polytechnic Institute this Friday at 4:00PM
  • If anyone else in the audience is doing something similar or organizing any kind of BSD event, let us know and we'll be glad to mention it
  • Look forward to seeing the AsiaBSDCon interviews in upcoming episodes

Latest News

Two Year Anniversary

2015-08-08

We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment

2015-01-17

We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?

2014-11-26

We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

EuroBSDCon 2014

2014-09-18

As you might expect, both Allan and Kris will be at EuroBSDCon this year. They'll be busy hunting down various BSD developers and forcing them to do interviews, but don't hesitate to say hi if you're a listener!...


Episode 194: Daemonic plans

2017-05-17

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines FreeBSD Project Status Report (January to March 2017) While a few of these projects indicate they are a "plan B" or an "attempt III", many are still hewing to their original plans, and all have produced impressive results. Please enjoy...

Episode 193: Fire up the 802.11 AC

2017-05-10

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines Bringing up 802.11ac on FreeBSD Adrian Chadd has a new blog post about his work to bring 802.11ac support to FreeBSD 802.11ac allows for speeds up to 500mbps and total bandwidth into multiple gigabits The FreeBSD net80211 stack has reasonably good 802.11n...

Episode 192: SSHv1 Be Gone

2017-05-03

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines OpenSSH Removes SSHv1 Support In a series of commits starting here and ending with this one, Damien Miller completed the removal of all support for the now-historic SSHv1 protocol from OpenSSH. The final commit message, for the commit that removes the SSHv1 related...

Episode 191: I Know 64 & A Bunch More

2017-04-26

HD VideoMP3 AudioTorrent This episode was brought to you by Headlines vBSDCon CFP closed April 29th EuroBSDCon CFP closes April 30th Developer Commentary: Philosophy, Evolution of TrueOS/Lumina, and Other Thoughts. Philosophy of Development No project is an island. Every single project needs or uses some other external utility, library, communications format, standards compliance, and more in order...