Skip to main content.

Episode 097: Big Network, SmallWall


Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid


BSDCan and pkgsrcCon videos

OPNsense 15.7 released

  • The OPNsense team has released version 15.7, almost exactly six months after their initial debut
  • In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
  • Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
  • The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
  • Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
  • Shortly afterwards, 15.7.1 was released with a few more small fixes

NetBSD at Open Source Conference 2015 Okinawa

  • If you liked last week's episode then you'll probably know what to expect with this one
  • The NetBSD users group of Japan hit another open source conference, this time in Okinawa
  • This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
  • We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con?

OpenBSD BGP and VRFs

  • "VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
  • This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
  • With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
  • The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
  • Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
  • The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts

Interview - Lee Sharp -

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

  • We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
  • They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
  • Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
  • Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
  • The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
  • In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
  • With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
  • Look forward to the upcoming "Solaris Now" podcast (not really)

EuroBSDCon 2015 talks and tutorials

  • This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
  • The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
  • It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
  • There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
  • Registration for the event will be opening very soon (likely this week or next)

Using ZFS replication to improve offsite backups

  • If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
  • This article covers doing just that, but with a focus on making use of the replication capability
  • It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
  • Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
  • Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
  • One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important

Block encryption in OpenBSD

  • We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
  • This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
  • It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
  • The encrypted container method offers the advantage of being a bit more portable across installations than other ways

Docker hits FreeBSD ports

  • The inevitable has happened, and an early FreeBSD port of docker is finally here
  • Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
  • There was also some Hacker News discussion on the topic

Microsoft donates to OpenSSH

  • We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
  • With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
  • They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to
  • We're always looking for interviews - get in touch if you're doing anything cool with BSD that you'd like to talk about (or want to suggest someone else)
  • The FreeNAS community recently lost one of their most active members, Marbus90, who has been a big help to them for a long time - rest in peace and thanks for all your work

Latest News

New announcement


We understand that Michael Dexter, Brad Davis, and George Rosamond think there should be more real news....

Two Year Anniversary


We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment


We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?


We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

Episode 281: EPYC Server battle


Direct Download:MP3 AudioVideo Headlines scp client multiple vulnerabilities Overview SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and...

Episode 280: FOSS clothing


Direct Download:MP3 AudioVideo Headlines A EULA in FOSS clothing? There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which...

Episode 279: Future of ZFS


Direct Download:MP3 AudioVideo Headlines The future of ZFS in FreeBSD The sources for FreeBSD's ZFS support are currently taken directly from Illumos with local ifdefs to support the peculiarities of FreeBSD where the Solaris Portability Layer (SPL) shims fall short. FreeBSD has regularly pulled changes from Illumos and tried to push...

Episode 278: The real McCoy


Direct Download:MP3 AudioVideo Interview - Kirk McKusick - 25 years of FreeBSD How Kirk got started in BSD, at the very beginning Predicting the Future How the code and community grew The leadership of the project, and how it changed over time UFS over the years (reading disks from 1982 in 2018) Conferences The rise and fall of...