This episode was brought to you by

Headlines

OpenSMTPD for the whole family

• Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
• This article talks about configuring a home mail server too, but even for the other people you live with
• After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
• If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
• In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box ***

NetBSD on the Edgerouter Lite

• We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
• The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
• A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
• The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
• OpenBSD and FreeBSD also have some support for these devices ***

Bitrig at NYC*BUG

• The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
• John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
• He talks about what they've been up to lately, why they're doing what they're doing, difference in supported platforms
• Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences ***

OPNsense, meet HardenedBSD

• Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
• Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
• Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
• We'll cover more news on the collaboration as it comes out ***

Interview - Mike Larkin - mlarkin@openbsd.org / @mlarkin2012

Memory protections in OpenBSD: W^X, ASLR, PIE, SSP

News Roundup

A closer look at FreeBSD

• The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
• This time, it's a high-level overview of FreeBSD, some of its features and where it's used
• Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
• If you have any BSD-curious Linux friends, this might be a good one to send to them ***

Linksys NSLU2 and NetBSD

• The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
• "About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
• After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
• If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there ***

OpenBSD disklabel templates

• We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
• With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
• This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
• Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily ***

FreeBSD native ARM builds

• FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
• Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
• This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen ***

Feedback/Questions

• Sean writes in
• Ron writes in
• Charles writes in
• Bostjan writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2015 call for papers

• The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
• According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
• If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
• You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
• We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you submit a proposal (or two)
• Check the announcement for all the specific details and requirements
• If your talk gets accepted, the conference even pays for your travel expenses ***

Making security sausage

• Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
• "Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
• The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
• It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
• Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
• The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
• Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
• It was because of this that FreeBSD actually had to release a security update to their security update
• He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem." ***

Running FreeBSD on the server, a sysadmin speaks

• More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
• ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
• They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
• It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
• If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you ***

NetBSD ported to Hardkernel ODROID-C1

• In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
• This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
• There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
• More info can be found on their wiki page
• After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device ***

Interview - Bernard Spil - brnrd@freebsd.org / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

• If you're using pf on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
• This article will show you how to get set up with Gource for a cinematic-like experience
• If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
• When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
• One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity ***

pkgng 1.5.0 alpha1 released

• The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
• This update introduces support for provides/requires, something that we've been wanting for a long time
• It will also now print which package is the reason for direct dependency change
• Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
• Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
• DragonFly will also likely pick up this update once it's marked stable ***

Welcome to OpenBSD

• We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
• The slides from that talk are now online, and they've been generating quite a bit of discussion online
• It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
• Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
• As you may know, NetBSD has almost 60 supported platforms and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms over 13 CPU architectures, "it probably runs OpenBSD"
• No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
• Try to guess which font he used... ***

BSDTalk episode 252

• And somehow Brian has snuck himself into another news item this week
• He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
• If that sounds familiar, it's probably because we did the same thing, albeit with a different member of their team
• In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
• They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself ***

Feedback/Questions

• Christian writes in
• Stefan writes in
• Possnfiffer writes in
• Ruudsch writes in
• Shane writes in ***

Mailing List Gold

• Accidental support
• Larry's tears
• The boy who sailed with BSD ***

This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates

• For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
• This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
• It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
• If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
• OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version ***

Mounting removable media with autofs

• The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
• It's written by one of the autofs developers, and he details his work on creating and using the utility
• "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
• He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
• It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
• There's also some more advanced bonus material on GEOM classes and all the more technical details ***

The Tor Browser on BSD

• The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
• Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
• It has, however, only been released for Windows, OS X and Linux - no BSD version
• "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
• Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
• If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) ***

OpenSSH 6.8 released

• Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
• Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
• This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
• Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
• You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
• The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
• Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers ***

NetBSD at AsiaBSDCon

• The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
• It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
• There was a grand total of 34 different NetBSD gadgets on display at the event ***

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix

News Roundup

HardenedBSD introduces Integriforce

• A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
• By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
• HardenedBSD has introduced a similar mechanism into their "secadm" utility
• You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
• They're looking for some more extensive testing of this new feature ***

More s2k15 hackathon reports

• A couple more Australian hackathon reports have poured in since the last time
• The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
• He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
• Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
• Ted Unangst also sent in a report to detail what he hacked on at the event
• With a strong focus on improving SMP scalability, he tackled the virtual memory layer
• His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
• All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities ***

DragonFly 4.0.4 and IPFW3

• DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
• It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
• There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
• Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision) ***

NetBSD gets Raspberry Pi 2 support

• NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
• There are -current snapshots available for download, and multiprocessor support is also on the way
• The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
• The usual Hacker News discussion on the subject
• If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it ***

OpenIKED as a VPN gateway

• In our first discussion segment, we talked about a few different ways to tunnel your traffic
• While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
• This article should help fill that gap - it walks you through the complete IKED setup
• From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all ***

Feedback/Questions

• Gary writes in
• Robert writes in
• Joris writes in
• Mike writes in
• Anders writes in ***

Mailing List Gold

• Can you hear me now
• He must be GNU here
• I've seen some... ***

This episode was brought to you by

Special segment

Demystifying Boot Environments in PC-BSD

Interview - Justin Gibbs - gibbs@freebsd.org / @freebsdfndation

The FreeBSD foundation's 15th anniversary

Discussion

The story of PC-BSD