This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates

• For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
• This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
• It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
• If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
• OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version ***

Mounting removable media with autofs

• The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
• It's written by one of the autofs developers, and he details his work on creating and using the utility
• "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
• He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
• It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
• There's also some more advanced bonus material on GEOM classes and all the more technical details ***

The Tor Browser on BSD

• The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
• Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
• It has, however, only been released for Windows, OS X and Linux - no BSD version
• "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
• Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
• If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) ***

OpenSSH 6.8 released

• Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
• Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
• This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
• Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
• You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
• The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
• Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers ***

NetBSD at AsiaBSDCon

• The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
• It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
• There was a grand total of 34 different NetBSD gadgets on display at the event ***

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix

News Roundup

HardenedBSD introduces Integriforce

• A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
• By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
• HardenedBSD has introduced a similar mechanism into their "secadm" utility
• You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
• They're looking for some more extensive testing of this new feature ***

More s2k15 hackathon reports

• A couple more Australian hackathon reports have poured in since the last time
• The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
• He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
• Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
• Ted Unangst also sent in a report to detail what he hacked on at the event
• With a strong focus on improving SMP scalability, he tackled the virtual memory layer
• His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
• All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities ***

DragonFly 4.0.4 and IPFW3

• DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
• It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
• There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
• Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision) ***

NetBSD gets Raspberry Pi 2 support

• NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
• There are -current snapshots available for download, and multiprocessor support is also on the way
• The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
• The usual Hacker News discussion on the subject
• If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it ***

OpenIKED as a VPN gateway

• In our first discussion segment, we talked about a few different ways to tunnel your traffic
• While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
• This article should help fill that gap - it walks you through the complete IKED setup
• From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all ***

Feedback/Questions

• Gary writes in
• Robert writes in
• Joris writes in
• Mike writes in
• Anders writes in ***

Mailing List Gold

• Can you hear me now
• He must be GNU here
• I've seen some... ***

This episode was brought to you by

Headlines

Password gropers take spamtrap bait

• Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
• He seems to have discovered another new weird phenomenon in his pop3 logs
• "yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia"
• Someone tried to log in to his service with an address that was known to be invalid
• The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose ***

Inside the Atheros wifi chipset

• Adrian Chadd - sometimes known in the FreeBSD community as "the wireless guy" - gave a talk at the Defcon Wireless Village 2014
• He covers a lot of topics on wifi, specifically on Atheros chips and why they're so popular for open source development
• There's a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
• Very technical talk; some parts might go over your head if you're not a driver developer
• The raw video file is also available to download on archive.org
• Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things ***

Trip report and hackathon mini-roundup

• A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
• Mark Linimon mentions some of the future plans for FreeBSD's release engineering and ports
• Bapt also has a BSDCan report detailing his work on ports and packages
• Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
• Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
• Christian Weisgerber talks about starting some initial improvements of OpenBSD's ports infrastructure ***

DragonFly BSD 3.8.2 released

• Although it was already branched, the release media is now available for DragonFly 3.8.2
• This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
• It also includes some various other small fixes ***

Interview - Eric Le Blan - info@xinuos.com

Xinuos' recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

• Back in episode 39, we covered a blog post about creating an OpenBSD gateway - partly based on our tutorial
• This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
• He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
• The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc. ***

Don't encrypt all the things

• Another couple of interesting blog posts from Ted Unangst about encryption
• It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
• After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
• He also talks a bit about some PGP weaknesses and a possible future replacement
• He also has another, similar post entitled "in defense of opportunistic encryption" ***

New automounter lands in FreeBSD

• The work on the new automounter has just landed in 11-CURRENT
• With help from the FreeBSD Foundation, we'll have a new "autofs" kernel option
• Check the SVN viewer online to read over the man pages if you're not running -CURRENT
• You can also read a bit about it in the recent newsletter ***

OpenSSH 6.7 CFT

• It's been a little while since the last OpenSSH release, but 6.7 is almost ready
• Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
• It includes some old code removal, some new features and some internal reworkings - we'll cover the full list in detail when it's released
• This version also officially supports being built with LibreSSL now
• Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system ***

Feedback/Questions

• David writes in
• Lachlan writes in
• Francis writes in
• Frank writes in
• Sean writes in ***