NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

It's time to say goodbye to the GPL

The trigger for this post is the reinstating of Richard Stallman, a very problematic character, to the board of the Free Software Foundation (FSF). I am appalled by this move, and join others in the call for his removal.
This occasion has caused me to reevaluate the position of the FSF in computing. It is the steward of the GNU project (a part of Linux distributions, loosely speaking), and of a family of software licenses centred around the GNU General Public License (GPL). These efforts are unfortunately tainted by Stallman’s behaviour. However, this is not what I actually want to talk about today.

---

runj: a new OCI Runtime for FreeBSD Jails

Today, I open-sourced runj, a new experimental, proof-of-concept OCI-compatible runtime for FreeBSD jails. For the past 6.5 years I’ve been working on Linux containers, but never really had much experience with FreeBSD jails. runj (pronounced “run jay”) is a vehicle for me to learn more about FreeBSD in general and jails in particular. With my position on the Technical Oversight Board of the Open Containers Initiative, I’m also interested in understanding how the OCI runtime specification can be adapted to other operating systems like FreeBSD.

---

News Roundup

A Bit of Xenix History

From 1986 to 1989, I worked in the Xenix1 group at Microsoft. It was my first job out of school, and I was the most junior person on the team. I was hopelessly naive, inexperienced, generally clueless, and borderline incompetent, but my coworkers were kind, supportive and enormously forgiving – just a lovely bunch of folks.

---

On Updating QEMU's bsd-user fork

---

FreeBSD 13 on a 12 year old laptop

My old (2009) HP laptop now runs FreeBSD 13.0-RELEASE.

---

Beastie Bits

• Registration is now open for the June 2021 #FreeBSD Developers Summit
• 6.0RC1 images available
• Lexical File Names in Plan 9 or Getting Dot-Dot Right
• The history of UTF-8 as told by Rob Pike
• Initial Support for the riscv64 Architecture *** ###Tarsnap
• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Hamza - Congrats on 400
• Renato - DTS and ContainerD
• Rob - Music

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

• We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
• It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

• W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
• It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
• More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

• We've covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it's "not very pretty"
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
• There's also a new graphical frontend available for it ***

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in ***

Mailing List Gold

• Wait, a real one?
• What's that glowing... ***

This episode was brought to you by

Headlines

Bitrig 1.0 released

• If you haven't heard of it, Bitrig is a fork of OpenBSD that started a couple years ago
• According to their FAQ, some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support
• They've finally announced their first official release, 1.0
• This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version
• It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on black background
• One of the developers answered some questions about it on Hacker News too ***

Is it time to try BSD?

• Here we get a little peek into the Linux world - more and more people are considering switching
• On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD
• People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side
• This article explores some pros and cons of switching, and features opinions of various users ***

Poudriere 3.1 released

• One of the first things we ever covered on the show was poudriere, a tool with a funny name that's used to build binary packages from FreeBSD ports
• It's come a long way since then, and bdrewery and bapt have just announced a new major version
• This new release features a redesigned web interface to check on the status of your packages
• There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier
• It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now
• Check the full release notes for all the additions and bug fixes ***

Firewalling with OpenBSD's pf and pfsync

• A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync
• He uses pf to manage 60 internal networks with a single firewall
• The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated
• It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, synproxy handling and a lot more
• The second half of the presentation focuses on pfsync and carp for failover and redundancy
• With two BSD boxes running pfsync, you can actually patch your kernel and still stay connected to IRC ***

Interview - Patrick Wildt - patrick@bitrig.org / @bitrig

The initial release of Bitrig

News Roundup

Infrastructural enhancements at NYI

• The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done
• Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things
• There've been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there
• This blog post goes into detail about how those servers are used and details some of the network topology ***

The long tail of MD5

• Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern
• In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace
• Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect
• Some other places require a bit more care… ***

DragonFly cheat sheet

• If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier
• A user-created "cheat sheet" on the website lists some common answers to beginner questions
• The page features a walkthrough of the installer, some shell tips and workarounds for various issues
• At the end, it also has some things that new users can get involved with to help out ***

Experiences with an OpenBSD laptop

• A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that
• The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux
• In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad
• He even gives us a mention as a good place to learn more about BSD, thanks! ***

PC-BSD Updates

• A call for testing of a new update system has gone out
• Conversion to Qt5 for utils has taken place ***

Feedback/Questions

• Chris writes in
• AJ writes in
• Dan writes in
• Jeff writes in ***

Mailing List Gold

• Over 440% faster
• The PF conundrum (edit: Allan misspoke about PF performance during this segment, apologies.)
• Violating bad standards
• apt-get rid of systemd ***

This episode was brought to you by

Headlines

ALTQ removed from PF

• Kicking off our big PF episode...
• The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current
• There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf
• As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping
• After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem
• This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. ***

FreeBSD Quarterly Status Report

• The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks
• Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added
• We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team
• LOTS of details and LOTS of topics to cover, give it a read ***

OpenBSD's OpenSSL rewrite continues with m2k14

• A mini OpenBSD hackathon begins in Morocco, Africa
• You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning
• We've got two trip reports so far, hopefully we'll have some more to show you in a future episode
• You can see some of the more interesting quotes from the tear-down or see everything
• Apparently they are going to call the fork "LibreSSL" ....
• What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy!
• We also got some mainstream news coverage and another post from Ted about the history of the fork
• Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too ***

NetBSD 6.1.4 and 6.0.5 released

• New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes
• The main update is - of course - the heartbleed vulnerability
• Also includes fixes for other security issues and even a kernel panic... on Atari
• Patch your Ataris right now, this is serious business ***

Interview - Peter Hansteen - peter@bsdly.net / @pitrh

The Book of PF: 3rd edition

Tutorial

BSD Firewalls: PF

News Roundup

New Xorg now the default in FreeBSD

• For quite a while now, FreeBSD has had two versions of X11 in ports
• The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf
• They've finally made the switch for 10-STABLE and 9-STABLE
• Check this wiki page for more info ***

GSoC-accepted BSD projects

• The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned
• OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon
• The FreeBSD list was also posted
• Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more
• Good luck to all the students participating, hopefully they become full time BSD users ***

Complexity of FreeBSD VFS using ZFS as an example

• HybridCluster posted the second part of their VFS and ZFS series
• This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy
• Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff ***

PCBSD weekly digest

• Preload has been ported over, it's a daemon that prefetches applications
• PCBSD is developing their own desktop environment, Lumina (there's also an FAQ)
• It's still in active development, but you can try it out by installing from ports
• We'll be showing a live demo of it in a few weeks (when development settles down a bit)
• Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***