This episode was brought to you by

Headlines

BSDCan and pkgsrcCon videos

• Even more BSDCan 2015 videos are slowly but surely making their way to the internet
• Nigel Williams, Multipath TCP for FreeBSD
• Stephen Bourne, Early days of Unix and design of sh
• John Criswell, Protecting FreeBSD with Secure Virtual Architecture
• Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
• John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
• Sevan Janiyan, Adventures in building open source software
• And finally, the BSDCan 2015 closing
• Some videos from this year's pkgsrcCon are also starting to appear online
• Sevan Janiyan, A year of pkgsrc 2014 - 2015
• Pierre Pronchery, pkgsrc meets pkg-ng
• Jonathan Perkin, pkgsrc at Joyent
• Jörg Sonnenberger, pkg_install script framework
• Benny Siegert, New Features in BulkTracker
• This is the first time we've ever seen recordings from the conference - hopefully they continue this trend ***

OPNsense 15.7 released

• The OPNsense team has released version 15.7, almost exactly six months after their initial debut
• In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
• Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
• The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
• Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
• Shortly afterwards, 15.7.1 was released with a few more small fixes ***

NetBSD at Open Source Conference 2015 Okinawa

• If you liked last week's episode then you'll probably know what to expect with this one
• The NetBSD users group of Japan hit another open source conference, this time in Okinawa
• This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
• We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con? ***

OpenBSD BGP and VRFs

• "VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
• This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
• With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
• The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
• Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
• The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts ***

Interview - Lee Sharp - lee@smallwall.org

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

• We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
• They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
• Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
• Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
• The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
• In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
• With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
• Look forward to the upcoming "Solaris Now" podcast _{(not really)} ***

EuroBSDCon 2015 talks and tutorials

• This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
• The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
• It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
• There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
• Registration for the event will be opening very soon (likely this week or next) ***

Using ZFS replication to improve offsite backups

• If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
• This article covers doing just that, but with a focus on making use of the replication capability
• It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
• Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
• Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
• One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important ***

Block encryption in OpenBSD

• We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
• This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
• It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
• The encrypted container method offers the advantage of being a bit more portable across installations than other ways ***

Docker hits FreeBSD ports

• The inevitable has happened, and an early FreeBSD port of docker is finally here
• Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
• There was also some Hacker News discussion on the topic ***

Microsoft donates to OpenSSH

• We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
• With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
• They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this ***

Feedback/Questions

• Joe writes in
• Mike writes in
• Randy writes in
• Tony writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

Solaris' networking future is with OpenBSD

• A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
• It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
• For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
• What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
• This blog post goes through some of the backstory of the two firewalls
• PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
• "Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
• You're welcome, Oracle ***

BAFUG discussion videos

• The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
• Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
• Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
• Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
• The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
• If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime ***

More than just a makefile

• If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
• This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
• As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
• The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
• After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community
• This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News) ***

Securing your home fences

• Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
• We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now
• In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
• He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
• The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
• Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
• If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
• We love super-detailed guides like this, so everyone should write more and send them to us immediately ***

Interview - Pascal Stumpf - pascal@openbsd.org

Static PIE in OpenBSD

News Roundup

LLVM's new libFuzzer

• We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
• It looks like LLVM is going to have their own fuzzing tool too now
• The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
• With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future ***

HardenedBSD upgrades secadm

• The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
• We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root)
• Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now ***

RAID5 returns to OpenBSD

• OpenBSD's softraid subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while
• However, it was exactly that - experimental - and required a recompile to enable
• With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
• Now it's on by default, and there's a call for testing being put out, so grab a snapshot and put the code through its paces
• The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the "do you want to enable DUIDs?" question entirely ***

pkgng 1.5.0 released

• Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
• The "provides" and "requires" support is finally in a regular release
• A new "-r" switch will allow for direct installation to a chroot or alternate root directory
• Memory usage should be much better now, and some general code speed-ups were added
• This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that
• Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) ***

p2k15 hackathon reports

• There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work
• As usual, the developers sent in reports of some of the things they got done at the event
• Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
• Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports
• Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier ***

Feedback/Questions

• Shaun writes in
• Hrishi writes in
• Randy writes in
• Zach writes in
• Ben writes in ***

Mailing List Gold

• Gstreamer hates us
• At least he's honest
• I find myself in a situation ***

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

• We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
• It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

• W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
• It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
• More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

• We've covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it's "not very pretty"
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
• There's also a new graphical frontend available for it ***

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in ***

Mailing List Gold

• Wait, a real one?
• What's that glowing... ***

This episode was brought to you by

Headlines

More BSD presentation videos

• The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
• Corey Vixie, Web Apps in Embedded BSD
• Allan Jude, UCL config
• Kip Macy, iflib
• While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
• This year's ruBSD will be on December 13th in Moscow
• Also, the BSDCan call for papers is out, and the event will be in June next year
• Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." ***

BSD-powered digital library in Africa

• You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
• With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
• They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
• The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

• With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
• 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
• All these things have taken more time than previously expected
• The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

• A few threads on caught our attention this week, all about hardware recommendations for BSD setups
• In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
• Everyone gave some good recommendations for low power, Atom-based systems
• The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
• For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
• If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

• Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
• After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
• In the comments, a lot of new switchers offer some advice and reading material
• If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

• Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
• This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
• Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
• The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

• a.out is the old executable format for Unix
• The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
• FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
• A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
• However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
• HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
• Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

• Boris writes in
• Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
• Chris writes in
• Robert writes in
• Jake writes in ***

Mailing List Gold

• Real world authpf use
• The great perl event of 2014 ***