BSD Now - Episodes Tagged with “Relayd”

532: 2^18 dollars sponsorship

JT Pennington — Thu, 09 Nov 2023 10:00:00 -0500

2¹⁸ dollars to open source, EuroBSDCon 2023 Trip Report, FreeBSD vs Linux (Debian), Introduction to sysclean8, Run your own Syncthing discovery server on OpenBSD, FreeBSD years: 2000-2005, Using OpenBSD relayd(8) as an Application Layer Gateway, and more

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

2¹⁸ dollars to open source

Special Thanks to Colin for supporting BSD Now for over 10 years! *** ### EuroBSDCon 2023 Trip Report – Bojan Novković *** ### FreeBSD vs Linux (Debian) ***

News Roundup

Introduction to sysclean8

Run your own Syncthing discovery server on OpenBSD

My FreeBSD years: 2000-2005

Using OpenBSD relayd(8) as an Application Layer Gateway

Beastie Bits

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Join us and other BSD Fans in our BSD Now Telegram channel

467: Minecraft on NetBSD

JT Pennington — Thu, 11 Aug 2022 03:00:00 -0400

Installing BSDs on Cubieboard1, Self-hosting a static site with OpenBSD, httpd, and relayd, NetBSD can also run a Minecraft server, A Little Story About the yes Unix Command, Shell History: Unix, OpenBGPD 7.5 released, and more

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Installing BSDs on Cubieboard1

Self-hosting a static site with OpenBSD, httpd, and relayd

News Roundup

NetBSD can also run a Minecraft server

A Little Story About the `yes` Unix Command

Shell History: Unix

OpenBGPD 7.5 released

Beastie Bits

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

344: Grains of Salt

JT Pennington — Thu, 02 Apr 2020 08:00:00 -0400

Shell text processing, data rebalancing on ZFS mirrors, Add Security Headers with OpenBSD relayd, ZFS filesystem hierarchy in ZFS pools, speeding up ZSH, How Unix pipes work, grow ZFS pools over time, the real reason ifconfig on Linux is deprecated, clear your terminal in style, and more.

Headlines

Text processing in the shell

> This article is part of a self-published book project by Balthazar Rouberol and Etienne Brodu, ex-roommates, friends and colleagues, aiming at empowering the up and coming generation of developers. We currently are hard at work on it!

> One of the things that makes the shell an invaluable tool is the amount of available text processing commands, and the ability to easily pipe them into each other to build complex text processing workflows. These commands can make it trivial to perform text and data analysis, convert data between different formats, filter lines, etc.

> When working with text data, the philosophy is to break any complex problem you have into a set of smaller ones, and to solve each of them with a specialized tool.

Rebalancing data on ZFS mirrors

> One of the questions that comes up time and time again about ZFS is “how can I migrate my data to a pool on a few of my disks, then add the rest of the disks afterward?”

> If you just want to get the data moved and don’t care about balance, you can just copy the data over, then add the new disks and be done with it. But, it won’t be distributed evenly over the vdevs in your pool.

> Don’t fret, though, it’s actually pretty easy to rebalance mirrors. In the following example, we’ll assume you’ve got four disks in a RAID array on an old machine, and two disks available to copy the data to in the short term.

News Roundup

Using OpenBSD relayd to Add Security Headers

> I am a huge fan of OpenBSD’s built-in httpd server as it is simple, secure, and quite performant. With the modern push of the large search providers pushing secure websites, it is now important to add security headers to your website or risk having the search results for your website downgraded. Fortunately, it is very easy to do this when you combine httpd with relayd. While relayd is principally designed for layer 3 redirections and layer 7 relays, it just so happens that it makes a handy tool for adding the recommended security headers. My website automatically redirects users from http to https and this gets achieved using a simple redirection in /etc/httpd.conf So if you have a configuration similar to mine, then you will still want to have httpd listen on the egress interface on port 80. The key thing to change here is to have httpd listen on 127.0.0.1 on port 443.

How we set up our ZFS filesystem hierarchy in our ZFS pools

> Our long standing practice here, predating even the first generation of our ZFS fileservers, is that we have two main sorts of filesystems, home directories (homedir filesystems) and what we call 'work directory' (workdir) filesystems. Homedir filesystems are called /h/NNN (for some NNN) and workdir filesystems are called /w/NNN; the NNN is unique across all of the different sorts of filesystems. Users are encouraged to put as much stuff as possible in workdirs and can have as many of them as they want, which mattered a lot more in the days when we used Solaris DiskSuite and had fixed-sized filesystems.

Speeding up ZSH

https://web.archive.org/web/20200315184849/https://blog.jonlu.ca/posts/speeding-up-zsh

> I was opening multiple shells for an unrelated project today and noticed how abysmal my shell load speed was. After the initial load it was relatively fast, but the actual shell start up was noticeably slow. I timed it with time and these were the results.

> In the future I hope to actually recompile zsh with additional profiling techniques and debug information - keeping an internal timer and having a flag output current time for each command in a tree fashion would make building heat maps really easy.

How do Unix Pipes work

> Pipes are cool! We saw how handy they are in a previous blog post. Let’s look at a typical way to use the pipe operator. We have some output, and we want to look at the first lines of the output. Let’s download The Brothers Karamazov by Fyodor Dostoevsky, a fairly long novel.

What we do to enable us to grow our ZFS pools over time

> In my entry on why ZFS isn't good at growing and reshaping pools, I mentioned that we go to quite some lengths in our ZFS environment to be able to incrementally expand our pools. Today I want to put together all of the pieces of that in one place to discuss what those lengths are.
> Our big constraint is that not only do we need to add space to pools over time, but we have a fairly large number of pools and which pools will have space added to them is unpredictable. We need a solution to pool expansion that leaves us with as much flexibility as possible for as long as possible. This pretty much requires being able to expand pools in relatively small increments of space.

Linux maintains bugs: The real reason ifconfig on Linux is deprecated

> In my third installment of FreeBSD vs Linux, I will discuss underlying reasons for why Linux moved away from ifconfig(8) to ip(8).

In the past, when people said, “Linux is a kernel, not an operating system”, I knew that was true but I always thought it was a rather pedantic criticism. Of course no one runs just the Linux kernel, you run a distribution of Linux. But after reviewing userland code, I understand the significant drawbacks to developing “just a kernel” in isolation from the rest of the system.

Clear Your Terminal in Style

> if you’re someone like me who habitually clears their terminal, sometimes you want a little excitement in your life. Here is a way to do just that.

> This post revolves around the idea of giving a command a percent chance of running. While the topic at hand is not serious, this simple technique has potential in your scripts.

Feedback/Questions

Guy - AMD GPU Help
MLShroyer13 - VLANs and Jails
Master One - ZFS Suspend/resume

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Your browser does not support the HTML5 video tag.

78: From the Foundation (Part 2)

JT Pennington — Wed, 25 Feb 2015 08:00:00 -0500

This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We've also got answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2015 schedule

The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
We also interviewed Dan Langille about the conference and what to expect this year, so check that out too ***

SSL interception with relayd

There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
It starts off with some backstory and some of the things relayd is capable of
relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
The post is very long, with lots of details and some sample config files - the whole nine yards ***

OPNsense 15.1.6.1 released

The OPNsense team has released yet another version in rapid succession, but this one has some big changes
It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling) ***

OpenBSD on a Minnowboard Max

What would our show be without at least one story about someone installing BSD on a weird device
For once, it's actually not NetBSD…
This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
Have a look at the spec sheet if you're interested, they make for cool little BSD boxes ***

Netmap for 40gbit NICs in FreeBSD

Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support
It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
This should make for some serious packet-pushing power
If you have any network hardware like this, he would appreciate testing for the new code ***

Interview - Ken Westerback - directors@openbsdfoundation.org

The OpenBSD foundation's activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
Ken was also busy, getting a few networking-related things fixed and improved in the base system
He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient ***

FreeBSD beginner video series

A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
So far, he's covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers
It should be an ongoing series with more topics to come ***

NetBSD tests: zero unexpected failures

The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
They've finally gotten the number of "expected" failures down to zero on a few select architectures
Results are published on a special release engineering page, so you can have a look if you're interested
The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch ***

PCBSD switches to IPFW

The PCBSD crew continues their recent series of switching between major competing features
This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall
Look forward to Kris wearing a "keep calm and use IPFW" shir- wait ***

Feedback/Questions

Mailing List Gold

VCS flamebait
Hidden agenda ***

48: Liberating SSL

JT Pennington — Wed, 30 Jul 2014 08:00:00 -0400

Coming up in this week's episode, we'll be talking with one of OpenBSD's newest developers - Brent Cook - about the portable version of LibreSSL and how it's developed. We've also got some information about the FreeBSD port of LibreSSL you might not know. The latest news and your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

FreeBSD has gotten quite a lot done this quarter
Changes in the way release branches are supported - major releases will get at least five years over their lifespan
A new automounter is in the works, hoping to replace amd (which has some issues)
The CAM target layer and RPC stack have gotten some major optimization and speed boosts
Work on ZFSGuru continues, with a large status report specifically for that
The report also mentioned some new committers, both source and ports
It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
"Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

Work has begun on a new HTTP daemon in the OpenBSD base system
A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
This has the added benefit of the usual, easy-to-understand syntax and privilege separation
There's a very brief man page online already
It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

The newest version of FreeBSD's second generation package management system has been released, with lots of new features
It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
Lots of the code has been sandboxed for extra security
You'll probably notice some new changes to the UI too, making things more user friendly
A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

A number of people have written in to ask us "how do I secure my BSD box after I install it?"
With this blog post, hopefully most of their questions will finally be answered in detail
It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
Not only does it just list things to do, but the post also does a good job of explaining why you should do them
Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

MWL's new book about the FreeBSD storage subsystems now has an early draft available
Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
You'll get access to the completed (e)book when it's done if you buy the early draft
The suggested price is $8 ***

Why BSD and not Linux?

Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
Lots of good responses from users of the various BSDs
Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

Following up from last week's huge list of hackathon reports, we have a few more
Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
The main topic of discussion is mandoc, which some users might not be familiar with
mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
We'll catch up to you soon, Will! ***

Feedback/Questions

Thomas writes in
Stephen writes in
Sha'ul writes in
Florian writes in
Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***