NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Why Self-host?

Advanced ZFS Dataset Management: Snapshots, Clones, and Bookmarks

News Roundup

Building a Simple Router with OpenBSD

Minimal pkgbase jails / chroots

WSL-For-FreeBSD

Yubico yubikey 5 nfc on FreeBSD

The Q3 2025 Issue of the FreeBSD Journal is Now Available

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

zipbomb defeated

Optimizing ZFS for High-Throughput Storage Workloads

News Roundup

Open Source is one person

Omada SDN Controller on FreeBSD

Back to the origins

Google Summer of Code 2025 Reports: Enhancing Support for NAT64 Protocol Translation in NetBSD

Undeadly Bits

• j2k25 - OpenBSD Hackathon Japan 2025
• OpenSSH will now adapt IP QoS to actual sessions and traffic
• Preliminary support for Raspberry Pi 5
• OpenBSD enters 7.8-beta
• Full BSDCan 2025 video playlist(s) available
• OpenBGPD 8.9 released

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Brad - a few things

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Choosing The Right ZFS Pool Layout

Recent and not so recent changes in OpenBSD that make life better (and may turn up elsewhere too)

News Roundup

GhostBSD 21.09.06 ISO's now available

Fair Internet bandwidth management on a network using OpenBSD

NetBSD wifi router project update

• Bonus NetBSD Recent Developments: NetBSD on the Apple M1 *** ### HardenedBSD August 2021 Status Report ### FreeBSD Journal July/August 2021: Desktop/Wireless *** ### Tarsnap
• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• James - backup question
• Jonathon - certifications
• Marty - RPG CLI ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

OpenBSD has to be a BSD Unix and you couldn't duplicate it with Linux

OpenBSD has a well deserved reputation for putting security and a clean system (for code, documentation, and so on) first, and everything else second. OpenBSD is of course based on BSD (it's right there in the name) and descends from FreeBSD NetBSD (you can read the history here). But one of the questions you could ask about it is whether it had to be that way, and in particular if you could build something like OpenBSD on top of Linux. I believe that the answer is no.

Linux and the *BSDs have a significantly different model of what they are. BSDs have a 'base system' that provides an integrated and fully operational core Unix, covering the kernel, C library and compiler, and the normal Unix user level programs, all maintained and distributed by the particular BSD. Linux is not a single unit this way, and instead all of the component parts are maintained separately and assembled in various ways by various Linux distributions. Both approaches have their advantages, but one big one for the BSD approach is that it enables global changes.

Making global changes is an important part of what makes OpenBSD's approach to improving security, code maintenance, and so on work. Because it directly maintains everything as a unit, OpenBSD is in a position to introduce new C library or kernel APIs (or change them) and then immediately update all sorts of things in user level programs to use the new API. This takes a certain amount of work, of course, but it's possible to do it at all. And because OpenBSD can do this sort of ambitious global change, it does.

This goes further than just the ability to make global changes, because in theory you can patch in global changes on top of a bunch of separate upstream projects. Because OpenBSD is in control of its entire base system, it's not forced to try to reconcile different development priorities or integrate clashing changes. OpenBSD can decide (and has) that only certain sorts of changes will be accepted into its system at all, no matter what people want. If there are features or entire programs that don't fit into what OpenBSD will accept, they just lose out.

FreeBSD Quarterly Status Report 2019Q4

Here is the last quarterly status report for 2019. As you might remember from last report, we changed our timeline: now we collect reports the last month of each quarter and we edit and publish the full document the next month. Thus, we cover here the period October 2019 - December 2019.

If you thought that the FreeBSD community was less active in the Christmas' quarter you will be glad to be proven wrong: a quick glance at the summary will be sufficient to see that much work has been done in the last months.

Have a nice read!

News Roundup

OPNsense 19.7.9 released

As 20.1 nears we will be making adjustments to the scope of the release with an announcement following shortly.

For now, this update brings you a GeoIP database configuration page for aliases which is now required due to upstream database policy changes and a number of prominent third-party software updates we are happy to see included.

Archives are important to retain and pass on knowledge

Archives are important. When they are public and available for searching, it retains and passes on knowledge. It saves vast amounts of time.

HardenedBSD Tor Onion Service v3 Nodes

I've been working today on deploying Tor Onion Service v3 nodes across our build infrastructure. I'm happy to announce that the public portion of this is now completed. Below you will find various onion service hostnames and their match to our infrastructure.

• hardenedbsd.org: lkiw4tmbudbr43hbyhm636sarn73vuow77czzohdbqdpjuq3vdzvenyd.onion
• ci-01.nyi.hardenedbsd.org: qspcqclhifj3tcpojsbwoxgwanlo2wakti2ia4wozxjcldkxmw2yj3yd.onion
• ci-03.md.hardenedbsd.org: eqvnohly4tjrkpwatdhgptftabpesofirnhz5kq7jzn4zd6ernpvnpqd.onion
• ci-04.md.hardenedbsd.org: rfqabq2w65nhdkukeqwf27r7h5xfh53h3uns6n74feeyl7s5fbjxczqd.onion
• git-01.md.hardenedbsd.org: dacxzjk3kq5mmepbdd3ai2ifynlzxsnpl2cnkfhridqfywihrfftapid.onion

Beastie Bits

• The Missing Semester of Your CS Education (MIT Course)
• An old Unix Ad
• OpenBSD syscall call-from verification
• OpenBSD/arm64 on Pinebook
• Reminder: First Southern Ontario BSD user group meeting, February 11th (this coming Tuesday!) 18:30 at Boston Pizza on Upper James st, Hamilton.
• NYCBUG: March meeting will feature Dr. Paul Vixie and his new talk “Operating Systems as Dumb Pipes”
• 8th Meetup of the Stockholm BUG: March 3 at 18:00
• Polish BSD User Group meets on Feb 11, 2020 at 18:15

Feedback/Questions

• Sean - ZFS and Creation Dates
• Christopher - Help on ZFS Disaster Recovery
• Mike - Encrypted ZFS Send

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

• If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
• It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
• This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
• In part two of the series, he talks about the GPIO and how you can configure it
• Part three is still in the works, so check the site later on for further progress and info ***

The modern OpenBSD home router

• In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
• "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
• Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
• This guide also covers PPP and IPv6, in case you have those requirements
• In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
• He also has a separate post for setting up an IPSEC VPN on the router ***

NetBSD at Open Source Conference 2015 Kansai

• The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
• They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
• Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
• They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
• And what conference would be complete without an LED-powered towel ***

OpenSSH 7.0 released

• The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
• SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
• The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
• If you're using an older configuration file, the "without-password" option still works, so no change is required
• You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
• Various bug fixes and documentation improvements are also included
• Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
• In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled ***

Interview - Peter Toth - peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

• A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
• Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
• He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
• Renato Westphal sent in a report of his very first hackathon
• He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
• Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
• His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
• There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well ***

FreeBSD jails, the hard way

• As you learned from our interview this week, there's quite a selection of tools available to manage your jails
• This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
• Unlike with iocage, ZFS isn't actually a requirement for this method
• If you are using it, though, you can make use of snapshots for making template jails ***

OpenSSH hardware tokens

• We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
• This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
• It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
• Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too ***

LibreSSL 2.2.2 released

• The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
• At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
• SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
• Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
• It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well ***

Feedback/Questions

• James writes in
• Stuart writes in ***

This episode was brought to you by

Headlines

BSDCan and pkgsrcCon videos

• Even more BSDCan 2015 videos are slowly but surely making their way to the internet
• Nigel Williams, Multipath TCP for FreeBSD
• Stephen Bourne, Early days of Unix and design of sh
• John Criswell, Protecting FreeBSD with Secure Virtual Architecture
• Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
• John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
• Sevan Janiyan, Adventures in building open source software
• And finally, the BSDCan 2015 closing
• Some videos from this year's pkgsrcCon are also starting to appear online
• Sevan Janiyan, A year of pkgsrc 2014 - 2015
• Pierre Pronchery, pkgsrc meets pkg-ng
• Jonathan Perkin, pkgsrc at Joyent
• Jörg Sonnenberger, pkg_install script framework
• Benny Siegert, New Features in BulkTracker
• This is the first time we've ever seen recordings from the conference - hopefully they continue this trend ***

OPNsense 15.7 released

• The OPNsense team has released version 15.7, almost exactly six months after their initial debut
• In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
• Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
• The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
• Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
• Shortly afterwards, 15.7.1 was released with a few more small fixes ***

NetBSD at Open Source Conference 2015 Okinawa

• If you liked last week's episode then you'll probably know what to expect with this one
• The NetBSD users group of Japan hit another open source conference, this time in Okinawa
• This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
• We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con? ***

OpenBSD BGP and VRFs

• "VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
• This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
• With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
• The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
• Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
• The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts ***

Interview - Lee Sharp - lee@smallwall.org

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

• We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
• They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
• Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
• Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
• The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
• In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
• With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
• Look forward to the upcoming "Solaris Now" podcast _{(not really)} ***

EuroBSDCon 2015 talks and tutorials

• This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
• The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
• It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
• There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
• Registration for the event will be opening very soon (likely this week or next) ***

Using ZFS replication to improve offsite backups

• If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
• This article covers doing just that, but with a focus on making use of the replication capability
• It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
• Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
• Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
• One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important ***

Block encryption in OpenBSD

• We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
• This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
• It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
• The encrypted container method offers the advantage of being a bit more portable across installations than other ways ***

Docker hits FreeBSD ports

• The inevitable has happened, and an early FreeBSD port of docker is finally here
• Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
• There was also some Hacker News discussion on the topic ***

Microsoft donates to OpenSSH

• We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
• With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
• They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this ***

Feedback/Questions

• Joe writes in
• Mike writes in
• Randy writes in
• Tony writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted a report of the activities that went on between January and March of this year
• As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
• The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
• The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
• FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
• Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
• Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
• Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
• Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
• The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
• ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executable
• The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
• Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) ***

OpenBSD 5.7 released

• OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
• In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
• If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
• Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
• The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
• Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
• Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
• BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
• Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
• This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
• Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
• Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
• There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
• Consider picking one up to support the project (and it's the only way to get puffy stickers)
• For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now... ***

Tor-BSD diversity project

• We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
• A new initiative has started to do just that, called the Tor-BSD diversity project
• "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
• In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
• There's an additional progress report for that part specifically, and it looks like most of the work is done now
• Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
• If you've been considering running a node to help out, there's always our handy tutorial on getting set up ***

PC-BSD 10.1.2-RC1 released

• If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
• This quarterly update includes a number of new features, improvements and even some additional utilities
• PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
• A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
• Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
• IPFW is now the default firewall, offering improved VIMAGE capabilities
• The life preserver backup tool now allows for bare-metal restores via the install CD
• ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
• It also includes the latest Lumina desktop, and there's another post dedicated to that
• Binary packages have also been updated to fresh versions from the ports tree
• More details, including upgrade instructions, can be found in the linked blog post ***

Interview - Ed Schouten - ed@freebsd.org / @edschouten

CloudABI

News Roundup

Open Household Router Contraption

• This article introduces OpenHRC, the "Open Household Router Contraption"
• In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
• It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
• Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
• All the code is open source and on Github, so you can read through what's actually being changed and put in place
• There's also a video guide to the entire process, if you're more of a visual person ***

OPNsense 15.1.10 released

• Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
• 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
• Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree
• Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
• NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
• Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs ***

IBM Workpad Z50 and NetBSD

• Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
• Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
• You can probably tell where this is going... the article is about installing NetBSD it
• "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
• The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
• He's also got a couple videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) ***

FreeBSD from the trenches

• The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
• In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
• While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
• Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool ***

Broadwell in DragonFly

• DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
• Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
• It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being ***

Feedback/Questions

• Bostjan writes in
• Hunter writes in
• Hrishi writes in
• Clint writes in
• Sergei writes in ***

Mailing List Gold

• How did you guess ***

This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates

• For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
• This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
• It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
• If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
• OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version ***

Mounting removable media with autofs

• The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
• It's written by one of the autofs developers, and he details his work on creating and using the utility
• "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
• He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
• It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
• There's also some more advanced bonus material on GEOM classes and all the more technical details ***

The Tor Browser on BSD

• The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
• Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
• It has, however, only been released for Windows, OS X and Linux - no BSD version
• "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
• Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
• If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) ***

OpenSSH 6.8 released

• Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
• Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
• This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
• Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
• You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
• The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
• Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers ***

NetBSD at AsiaBSDCon

• The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
• It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
• There was a grand total of 34 different NetBSD gadgets on display at the event ***

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix

News Roundup

HardenedBSD introduces Integriforce

• A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
• By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
• HardenedBSD has introduced a similar mechanism into their "secadm" utility
• You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
• They're looking for some more extensive testing of this new feature ***

More s2k15 hackathon reports

• A couple more Australian hackathon reports have poured in since the last time
• The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
• He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
• Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
• Ted Unangst also sent in a report to detail what he hacked on at the event
• With a strong focus on improving SMP scalability, he tackled the virtual memory layer
• His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
• All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities ***

DragonFly 4.0.4 and IPFW3

• DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
• It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
• There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
• Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision) ***

NetBSD gets Raspberry Pi 2 support

• NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
• There are -current snapshots available for download, and multiprocessor support is also on the way
• The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
• The usual Hacker News discussion on the subject
• If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it ***

OpenIKED as a VPN gateway

• In our first discussion segment, we talked about a few different ways to tunnel your traffic
• While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
• This article should help fill that gap - it walks you through the complete IKED setup
• From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all ***

Feedback/Questions

• Gary writes in
• Robert writes in
• Joris writes in
• Mike writes in
• Anders writes in ***

Mailing List Gold

• Can you hear me now
• He must be GNU here
• I've seen some... ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted an updated on some of their activities between October and December of 2014
• They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
• As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
• The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
• FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
• Git was promoted from beta to an officially-supported version control system (Kris is happy)
• The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
• Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
• Check out the full report for all the details that we didn't cover ***

OpenBSD package signature audit

• "Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
• They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
• The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
• Package signature formats and public key distribution methods are also touched on
• After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
• If you haven't seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this ***

Replacing a Linux router with BSD

• There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
• The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
• A lot of people were quick to recommend OPNsense and pfSense, being that they're very easy to administer (requiring basically no BSD knowledge at all)
• Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
• If you've been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through
• Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information ***

LibreSSL in FreeBSD and OPNsense

• A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
• The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
• OPNsense developers are looking into switching away from OpenSSL to LibreSSL's portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
• Some ports still need fixing to be compatible though, particularly a few python-related ones
• If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
• A lot of the work has already been done in OpenBSD's ports tree - some patches just need to be adopted
• More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it ***

Interview - David Maxwell - david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system

• A new project was launched to adapt FreeBSD jails to the "app container specification"
• While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
• It's a similar project to iocage or bsdploy, which we haven't talked a whole lot about
• There was also some discussion about it on Hacker News ***

Separating base and package binaries

• All of the main BSDs make a strong separation between the base system and third party software
• This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory
• A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
• Read the comments for the full explanation, but having things separated really helps keep things organized ***

Updated i915kms driver for FreeBSD

• This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward
• It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added ***

Year of the OpenBSD desktop

• Here we have an article about using OpenBSD as a daily driver for regular desktop usage
• The author says he "ran fifty thousand different distributions, never being satisfied"
• After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
• He also used FreeBSD between versions 7 and 9, finding a "a mostly harmonious environment," but regressions lead him to give up on desktop *nix once again
• Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201
• The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
• He apparently used our desktop tutorial - thanks for watching! ***

Unattended FreeBSD installation

• A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
• His goal was to have a setup similar to Redhat's "kickstart" or OpenBSD's autoinstall
• The article shows you how to set up DHCP and TFTP, with no NFS share setup required
• He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you ***

Feedback/Questions

• Robert writes in
• Sean writes in
• l33tname writes in
• Charlie writes in
• Eric writes in ***

Mailing List Gold

• Clowning around
• Better than succeeding in this case ***

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

• We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
• It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

• W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
• It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
• More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

• We've covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it's "not very pretty"
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
• There's also a new graphical frontend available for it ***

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in ***

Mailing List Gold

• Wait, a real one?
• What's that glowing... ***

This episode was brought to you by

Headlines

More BSD presentation videos

• The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
• Corey Vixie, Web Apps in Embedded BSD
• Allan Jude, UCL config
• Kip Macy, iflib
• While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
• This year's ruBSD will be on December 13th in Moscow
• Also, the BSDCan call for papers is out, and the event will be in June next year
• Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." ***

BSD-powered digital library in Africa

• You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
• With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
• They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
• The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

• With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
• 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
• All these things have taken more time than previously expected
• The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

• A few threads on caught our attention this week, all about hardware recommendations for BSD setups
• In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
• Everyone gave some good recommendations for low power, Atom-based systems
• The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
• For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
• If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

• Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
• After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
• In the comments, a lot of new switchers offer some advice and reading material
• If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

• Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
• This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
• Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
• The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

• a.out is the old executable format for Unix
• The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
• FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
• A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
• However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
• HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
• Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

• Boris writes in
• Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
• Chris writes in
• Robert writes in
• Jake writes in ***

Mailing List Gold

• Real world authpf use
• The great perl event of 2014 ***

This episode was brought to you by

Headlines

BSD Devroom CFP

• This year's FOSDEM conference (Belgium, Jan 31st - Feb 1st) is having a dedicated BSD devroom
• They've issued a call for papers on anything BSD-related, and we always love more presentations
• If you're in the Belgium area or plan on going, submit a talk about something cool you're doing
• There's also a mailing list and some more information in the original post ***

Bhyve SVM code merge

• The bhyve_svm code has been in the "projects" tree of FreeBSD, but is now ready for -CURRENT
• This changeset will finally allow bhyve to run on AMD CPUs, where it was previously limited to Intel only
• All the supported operating systems and utilities should work on both now
• One thing to note: bhyve doesn't support PCI passthrough on AMD just yet
• There may still be some issues though ***

NetBSD at Open Source Conference Tokyo

• The Japanese NetBSD users group held a booth at another recent open source conference
• As always, they were running NetBSD on everything you can imagine
• One of the users reports back to the mailing list on their experience, providing lots of pictures and links
• Here's an interesting screenshot of NetBSD running various other BSDs in Xen ***

More BSD switchers every day

• A decade-long Linux user is considering making the switch, and asks Reddit about the BSD community
• Tired of the pointless bickering he sees in his current community, he asks if the same problems exist over here and what he should expect
• So far, he's found that BSD people seem to act more level-headed about things, and are much more practical, whereas some FSF/GNU/GPL people make open source a religion
• There's also another semi-related thread about another Linux user wanting to switch to BSD because of systemd and GNU people
• There are some extremely well written and thought-out comments in the replies (in both threads), be sure to give them all a read
• Maybe the OPs should've just watched this show ***

Interview - Olivier Cochard-Labbé - olivier@cochard.me / @ocochardlabbe

The BSD Router Project

News Roundup

FreeBSD -CURRENT on a T420

• Thinkpads are quite popular with BSD developers and users
• Most of the hardware seems to be supported across the BSDs (especially wifi)
• This article walks through installing FreeBSD -CURRENT on a Thinkpad T420 with UEFI
• If you've got a Thinkpad, or especially this specific one, have a look at some of the steps involved ***

FreeNAS on a Supermicro 5018A-MHN4

• More and more people are migrating their NAS devices to BSD-based solutions
• In this post, the author goes through setting up FreeNAS on some of his new hardware
• His new rack-mounted FreeNAS machine has a low power Atom with eight cores and 64GB of RAM - quite a lot for its small form factor
• The rest of the post details all of the hardware he chose and goes through the build process (with lots of cool pictures) ***

Hardening procfs and linprocfs

• There was an exploit published recently for SFTP in OpenSSH, but it mostly just affected Linux
• There exists a native procfs in FreeBSD, which was the target point of that exploit, but it's not used very often
• The Linux emulation layer also supports its own linprocfs, which was affected as well
• The HardenedBSD guys weigh in on how to best solve the problem, and now support an additional protection layer from writing to memory with procfs
• If you want to learn more about ASLR and HardenedBSD, be sure to check out our interview with Shawn too ***

pfSense monitoring with bandwidthd

• A lot of people run pfSense on their home network, and it's really useful to monitor the bandwidth usage
• This article will walk you through setting up bandwidthd to do exactly that
• bandwidthd monitors based on the IP address, rather than per-interface
• It can also build some cool HTML graphs, and we love those pfSense graphs
• Have a look at our bandwidth monitoring and testing tutorial for some more ideas ***

Feedback/Questions

• Dave writes in
• Chris writes in
• Zeke writes in
• Bostjan writes in
• Patrick writes in ***

Mailing List Gold

• More old bugs
• The Right Font™ (see also) ***

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb's ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• "FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
• If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
• To make that process faster, they're building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch ***

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• "The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about... the food ***

FreeBSD disk partitioning

• For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in ***

This episode was brought to you by

Headlines

OpenBSD 5.5 released

• If you ordered a CD set then you've probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
• This is one of the biggest releases to date, with a very long list of changes and improvements
• Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes... and a lot more
• The full list of changes is HUGE, be sure to read through it all if you're interested in the details
• If you're doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
• Also be sure to apply the errata patches on your new installations... especially those OpenSSL ones (some of which still aren't fixed in the other BSDs yet)
• On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
• Congrats to the whole team on this great release - 5.6 is going to be even more awesome with "Libre"SSL and lots of other stuff that's currently in development ***

FreeBSD foundation funding highlights

• The FreeBSD foundation posts a new update on how they're spending the money that everyone donates
• "As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we've done to help FreeBSD become the most innovative, reliable, and high-performance operation system"
• During this spring, they want to highlight the new UEFI boot support and newcons
• There's a lot of details about what exactly UEFI is and why we need it going forward
• FreeBSD has also needed some updates to its console to support UTF8 and wide characters
• Hopefully this series will continue and we'll get to see what other work is being sponsored ***

OpenSSH without OpenSSL

• The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
• Since it won't have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
• This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES in counter mode and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
• Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
• No support for RSA, DSA or ECDSA public keys - only Ed25519
• It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
• Believe it or not, this was planned before all the heartbleed craziness
• Maybe someday soon we'll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc, would be really neat ***

BSDMag's April 2014 issue is out

• The free monthly BSD magazine has got a new issue available for download
• This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
• Anyone can contribute to the magazine, just send the editors an email about what you want to write
• No Linux articles this time around, good ***

Interview - David Chisnall - theraven@freebsd.org

The LLVM/Clang switch, FreeBSD's core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

• Our buddy Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest - mainly to talk about NTP and keeping reliable time
• Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and... much more
• GNN also talks a little about the Precision Time Protocol and how it's different than NTP
• Two people we've interviewed talking to each other, awesome
• If you're interested in NTP, be sure to see our tutorial too ***

m2k14 trip reports

• We've got a few more reports from the recent OpenBSD hackathon in Morocco
• The first one is from Antoine Jacoutot (who is a key GNOME porter and gave us the screenshots for the OpenBSD desktop tutorial)
• "Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do"
• He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports' compatibility with LibreSSL
• Speaking of LibreSSL, there's an article all would-be portable version writers should probably read and take into consideration
• Jasper Adriaanse also writes about what he got done over there
• He cleaned up and fixed the puppet port to work better with OpenBSD ***

Why you should use FreeBSD on your cloud VPS

• Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
• Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
• The 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
• The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS ***

PCBSD weekly digest

• Big changes coming in the way PCBSD manages software
• The PBI system, AppCafe and related tools are all going to use pkgng now
• The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
• New rating system coming soon and much more ***

Feedback/Questions

• Martin writes in
• John writes in
• Alex writes in
• Goetz writes in
• Jarrad writes in ***

This episode was brought to you by

Headlines

ALTQ removed from PF

• Kicking off our big PF episode...
• The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current
• There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf
• As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping
• After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem
• This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. ***

FreeBSD Quarterly Status Report

• The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks
• Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added
• We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team
• LOTS of details and LOTS of topics to cover, give it a read ***

OpenBSD's OpenSSL rewrite continues with m2k14

• A mini OpenBSD hackathon begins in Morocco, Africa
• You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning
• We've got two trip reports so far, hopefully we'll have some more to show you in a future episode
• You can see some of the more interesting quotes from the tear-down or see everything
• Apparently they are going to call the fork "LibreSSL" ....
• What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy!
• We also got some mainstream news coverage and another post from Ted about the history of the fork
• Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too ***

NetBSD 6.1.4 and 6.0.5 released

• New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes
• The main update is - of course - the heartbleed vulnerability
• Also includes fixes for other security issues and even a kernel panic... on Atari
• Patch your Ataris right now, this is serious business ***

Interview - Peter Hansteen - peter@bsdly.net / @pitrh

The Book of PF: 3rd edition

Tutorial

BSD Firewalls: PF

News Roundup

New Xorg now the default in FreeBSD

• For quite a while now, FreeBSD has had two versions of X11 in ports
• The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf
• They've finally made the switch for 10-STABLE and 9-STABLE
• Check this wiki page for more info ***

GSoC-accepted BSD projects

• The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned
• OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon
• The FreeBSD list was also posted
• Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more
• Good luck to all the students participating, hopefully they become full time BSD users ***

Complexity of FreeBSD VFS using ZFS as an example

• HybridCluster posted the second part of their VFS and ZFS series
• This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy
• Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff ***

PCBSD weekly digest

• Preload has been ported over, it's a daemon that prefetches applications
• PCBSD is developing their own desktop environment, Lumina (there's also an FAQ)
• It's still in active development, but you can try it out by installing from ports
• We'll be showing a live demo of it in a few weeks (when development settles down a bit)
• Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***

This episode was brought to you by

Headlines

OpenBSD on a Sun T5120

• Our buddy Ted Unangst got himself a cool Sun box
• Of course he had to write a post about installing and running OpenBSD on it
• The post goes through some of the quirks and steps to go through in case you're interested in one of these fine SPARC machines
• He's also got another post about OpenBSD on a Dell CS24-SC server ***

Bhyvecon 2014 videos are up

• Like we mentioned last week, Bhyvecon was an almost-impromptu conference before AsiaBSDCon
• The talks have apparently already been uploaded!
• Subjects include Bhyve's past, present and future, OSv on Bhyve, a general introduction to the tool, migrating those last few pesky Linux boxes to virtualization
• Lots more detail in the videos, so check 'em all out ***

Building a FreeBSD wireless access point

• We've got a new blog post about creating a wireless access point with FreeBSD
• After all the recent news of consumer routers being pwned like candy, it's time for people to start building BSD routers
• The author goes through a lot of the process of getting one set up using good ol' FreeBSD
• Using hostapd, he's able to share his wireless card in hostap mode and offer DHCP to all the clients
• Plenty of config files and more messy details in the post ***

Switching from Synology to FreeNAS

• The author has been considering getting a NAS for quite a while and documents his research
• He was faced with the compromise of convenience vs. flexibility - prebuilt or DIY
• After seeing the potential security issues with proprietary NAS devices, and dealing with frustration with trying to get bugs fixed, he makes the right choice
• The post also goes into some detail about his setup, all the things he needed a NAS to do as well as all the advantages an open source solution would give ***

Interview - Warren Block - wblock@freebsd.org

FreeBSD's documentation project, igor, doceng

Tutorial

The world of BSD mailing lists

News Roundup

HAMMER2 work and notes

• Matthew Dillon has posted some updated notes about the development of the new HAMMER version
• The start of a cluster API was committed to the tree
• There are also links to design document, a freemap design document, a changes list and a todo list ***

BSD Breaking Barriers

• Our friend MWL gave a talk at NYCBSDCon about BSD "breaking barriers"
• "What makes the BSD operating systems special? Why should you deploy your applications on BSD? Why does the BSD community keep growing, and why do Linux sites like DistroWatch say that BSD is where the interesting development work is happening? We'll cover the not-so-obvious reasons why BSD still stands tall after almost 40 years."
• He also has another upcoming talk, (or "webcast") called "Beyond Security: Getting to Know OpenBSD's Real Purpose"
• "OpenBSD is frequently billed as a high-security operating system. That's true, but security isn't the OpenBSD Project's main goal. This webcast will introduce systems administrators to OpenBSD, explain the project's mission, and discuss the features and benefits."
• It's on May 27th and will hopefully be recorded ***

FreeBSD in a chroot

• Finch, "FreeBSD running IN a CHroot," is a new project
• It's a way to extend the functionality of restricted USB-based FreeBSD systems (FreeNAS, etc.)
• All the details and some interesting use cases are on the github page
• He really needs to change the project name though ***

PCBSD weekly digest

• Lots of bugfixes for PCBSD coming down the tubes
• LZ4 compression is now enabled by default on the whole pool
• The latest 10-STABLE has been imported and builds are going
• Also the latest GNOME and Cinnamon builds have been imported and much more ***

Feedback/Questions

• Bostjan writes in (IRC suggests md5deep)
• Don writes in
• kaltheat writes in (We use R0DE Podcast microphones and Logitech C920 HD webcams)
• Harri writes in ***

This episode was brought to you by

Headlines

EuroBSDCon and AsiaBSDCon

• This year, EuroBSDCon will be in September in Sofia, Bulgaria
• They've got a call for papers up now, so everyone can submit the talks they want to present
• There will also be a tutorial section of the conference
• AsiaBSDCon will be next month, in March!
• All the info about the registration, tutorials, hotels, timetable and location have been posted
• Check the link for all the details on the talks - if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers! ***

FreeBSD 10 on Ubiquiti EdgeRouter Lite

• The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU
• This article goes through the process of installing and configuring FreeBSD on it to use as a home router
• Lots of good pictures of the hardware and specific details needed to get you set up
• It also includes the scripts to create your own images if you don't want to use the ones rolled by someone else
• For such a cheap price, might be a really fun weekend project to replace your shitty consumer router
• Of course if you're more of an OpenBSD guy, you can always see our tutorial for that too ***

Signed pkgsrc package guide

• We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up
• It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD)
• He goes through the process of signing packages with a public key and how to verify the packages when you install them
• The author also happens to be an EdgeBSD developer ***

Big batch of OpenBSD hackathon reports

• Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI
• In the second, ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things
• In the third, jsg updated libdrm and mesa and did various work on xenocara
• In the fourth, dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead - but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he's done
• In the fifth, claudio talks about some stuff he did for routing tables and misc. other things ***

Interview - Chris Buechler - cmb@pfsense.com / @cbuechler

pfSense

Tutorial

pfSense walkthrough

News Roundup

FreeBSD challenge continues

• Our buddy from the Linux foundation continues his switching to BSD journey
• In day 13, he covers some tips for new users, mentions trying things out in a VM first
• In day 14, he starts setting up XFCE and X11, feels like he's starting over as a new Linux user learning the ropes again - concludes that ports are the way to go
• In day 15, he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch
• In day 16, he dives into the world of FreeBSD jails! ***

BSD books in 2014

• BSD books are some of the highest quality technical writings available, and MWL has written a good number of them
• In this post, he details some of his plans for 2014
• In includes at least one OpenBSD book, at least one FreeBSD book and...
• Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him)
• Check the link for all the details ***

How to build FreeBSD/EC2 images

• Our friend Colin Percival details how to build EC2 images in a new blog post
• Most people just use the images he makes on their instances, but some people will want to make their own from scratch
• You build a regular disk image and then turn it into an AMI
• It requires a couple ports be installed on your system, but the whole process is pretty straightforward ***

PCBSD weekly digest

• This time around we discuss how you can become a developer
• Kris also details the length of supported releases
• Expect lots of new features in 10.1 ***

Feedback/Questions

• Sean writes in
• Jake writes in
• Niclas writes in
• Steffan writes in
• Antonio writes in
• Chris writes in ***

This episode was brought to you by

Headlines

FreeBSD's new testing infrastructure

• A new test suite was added to FreeBSD, with 3 powerful machines available
• Both -CURRENT and stable/10 have got the test suite build infrastructure in place
• Designed to help developers test and improve major scalability across huge amounts of CPUs and RAM
• More details available here
• Could the iXsystems monster server be involved...? ***

OpenBSD gets signify

• At long last, OpenBSD gets support for signed releases!
• For "the world's most secure OS" it was very easy to MITM kernel patches, updates, installer isos, everything
• A commit to the -current tree reveals a new "signify" tool is currently being kicked around
• More details in a blog post from the guy who committed it
• Quote: "yeah, briefly, the plan is to sign sets and packages. that's still work in progress." ***

Faces of FreeBSD

• This time they interview Isabell Long
• She's a volunteer staff member on the freenode IRC network
• In 2011, she participated in the Google Code-In contest and became involved with documentation
• "The new committer mentoring process proved very useful and that, plus the accepting community of FreeBSD, are reasons why I stay involved." ***

pkgsrc-2013Q4 branched

• The quarterly pkgsrc branch from NetBSD is out
• 13472 total packages for NetBSD-current/amd64 + 13049 binary packages built with clang!
• Lots of numbers and stats in the announcement
• pkgsrc works on quite a few different OSes, not just NetBSD
• See our interview with Amitai Schlair for a bit about pkgsrc ***

OpenBSD on Google's Compute Engine

• Google Compute Engine is a "cloud computing" platform similar to EC2
• Unfortunately, they only offer poor choices for the OS (Debian and CentOS)
• Recently it's been announced that there is a custom OS option
• It's using a WIP virtio-scsi driver, lots of things still need more work
• Lots of technical and networking details about the struggles to get OpenBSD working on it ***

The Installfest

We'll be showing you the installer of each of the main BSDs. As of the date this episode airs, we're using:

• FreeBSD 10.0
• OpenBSD 5.4
• NetBSD 6.1.2
• DragonflyBSD 3.6
• PCBSD 10.0 ***

News Roundup

Building an OpenBSD wireless access point

• A neat write up we found around the internet about making an OpenBSD wifi router
• Goes through the process of PXE booting, installing base, using a serial console, setting up networking and wireless
• Even includes a puffy sticker on the Soekris box at the end, how cute ***

FreeBSD 4.X jails on 10.0

• Blog entry from our buddy Michael Lucas
• For whatever reason (an "in-house application"), he needed to run a FreeBSD 4 jail in FreeBSD 10
• Talks about the options he had: porting software, virtualizing, dealing with slow old hardware
• He goes through the whole process of making an ancient jail
• It's "an acceptable trade-off, if it means I don’t have to touch actual PHP code." ***

Unscrewed: a story about OpenBSD

• Pretty long blog post about how a network admin used OpenBSD to save the day
• To set the tone, "It was 5am, and the network was down"
• Great war story about replacing expensive routers and networking equipment with cheaper hardware and BSD
• Mentions a lot of the built in tools and how OpenBSD is great for routers and high security applications ***

PCBSD weekly digest

• 10.0-RC3 is out and ready to be tested
• New detection of ATI Hybrid Graphics, they're working on nVidia next
• Re-classifying Linux jails as unsupported / experimental ***

Feedback/Questions

• Daniel writes in
• Erik writes in
• SW writes in
• [Bostjan writes in[(http://slexy.org/view/s20N9bfkum)
• Samuel writes in ***

Headlines

Getting to know your portmgr

• In this interview they talk to one of the "Annoying Reminder Guys" - Erwin Lansing, the second longest serving member of FreeBSD's portmgr (also vice-president of the FreeBSD Foundation)
• He actually maintains the .dk ccTLD
• Describes FreeBSD as "the best well-hidden success story in operating systems, by now in the hands of more people than one can count and used by even more people, and not one of them knows it! It’s not only the best operating system currently around, but also the most supportive and inspiring community."
• In the next one they speak with Martin Wilke (miwi@)
• The usual, "what inspires you about FreeBSD" "how did you get into it" etc. ***

vBSDCon wrap-up compilation

• Lots of write-ups about vBSDCon gathered in one place
• Some from OpenBSD guys
• Some from FreeBSD guys
• Some from RootBSD
• Some from iXsystems
• Some from Verisign
• And of course our own wrap-up chat in BSD Now Episode 009 ***

Faces of FreeBSD

• This week they talk to Gábor Páli from Hungary
• Talks about his past as a game programmer and how it got involved with FreeBSD
• "I met János Háber, who admired the technical merits of FreeBSD and recommended it over the popular GNU/Linux distributions. I downloaded FreeBSD 4.3-RELEASE, found it reliable, consistent, easy to install, update and use."
• He's been contributing since 2008 and does lots of work with Haskell in ports
• He also organizes EuroBSDCon and is secretary of the FreeBSD Core Team ***

Dragonfly 3.6 released

• dports now default instead of pkgsrc
• Big SMP scaling improvements
• Experimental i915 and KMS support
• See our interview with Justin Sherrill if you want to hear (a lot) more about it - nearly an hour long ***

Interview - Jordan Hubbard - jkh@freebsd.org / @omgjkh

FreeBSD's founding and future

Tutorial

Building an OpenBSD router, part 2

• Note: there was a mistake in the video version of the tutorial, please consult the written version for the proper instructions. ***

News Roundup

pfSense 2.1 on AWS EC2

• We now have pfSense 2.1 available on Amazon’s Elastic Compute Cloud (EC2)
• In keeping with the community spirit, they’re also offering a free "public" AMI
• Check the FAQ and User Guide on their site for additional details
• Interesting possibilities with pfSense in the cloud ***

Puffy on the desktop

• Distrowatch, a primarily Linux-focused site, features an OpenBSD 5.4 review
• They talk about using it on the desktop, how to set it up
• Very long write-up, curious Linux users should give it a read
• Ends with "Most people will still see OpenBSD as an operating system for servers and firewalls, but OpenBSD can also be used in desktop environments if the user doesn't mind a little manual work. The payoff is a very light, responsive system that is unlikely to ever misbehave" ***

Two-factor authentication with SSH

• Blog post about using a yubikey with SSH public keys
• Uses a combination of a OTP, BSDAuth and OpenBSD's login.conf, but it can be used with PAM on other systems as well
• Allows for two-factor authentication (a la gmail) in case your private key is compromised
• Anyone interested in an extra-hardened SSH server should give it a read ***

PCBSD weekly digest

• 10.0 has approximately 400 PBIs for public consumption
• They will be merging the GNOME3, MATE and Cinnamon desktops into the 10.0 ports tree - please help test them, this is pretty big news in and of itself!
• PCDM is coming along nicely, more bugs are getting fixed
• Added ZFS dataset options to PCBSD’s new text installer front-end ***

Feedback/Questions

• Ben writes in
• Florian writes in
• Zach writes in
• Addison writes in
• Adam writes in
• Adam's BSD Router Project tutorial can be downloaded here. ***

Headlines

OpenSSH 6.4 released

• Security fixes in OpenSSH don't happen very often
• 6.4 fixes a memory corruption problem, no new features
• If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
• Disabling AES-GCM in the server configuration is a workaround
• Only affects 6.2 and 6.3 if compiled against a newer OpenSSL (so FreeBSD 9's base OpenSSL is unaffected, for example)
• Full details here ***

Getting to know your portmgr-lurkers

• Next entry in portmgr interview series
• This time they chat with Mathieu Arnold, one of the portmgr-lurkers we mentioned previously
• Lots of questions ranging from why he uses BSD to what he had for breakfast
• Another one was since released, with Antoine Brodin aka antoine@ ***

FUSE in OpenBSD

• As we glossed over last week, FUSE was recently added to OpenBSD
• Now the guys from the OpenBSD Journal have tracked down more information
• This version is released under an ISC license
• Should be in OpenBSD 5.5, released a little less than 6 months from now
• Will finally enable things like SSHFS to work in OpenBSD ***

Automated submission of kernel panic reports

• New tool from Colin Percival
• Saves information about kernel panics and emails it to FreeBSD
• Lets you review before sending so you can edit out any private info
• Automatically encrypted before being sent
• FreeBSD never kernel panics so this won't get much use ***

Interview - Justin Sherrill - justin@dragonflybsd.org / @dragonflybsd

DragonflyBSD 3.6 and the Dragonfly Digest

Tutorial

Building an OpenBSD Router

News Roundup

BSD router project 1.5 released

• Nice timing for our router tutorial; TBRP is a FreeBSD distribution for installing on a router
• It's an alternative to pfSense, but not nearly as well known or popular
• New version is based on 9.2-RELEASE, includes lots of general updates and bugfixes
• Fits on a 256MB Compact Flash/USB drive ***

Curve25519 now default key exchange

• We mentioned in an earlier episode about a patch for curve25519
• Now it's become the default for key exchange
• Will probably make its way into OpenSSH 6.5, would've been in 6.4 if we didn't have that security vulnerability
• It's interesting to see all these big changes in cryptography in OpenBSD lately ***

FreeBSD kernel selection in boot menu

• Adds a kernel selection menu to the beastie menu
• List of kernels is taken from 'kernels' in loader.conf as a space or comma separated list of names to display (up to 9)
• From our good buddy Devin Teske ***

PCBSD weekly digest

• PCDM has officially replaced GDM as the default login manager
• New ISO build scripts (we got a sneak preview last week)
• Lots of bug fixes
• Second set of 10-STABLE ISOs available with new artwork and much more ***

Theo de Raadt speaking at MUUG

• Theo will be speaking at Manitoba UNIX User Group in Winnipeg
• On Friday, Nov 15, 2013 at 5:30PM (see show notes for the address)
• If you're watching the show live you have time to make plans, if you're watching the downloaded version it might be happening right now!
• No agenda, but expect some OpenBSD discussion ***

Feedback/Questions

• Dave writes in
• James writes in
• Allen writes in
• Chess writes in
• Frank writes in ***