This episode was brought to you by

Headlines

BSDCan and pkgsrcCon videos

• Even more BSDCan 2015 videos are slowly but surely making their way to the internet
• Nigel Williams, Multipath TCP for FreeBSD
• Stephen Bourne, Early days of Unix and design of sh
• John Criswell, Protecting FreeBSD with Secure Virtual Architecture
• Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
• John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
• Sevan Janiyan, Adventures in building open source software
• And finally, the BSDCan 2015 closing
• Some videos from this year's pkgsrcCon are also starting to appear online
• Sevan Janiyan, A year of pkgsrc 2014 - 2015
• Pierre Pronchery, pkgsrc meets pkg-ng
• Jonathan Perkin, pkgsrc at Joyent
• Jörg Sonnenberger, pkg_install script framework
• Benny Siegert, New Features in BulkTracker
• This is the first time we've ever seen recordings from the conference - hopefully they continue this trend ***

OPNsense 15.7 released

• The OPNsense team has released version 15.7, almost exactly six months after their initial debut
• In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
• Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
• The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
• Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
• Shortly afterwards, 15.7.1 was released with a few more small fixes ***

NetBSD at Open Source Conference 2015 Okinawa

• If you liked last week's episode then you'll probably know what to expect with this one
• The NetBSD users group of Japan hit another open source conference, this time in Okinawa
• This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
• We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con? ***

OpenBSD BGP and VRFs

• "VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
• This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
• With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
• The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
• Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
• The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts ***

Interview - Lee Sharp - lee@smallwall.org

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

• We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
• They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
• Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
• Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
• The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
• In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
• With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
• Look forward to the upcoming "Solaris Now" podcast _{(not really)} ***

EuroBSDCon 2015 talks and tutorials

• This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
• The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
• It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
• There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
• Registration for the event will be opening very soon (likely this week or next) ***

Using ZFS replication to improve offsite backups

• If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
• This article covers doing just that, but with a focus on making use of the replication capability
• It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
• Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
• Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
• One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important ***

Block encryption in OpenBSD

• We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
• This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
• It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
• The encrypted container method offers the advantage of being a bit more portable across installations than other ways ***

Docker hits FreeBSD ports

• The inevitable has happened, and an early FreeBSD port of docker is finally here
• Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
• There was also some Hacker News discussion on the topic ***

Microsoft donates to OpenSSH

• We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
• With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
• They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this ***

Feedback/Questions

• Joe writes in
• Mike writes in
• Randy writes in
• Tony writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

BSDCan 2015 schedule

• The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
• Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
• This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
• Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
• In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
• That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
• Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
• Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
• If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
• We also interviewed Dan Langille about the conference and what to expect this year, so check that out too ***

SSL interception with relayd

• There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
• If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
• Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
• It starts off with some backstory and some of the things relayd is capable of
• relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
• When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
• The post is very long, with lots of details and some sample config files - the whole nine yards ***

OPNsense 15.1.6.1 released

• The OPNsense team has released yet another version in rapid succession, but this one has some big changes
• It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
• This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
• It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
• The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
• With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
• Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling) ***

OpenBSD on a Minnowboard Max

• What would our show be without at least one story about someone installing BSD on a weird device
• For once, it's actually not NetBSD…
• This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
• It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
• The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
• You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
• Have a look at the spec sheet if you're interested, they make for cool little BSD boxes ***

Netmap for 40gbit NICs in FreeBSD

• Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
• The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support
• It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
• This should make for some serious packet-pushing power
• If you have any network hardware like this, he would appreciate testing for the new code ***

Interview - Ken Westerback - directors@openbsdfoundation.org

The OpenBSD foundation's activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

• The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
• Ken was also busy, getting a few networking-related things fixed and improved in the base system
• He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
• The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
• There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient ***

FreeBSD beginner video series

• A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
• We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
• So far, he's covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
• Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers
• It should be an ongoing series with more topics to come ***

NetBSD tests: zero unexpected failures

• The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
• They've finally gotten the number of "expected" failures down to zero on a few select architectures
• Results are published on a special release engineering page, so you can have a look if you're interested
• The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch ***

PCBSD switches to IPFW

• The PCBSD crew continues their recent series of switching between major competing features
• This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall
• Look forward to Kris wearing a "keep calm and use IPFW" shir- wait ***

Feedback/Questions

• Sean writes in
• Dan writes in
• Florian writes in
• Sean writes in
• Chris writes in ***

Mailing List Gold

• VCS flamebait
• Hidden agenda ***

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

• We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
• It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

• W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
• It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
• More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

• We've covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it's "not very pretty"
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
• There's also a new graphical frontend available for it ***

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in ***

Mailing List Gold

• Wait, a real one?
• What's that glowing... ***

This episode was brought to you by

Headlines

More BSD presentation videos

• The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch
• Corey Vixie, Web Apps in Embedded BSD
• Allan Jude, UCL config
• Kip Macy, iflib
• While we're on the topic of conferences, AsiaBSDCon's CFP was extended by one week
• This year's ruBSD will be on December 13th in Moscow
• Also, the BSDCan call for papers is out, and the event will be in June next year
• Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." ***

BSD-powered digital library in Africa

• You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
• With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
• They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
• The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

• With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
• 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
• All these things have taken more time than previously expected
• The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

• A few threads on caught our attention this week, all about hardware recommendations for BSD setups
• In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
• Everyone gave some good recommendations for low power, Atom-based systems
• The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
• For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
• If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

• Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
• After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
• In the comments, a lot of new switchers offer some advice and reading material
• If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

• Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
• This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
• Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
• The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

• a.out is the old executable format for Unix
• The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
• FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
• A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
• However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
• HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
• Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

• Boris writes in
• Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
• Chris writes in
• Robert writes in
• Jake writes in ***

Mailing List Gold

• Real world authpf use
• The great perl event of 2014 ***

This episode was brought to you by

Headlines

Updates to FreeBSD's random(4)

• FreeBSD's random device, which presents itself as "/dev/random" to users, has gotten a fairly major overhaul in -CURRENT
• The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
• Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
• Pluggable modules can now be written to add more sources of entropy
• These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9 ***

OpenBSD Tor relays and network diversity

• We've talked about getting more BSD-based Tor nodes a few times in previous episodes
• The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
• With the security features and attention to detail, it makes for an excellent dedicated Tor box
• More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
• A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
• Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
• The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it ***

SSP now default for FreeBSD ports

• SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
• It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
• This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
• If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
• NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
• Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed ***

Building an OpenBSD firewall and router

• While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
• The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
• Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
• They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
• Through the comments, we also find out that QuakeCon runs OpenBSD on their network
• Hopefully most of our listeners are running some kind of BSD as their gateway - try it out if you haven't already ***

Interview - Kristaps Džonsons - kristaps@bsd.lv

Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF

News Roundup

NetBSD at Kansai Open Forum 2014

• Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
• From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
• As always, you can find lots of pictures in the trip report ***

Getting to know your portmgr lurkers

• The lovable "getting to know your portmgr" series makes its triumphant return
• This time around, they interview Alex, one of the portmgr lurkers that joined just this month
• "How would you describe yourself?" "Too lazy."
• Another post includes a short interview with Emanuel, another new lurker
• We discussed the portmgr lurkers initiative with Steve Wills a while back ***

NetBSD's ARM port gets SMP

• The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
• This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
• NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
• There are also a few nice pictures in the article ***

A high performance mid-range NAS

• This blog post is about FreeNAS and optimizing iSCSI performance
• It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
• There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
• They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload" ***

Feedback/Questions

• Heto writes in
• Brad writes in
• Tyler writes in
• Tim writes in
• Brad writes in ***

Mailing List Gold

• Suspicious contributions
• La puissance du fromage
• Nothing unusual here ***