NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

NetBSD 10 on a Pinebook Pro

OpenBSD extreme privacy setup

News Roundup

Version 256 of systemd boasts '42% less Unix philosophy'

Posix.1 2024 is out

Blocking Access From or to Specific Countries Using FreeBSD and Pf

Beastie Bits

• BSD User Group Düsseldorf Juli 2024
• Another cool UNIX workstation, that was never released

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Customizing the FreeBSD Kernel

Learn more about customizing the build of the FreeBSD kernel and its loadable modules

---

OpenBSD/loongson on the Lemote Fuloong

In my article about running OpenBSD/loongson on the Lemote Yeeloong back in 2016, I mentioned looking for a Fuloong. All hope seemed lost until the Summer of 2017, when a fellow OpenBSD developer was contacted by a generous user (Thanks again, Lars!) offering to donate two Lemote Fuloong machines, and I was lucky enough to get one of those units.

News Roundup

How ZFS on Linux brings up pools and filesystems at boot under systemd

On Solaris and Illumos, how ZFS pools and filesystems were brought up at boot was always a partial mystery to me (and it seemed to involve the kernel knowing a lot about /etc/zfs/zpool.cache). On Linux, additional software RAID arrays are brought up mostly through udev rules, which has its own complications. For a long time I had the general impression that ZFS on Linux also worked through udev rules to recognize vdev components, much like software RAID. However, this turns out to not be the case and the modern ZFS on Linux boot process is quite straightforward on systemd systems.

---

LLDB: FreeBSD Legacy Process Plugin Removed

During the past month we’ve successfully removed the legacy FreeBSD plugin and continued improving the new one. We have prepared an implementation of hardware breakpoint and watchpoint support for FreeBSD/AArch64, and iterated over all tests that currently fail on that platform. Therefore, we have concluded the second milestone.

---

FreshBSD 2021

6 weeks ago I created a branch for a significant rework of FreshBSD. Nearly 300 commits later, and just a week shy of our 15th anniversary, the result is what you’re looking at now. I hope you like it.

---

gmid is a gemini server for unixes.

---

Danschmid’s Poudriere Guide now in english

The ports system is one of FreeBSD's greatest advantages for users who want flexibility and control over their software. It enables administrators to easily create and manage source-based installations using a system that is robust and predictable.

---

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Special Guest: Tom Jones.

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork

• OPNsense is a new BSD-based firewall project that was recently started, forked from the pfSense codebase
• Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
• The core team includes a well-known DragonFlyBSD developer
• You can check out their code on Github now, or download an image and try it out - let us know if you do and what you think about it
• They also have a nice wiki and some instructions on getting started for new users
• We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned ***

Code rot and why I chose OpenBSD

• Here we have a blog post about rotting codebases - a core banking system in this example
• The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
• He goes on to compare it to OpenSSL and the hearbleed disaster, from which LibreSSL was born
• Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
• The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds
• "In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
• It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
• Look for the phrase "Getting Started" in the blog post for a nice little gem ***

ZFS vs HAMMER FS

• One of the topics we've seen come up from time to time is how FreeBSD's ZFS and DragonFly's HAMMER FS compare to each other
• They both have a lot of features that traditional filesystems lack
• A forum thread was opened for discussion about them both and what they're typically used for
• It compares resource requirements, ideal hardware and pros/cons of each
• Hopefully someone will do another new comparison when HAMMER 2 is finished
• This is not to be confused with the other "hammer" filesystem ***

Portable OpenNTPD revived

• With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon
• OpenBSD has developed OpenNTPD since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
• The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
• Brent Cook, who we've had on the show before to talk about LibreSSL, decided it was time to fix this
• While looking through the code, he also found some fixes for the native version as well
• You can grab it from Github now, or just wait for the updated release to hit the repos of your OS of choice ***

Interview - Ian Sutton - ian@kremlin.cc

BSD replacements for systemd dependencies

News Roundup

pkgng adds OS X support

• FreeBSD's next-gen package manager has just added support for Mac OS X
• Why would you want that? Well.. we don't really know, but it's cool
• The author of the patch may have some insight about what his goal is though
• This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
• There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
• While we're on the topic of pkgng, you can also watch bapt's latest presentation about it from ruBSD 2014 - "four years of pkg" ***

Secure secure shell

• Almost everyone watching BSD Now probably uses OpenSSH and has set up a server at one point or another
• This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
• It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use
• There are also good explanations for all the choices, based both on history and probability
• Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
• We've also got a handy chart to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients ***

Dissecting OpenBSD's divert(4)

• PF has a cool feature that not a lot of people seem to know about: divert
• It lets you send packets to userspace, allowing you to inspect them a lot easier
• This blog post, the first in a series, details all the cool things you can do with divert and how to use it
• A very common example is with intrusion detection systems like Snort ***

Screen recording on FreeBSD

• This is a neat article about a topic we don't cover very often: making video content on BSD
• In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
• There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
• It also includes lots of details and helpful screenshots throughout the process
• You should make cool screencasts and send them to us ***

Feedback/Questions

• Camio writes in
• ezpzy writes in
• Emett writes in
• Ben writes in
• Laszlo writes in ***

Mailing List Gold

• Protocol X97
• My thoughts echoed
• Vulnerability sample ***

This episode was brought to you by

Headlines

Bitrig 1.0 released

• If you haven't heard of it, Bitrig is a fork of OpenBSD that started a couple years ago
• According to their FAQ, some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support
• They've finally announced their first official release, 1.0
• This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version
• It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on black background
• One of the developers answered some questions about it on Hacker News too ***

Is it time to try BSD?

• Here we get a little peek into the Linux world - more and more people are considering switching
• On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD
• People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side
• This article explores some pros and cons of switching, and features opinions of various users ***

Poudriere 3.1 released

• One of the first things we ever covered on the show was poudriere, a tool with a funny name that's used to build binary packages from FreeBSD ports
• It's come a long way since then, and bdrewery and bapt have just announced a new major version
• This new release features a redesigned web interface to check on the status of your packages
• There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier
• It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now
• Check the full release notes for all the additions and bug fixes ***

Firewalling with OpenBSD's pf and pfsync

• A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync
• He uses pf to manage 60 internal networks with a single firewall
• The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated
• It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, synproxy handling and a lot more
• The second half of the presentation focuses on pfsync and carp for failover and redundancy
• With two BSD boxes running pfsync, you can actually patch your kernel and still stay connected to IRC ***

Interview - Patrick Wildt - patrick@bitrig.org / @bitrig

The initial release of Bitrig

News Roundup

Infrastructural enhancements at NYI

• The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done
• Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things
• There've been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there
• This blog post goes into detail about how those servers are used and details some of the network topology ***

The long tail of MD5

• Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern
• In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace
• Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect
• Some other places require a bit more care… ***

DragonFly cheat sheet

• If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier
• A user-created "cheat sheet" on the website lists some common answers to beginner questions
• The page features a walkthrough of the installer, some shell tips and workarounds for various issues
• At the end, it also has some things that new users can get involved with to help out ***

Experiences with an OpenBSD laptop

• A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that
• The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux
• In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad
• He even gives us a mention as a good place to learn more about BSD, thanks! ***

PC-BSD Updates

• A call for testing of a new update system has gone out
• Conversion to Qt5 for utils has taken place ***

Feedback/Questions

• Chris writes in
• AJ writes in
• Dan writes in
• Jeff writes in ***

Mailing List Gold

• Over 440% faster
• The PF conundrum (edit: Allan misspoke about PF performance during this segment, apologies.)
• Violating bad standards
• apt-get rid of systemd ***

This episode was brought to you by

Headlines

FreeBSD 10.1-BETA1 is out

• The first maintenance update in the 10.x series of FreeBSD is on its way
• Since we can't see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
• The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
• Initial UEFI support, multithreaded softupdates for UFS and many more things were added
• You can check the release schedule for the planned release dates
• Details for the various forms of release media can be found in the announcement ***

Remote headless OpenBSD installation

• A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
• Sometimes you'll get lucky and they'll offer FreeBSD, but it's much harder to find ones that natively support other BSDs
• This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
• It required a few specific steps you'll want to take note of, but is extremely useful for those pesky hosting providers ***

Building a firewall appliance with pfSense

• In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
• After the author's modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
• The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
• There's a lot of great pictures of the hardware and detailed screenshots, definitely worth a look ***

Receive Side Scaling - UDP testing

• Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
• He's using some quad core boxes with 10 gigabit ethernet for the tests
• The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
• He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
• And speaking of Adrian Chadd... ***

Interview - Adrian Chadd - adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics

News Roundup

Sendmail removed from OpenBSD

• Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
• With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
• If you've ever compared a "sendmail.cf" file to an "smtpd.conf" file... the different is as clear as night and day
• 5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
• If you still need it for some reason, sendmail will live in ports from now on
• Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly's mail transfer agent in base (instead of an entire mail server) ***

pfSense backups with pfmb

• We've mentioned the need for a tool to back up pfSense configs a number of times on the show
• This script, hosted on github, does pretty much exactly that
• It can connect to one (or more!) pfSense installations and back up the configuration
• You can roll back or replace failed hardware very easily with its restore function
• Everything is done over SSH, so it should be pretty secure ***

The Design and Implementation of the FreeBSD Operating System

• We mentioned when the pre orders were up, but now "The Design and Implementation of the FreeBSD Operating System, 2nd edition" seems to be shipping out
• If you're interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
• We've even had all three authors on the show before! ***

OpenBSD's systemd replacement updates

• We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
• One of the developers writes in to Undeadly, detailing what's going on and what the overall status is
• He also clears up any confusion about "porting systemd to BSD" (that's not what's going on) or his code ever ending up in base (it won't)
• The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux... poor guy ***

Feedback/Questions

• Brad writes in
• Ben writes in
• Mathieu writes in
• Steve writes in ***

This episode was brought to you by

Headlines

Portscout ported to OpenBSD

• Portscout is a popular utility used in the FreeBSD ports infrastructure
• It lets port maintainers know when there's a new version of the upstream software available by automatically checking the distfile mirror
• Now OpenBSD porters can enjoy the same convenience, as it's been ported over
• You can view the status online to see how it works and who maintains what
• The developer who ported it is working to get all the current features working on OpenBSD, and added a few new features as well
• He decided to fork and rename it a few days later ***

Sysadmins and systemd refugees flocking to BSD

• With all the drama in Linux land about the rapid changes to their init system, a lot of people are looking at BSD alternatives
• This "you got your Windows in my Linux" article (and accompanying comments) give a nice glimpse into the minds of some of those switchers
• Both server administrators and regular everyday users are switching away from Linux, as more and more distros give them no choice but to use systemd
• Fortunately, the BSD communities are usually very welcoming of switchers - it's pretty nice on this side! ***

OpenBSD's versioning schemes

• Ted Unangst explains the various versioning systems within OpenBSD, from the base to libraries to other included software
• In contrast to FreeBSD's release cycle, OpenBSD isn't as concerned with breaking backwards compatibility (but only if it's needed to make progress)
• This allows them to innovate and introduce new features a lot more easily, and get those features in a stable release that everyone uses
• He also details the difference between branches, their errata system and lack of "patch levels" for security
• Some other things in OpenBSD don't have version numbers at all, like tmux
• "Every release adds some new features, fixes some old bugs, probably adds a new bug or two, and, if I have anything to say about it, removes some old features." ***

VAXstation 4000 Model 90 booting NetBSD

• We found a video of NetBSD booting on a 22 year old VAX workstation, circa 1992
• This system has a monstrous 71 MHz CPU and 128MB of ECC RAM
• It continues in part two, where we learn that it would've cost around $25,000 when it was released!
• The uploader talks about his experiences getting NetBSD on it, what does and doesn't work, etc
• It's interesting to see that such old hardware isn't necessarily obsolete just because newer things have come out since then (but maybe don't try to build world on it...) ***

Interview - Ken Moore - ken@pcbsd.org

The Lumina desktop environment

Special segment

Lumina walkthrough

News Roundup

Suricata for IDS on pfSense

• While most people are familiar with Snort as an intrusion detection system, Suricata is another choice
• This guide goes through the steps of installing and configuring it on a public-facing pfSense box
• Part two details some of the configuration steps
• One other cool thing about Suricata - it's compatible with Snort rules, so you can use the same updates
• There's also another recent post about snort as well, if that's more your style
• If you run pfSense (or any BSD) as an edge router for a lot of users, this might be worth looking into ***

OpenBSD's systemd API emulation project

• This story was pretty popular in the mainstream news this week
• For the Google Summer of Code, a student is writing emulation wrappers for some of systemd's functions
• There was consideration from some Linux users to port over the finished emulation back to Linux, so they wouldn't have to run the full systemd
• One particularly interesting Slashdot comment snippet: "We are currently migrating a large number (much larger than planned after initial results) of systems from RHEL to BSD - a decision taken due to general unhappiness with RHEL6, but SystemD pushed us towards BSD rather than another Linux distro - and in some cases are seeing throughput gains of greater than 10% on what should be equivalent Linux and BSD server builds. The re-learning curve wasn't as steep as we expected, general system stability seems to be better too, and BSD's security reputation goes without saying."
• It will NOT be in the base system - only in ports, and only installed as a dependency for things like newer GNOME that require such APIs
• In the long run, BSD will still be safe from systemd's reign of terror, but will hopefully still be compatible with some third party packages like GNOME that insist on using it ***

GhostBSD 4 previewed

• The GhostBSD project is moving along, slowly getting closer to the 4 release
• This article shows some of the progress made, and includes lots of screenshots and interesting graphical frontends
• If you're not too familiar with GhostBSD, we interviewed the lead developer a little while back ***

NetBSD on the Banana Pi

• The Banana Pi is a tasty alternative to the Raspberry Pi, with similar hardware specs
• In this blog post, a NetBSD developer details his experiences in getting NetBSD to run on it
• After studying how the prebuilt Linux image booted, he made some notes and started hacking
• Ethernet, one of the few things not working, is being looked into and he's hoping to get it fully supported for the upcoming NetBSD 7.0
• They're only about $65 as of the time we're recording this, so it might be a fun project to try ***

Feedback/Questions

• Antonio writes in
• Garegin writes in
• Erno writes in
• Brandon writes in ***