NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Enhancing FreeBSD Stability With ZFS Pool Checkpoints

Plaintext is not a great format for (system) logs

News Roundup

Initial playlist of 28 BSDCan Videos released

Installing FreeBSD 14 on Raspberry Pi 4B with ZFS root

• The following components make up my setup:
  • Raspberry Pi 4B, 8 GB RAM
  • Official Raspberry Pi 4 Power Supply
  • Geekworm Raspberry Pi 4 11mm Embedded Heatsink (P165-B)
  • Geekworm for Raspberry Pi 4, X862 V2.0 M.2 NGFF SATA SSD Storage Expansion Board with USB 3.1 Connector Support Key-B 2280 SSD
  • WD Blue SA510 SATA SSD 2 TB M.2 2280
  • 4K 60Hz Micro HDMI to HDMI Adapter (to connect to a monitor, can also run headless with just power and network cable connected)

A practical guide to VPNs, IPv6, routing domains and IPSEC

How to mount ISO or file disk images on OpenBSD

Beastie Bits

• DeadBSD Series - There have been a few FreeBSD derived OS’s over the years, some stay, many others fade away. In this series, DeadBSD’s, we will be revisiting those long gone BSD’s and see what we missed out on.
• Fury
• CultBSD

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

569 - RobN - A Thanks

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

An RNG that runs in your brain

Going Stateless

News Roundup

SmolBSD

The Wi-Fi only works when it's raining

Wayland, where are we in 2024? Any good for being the default?

Omnios pxe booting

OpenBSD scripts to convert wg-quick VPN files

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

How To Set Up a Wireguard VPN Server with Unbound on OpenBSD

Auditing for OpenZFS Storage Performance

News Roundup

Some notes on OpenBSD 7.2 on a Thinkpad X201

fzf

• A Practical Guide to fzf: Building a File Explorer
• A Practical Guide to fzf: Shell Integration
• ***

Replacing postfix with dma

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Dennis - Thanks

• Luna - Trillian

• Lyubomir - ipfw question

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

History of FreeBSD - Part 3: Early Days of FreeBSD

In this third part of our series on the history of FreeBSD, we start tracing the early days of FreeBSD and the events that would eventually shape the project and the future of open source software.

---

A mesh VPN using OpenBSD and WireGuard

WireGuard is a new coming to OpenBSD 6.8 and it looks like a simple and efficient way to connect computers.
I own a few VPS (hello Vultr, hello OpenBSD.amsterdam) that tend to be connected through filtered public services and/or SSH tunnels. And that’s neither efficient nor easy to manage. Here comes the wg(4) era where all those peers will communicate with a bit more privacy and ease of management.

---

News Roundup

Foundation Sponsors FreeBSD LLDB Improvements

With FreeBSD Foundation grant, Moritz Systems improved LLDB support for FreeBSD
The LLDB project builds on libraries provided by LLVM and Clang to provide a great modern debugger. It uses the Clang ASTs and the expression parser, LLVM JIT, LLVM disassembler, etc so that it provides an experience that “just works”. It is also blazing fast and more permissively licensed than GDB, the GNU Debugger.
LLDB is the default debugger in Xcode on macOS and supports debugging C, Objective-C, and C++ on the desktop and iOS devices and the simulator.

---

Host your Cryptpad web office suite with OpenBSD

In this article I will explain how to deploy your own Cryptpad instance with OpenBSD. Cryptpad is a web office suite featuring easy real time collaboration on documents. Cryptpad is written in JavaScript and the daemon acts as a web server.

Beastie Bits

• OPNsense 20.7.7 Released
• Introducing OpenZFS 2.0 Webinar - Jan 20th @ noon Eastern / 17:00 UTC.
• BSD In Die Hard
• Managing jails with Ansible: a showcase for building a container infrastructure on FreeBSD
• BSD Hardware
• New WINE chapter in FreeBSD handbook ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. ***

Feedback/Questions

• scott- zfs question
• Bruce - copy paste on esxi

• Julian - an apology for Allan

  ---

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

  ---

Headlines

Fighting the Coronavirus with FreeBSD

Here is a quick HOWTO for those who want to provide some FreeBSD based compute resources to help finding vaccines.

UPDATE 2020-03-22: 0mp@ made a port out of this, it is in “biology/linux-foldingathome”.

Per default it will now pick up some SARS-CoV‑2 (COVID-19) related folding tasks. There are some more config options (e.g. how much of the system resources are used). Please refer to the official Folding@Home site for more information about that. Be also aware that there is a big rise in compute resources donated to Folding@Home, so the pool of available work units may be empty from time to time, but they are working on adding more work units. Be patient.

How to configure the Wireguard VPN in OPNsense

WireGuard is a modern designed VPN that uses the latest cryptography for stronger security, is very lightweight, and is relatively easy to set up (mostly). I say ‘mostly’ because I found setting up WireGuard in OPNsense to be more difficult than I anticipated. The basic setup of the WireGuard VPN itself was as easy as the authors claim on their website, but I came across a few gotcha's. The gotcha's occur with functionality that is beyond the scope of the WireGuard protocol so I cannot fault them for that. My greatest struggle was configuring WireGuard to function similarly to my OpenVPN server. I want the ability to connect remotely to my home network from my iPhone or iPad, tunnel all traffic through the VPN, have access to certain devices and services on my network, and have the VPN devices use my home's Internet connection.

WireGuard behaves more like a SSH server than a typical VPN server. With WireGuard, devices which have shared their cryptographic keys with each other are able to connect via an encrypted tunnel (like a SSH server configured to use keys instead of passwords). The devices that are connecting to one another are referred to as “peer” devices. When the peer device is an OPNsense router with WireGuard installed, for instance, it can be configured to allow access to various resources on your network. It becomes a tunnel into your network similar to OpenVPN (with the appropriate firewall rules enabled). I will refer to the WireGuard installation on OPNsense as the server rather than a “peer” to make it more clear which device I am configuring unless I am describing the user interface because that is the terminology used interchangeably by WireGuard.

The documentation I found on WireGuard in OPNsense is straightforward and relatively easy to understand, but I had to wrestle with it for a little while to gain a better understanding on how it should be configured. I believe it was partially due to differing end goals – I was trying to achieve something a little different than the authors of other wiki/blog/forum posts. Piecing together various sources of information, I finally ended up with a configuration that met the goals stated above.

News Roundup

NomadBSD 1.3.1

NomadBSD 1.3.1 has recently been made available. NomadBSD is a lightweight and portable FreeBSD distribution, designed to run on live on a USB flash drive, allowing you to plug, test, and play on different hardware. They have also started a forum as of yesterday, where you can ask questions and mingle with the NomadBSD community. Notable changes in 1.3.1 are base system upgraded to FreeBSD 12.1-p2. automatic network interface setup improved, image size increased to over 4GB, Thunderbird, Zeroconf, and some more listed below.

GhostBSD 20.02

Eric Turgeon, main developer of GhostBSD, has announced version 20.02 of the FreeBSD based operating system. Notable changes are ZFS partition into the custom partition editor installer, allowing you to install alongside with Windows, Linux, or macOS. Other changes are force upgrade all packages on system upgrade, improved update station, and powerd by default for laptop battery performance.

New FuryBSD XFCE and KDE images

This new release is now based on FreeBSD 12.1 with the latest FreeBSD quarterly packages. This brings XFCE up to 4.14, and KDE up to 5.17. In addition to updates this new ISO mostly addresses community bugs, community enhancement requests, and community pull requests. Due to the overwhelming amount of reports with GitHub hosting all new releases are now being pushed to SourceForge only for the time being. Previous releases will still be kept for archive purposes.

pf-badhost 0.3 Released

pf-badhost is a simple, easy to use badhost blocker that uses the power of the pf firewall to block many of the internet's biggest irritants. Annoyances such as SSH and SMTP bruteforcers are largely eliminated. Shodan scans and bots looking for webservers to abuse are stopped dead in their tracks. When used to filter outbound traffic, pf-badhost blocks many seedy, spooky malware containing and/or compromised webhosts.

Beastie Bits

• DragonFly i915 drm update
• CShell is punk rock
• The most surprising Unix programs

Feedback/Questions

• Master One - Torn between OpenBSD and FreeBSD
• Brad - Follow up to Linus ZFS story
• Filipe Carvalho - Call for Portuguese BSD User Groups

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

LLDB Threading support now ready for mainline

Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages.

In February, I have started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I've started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report.

So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.

Multiple IPSec VPN tunnels with FreeBSD

The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)

But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host. How to implement and configure this is described below.

The requirements is to have 3 locations (A, B and C) connected with IPSec VPN tunnels using FreeBSD (11.3-RELEASE).

Each location has 1 IPSec VPN host running FreeBSD (VPN host A, B and C).

VPN host A has 2 IPSec VPN tunnels: 1 to location B (VPN host B) and 1 to location C (VPN host C).

News Roundup

Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance

Drew Gallatin of Netflix presented at the recent EuroBSDcon 2019 conference in Norway on the company's network stack optimizations to FreeBSD. Netflix was working on being able to deliver 200Gb/s network performance for video streaming out of Intel Xeon and AMD EPYC servers, to which they are now at 190Gb/s+ and in the process that doubled the potential of EPYC Naples/Rome servers and also very hefty upgrades too for Intel.

Netflix has long been known to be using FreeBSD in their data centers particularly where network performance is concerned. But in wanting to deliver 200Gb/s throughput from individual servers led them to making NUMA optimizations to the FreeBSD network stack. Allocating NUMA local memory for kernel TLS crypto buffers and for backing files sent via sentfile were among their optimizations. Changes to network connection handling and dealing with incoming connections to Nginx were also made.

For those just wanting the end result, Netflix's NUMA optimizations to FreeBSD resulted in their Intel Xeon servers going from 105Gb/s to 191Gb/s while the NUMA fabric utilization dropped from 40% to 13%.

unwind(8); "happy eyeballs"

In case you are wondering why happy eyeballs: It's a variation on this:
https://en.wikipedia.org/wiki/Happy_Eyeballs

unwind has a concept of a best nameserver type. It considers a configured DoT nameserver to be better than doing it's own recursive resolving. Recursive resolving is considered to be better than asking the dhcp provided nameservers.

This diff sorts the nameserver types by quality, as above (validation, resolving, dead...), and as a tie breaker it adds the median of the round trip time of previous queries into the mix.

One other interesting thing about this is that it gets us past captive portals without a check URL, that's why this diff is so huge, it rips out all the captive portal stuff (please apply with patch -E):
17 files changed, 385 insertions(+), 1683 deletions(-)

Please test this. I'm particularly interested in reports from people who move between networks and need to get past captive portals.

Amazon now has FreeBSD ARM 12

Product Overview

FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years.

FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS filesystem, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage systems.

OpenSSH U2F/FIDO support in base

I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys.

Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step.

You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time.

So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything.

Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too.

Please test this thoroughly - it's a big change that we want to have stable before the next release.

Beastie Bits

• DragonFly - git: virtio - Fix LUN scan issue w/ Google Cloud
• Really fast Markov chains in ~20 lines of sh, grep, cut and awk
• FreeBSD Journal Sept/Oct 2019
• Michael Dexter is raising money for Bhyve development
• syscall call-from verification
• FreeBSD Forums Howto Section

Feedback/Questions

• Jeroen - Feedback
• Savo - pfsense ports
• Tin - I want to learn C

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

Unix is 50

In the summer of 1969 computer scientists Ken Thompson and Dennis Ritchie created the first implementation of Unix with the goal of designing an elegant and economical operating system for a little-used PDP-7 minicomputer at Bell Labs. That modest project, however, would have a far-reaching legacy. Unix made large-scale networking of diverse computing systems — and the Internet — practical. The Unix team went on to develop the C language, which brought an unprecedented combination of efficiency and expressiveness to programming. Both made computing more "portable". Today, Linux, the most popular descendent of Unix, powers the vast majority of servers, and elements of Unix and Linux are found in most mobile devices. Meanwhile C++ remains one of the most widely used programming languages today. Unix may be a half-century old but its influence is only growing.

Hunting down Ken's PDP-7: video footage found

In my prior blog post, I traced Ken's scrounged PDP-7 to SN 34. In this post I'll show that we have actual video footage of that PDP-7 due to an old film from Bell Labs. this gives us almost a minute of footage of the PDP-7 Ken later used to create Unix.

News Roundup

OpenBSD 6.6 Released

• Announce: https://marc.info/?l=openbsd-tech&m=157132024225971&w=2
• Upgrade Guide: https://openbsd.org/faq/upgrade66.html
• Changelog: https://openbsd.org/plus66.html

OPNsense 19.7.5 released

Hello friends and followers, Lots of plugin and ports updates this time with a few minor improvements in all core areas. Behind the scenes we are starting to migrate the base system to version

12.1 which is supposed to hit the next 20.1 release. Stay tuned for more infos in the next month or so.

Here are the full patch notes:

• system: show all swap partitions in system information widget
• system: flatten services_get() in preparation for removal
• system: pin Syslog-ng version to specific package name
• system: fix LDAP/StartTLS with user import page
• system: fix a PHP warning on authentication server page
• system: replace most subprocess.call use
• interfaces: fix devd handling of carp devices (contributed by stumbaumr)
• firewall: improve firewall rules inline toggles
• firewall: only allow TCP flags on TCP protocol
• firewall: simplify help text for direction setting
• firewall: make protocol log summary case insensitive
• reporting: ignore malformed flow records
• captive portal: fix type mismatch for timeout read
• dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
• ipsec: add margintime and rekeyfuzz options
• ipsec: clear $dpdline correctly if not set
• ui: fix tokenizer reorder on multiple saves
• plugins: os-acme-client 1.26[1]
• plugins: os-bind will reload bind on record change (contributed by blablup)
• plugins: os-etpro-telemetry minor subprocess.call replacement
• plugins: os-freeradius 1.9.4[2]
• plugins: os-frr 1.12[3]
• plugins: os-haproxy 2.19[4]
• plugins: os-mailtrail 1.2[5]
• plugins: os-postfix 1.11[6]
• plugins: os-rspamd 1.8[7]
• plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
• plugins: os-telegraf 1.7.6[8]
• plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
• plugins: os-tinc minor subprocess.call replacement
• plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
• plugins: os-virtualbox 1.0 (contributed by andrewhotlab)

Dealing with the misunderstandings of what is GhostBSD

Since the release of 19.09, I have seen a lot of misunderstandings on what is GhostBSD and the future of GhostBSD. GhostBSD is based on TrueOS with FreeBSD 12 STABLE with our twist to it. We are still continuing to use TrueOS for OpenRC, and the new package's system for the base system that is built from ports. GhostBSD is becoming a slow-moving rolling release base on the latest TrueOS with FreeBSD 12 STABLE. When FreeBSD 13 STABLE gets released, GhostBSD will be upgraded to TrueOS with FreeBSD 13 STABLE.

Our official desktop is MATE, which means that the leading developer of GhostBSD does not officially support XFCE. Community releases are maintained by the community and for the community. GhostBSD project will provide help to build and to host the community release. If anyone wants to have a particular desktop supported, it is up to the community. Sure I will help where I can, answer questions and guide new community members that contribute to community release.

There is some effort going on for Plasma5 desktop. If anyone is interested in helping with XFCE and Plasma5 or in creating another community release, you are well come to contribute. Also, Contribution to the GhostBSD base system, to ports and new ports, and in house software are welcome. We are mostly active on Telegram https://t.me/ghostbsd, but you can also reach us on the forum.

SHUTTLE – VPN over SSH | VPN Alternative

Looking for a lightweight VPN client, but are not ready to spend a monthly recurring amount on a VPN? VPNs can be expensive depending upon the quality of service and amount of privacy you want. A good VPN plan can easily set you back by 10$ a month and even that doesn’t guarantee your privacy. There is no way to be sure whether the VPN is storing your confidential information and traffic logs or not. sshuttle is the answer to your problem it provides VPN over ssh and in this article we’re going to explore this cheap yet powerful alternative to the expensive VPNs. By using open source tools you can control your own privacy.

• VPN over SSH – sshuttle

sshuttle is an awesome program that allows you to create a VPN connection from your local machine to any remote server that you have ssh access on. The tunnel established over the ssh connection can then be used to route all your traffic from client machine through the remote machine including all the dns traffic. In the bare bones sshuttle is just a proxy server which runs on the client machine and forwards all the traffic to a ssh tunnel. Since its open source it holds quite a lot of major advantages over traditional VPN.

OpenSSH 8.1 Released

• Security

  • ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program.
  • ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).

• This release includes a number of changes that may affect existing configurations:

  • ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ...").

• New Features

  • ssh(1): Allow %n to be expanded in ProxyCommand strings
  • ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519"
  • ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
  • ssh-keygen(1): print key comment when extracting public key from a private key.
  • ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too.
  • All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's.

Beastie Bits

• Say goodbye to the 32 CPU limit in NetBSD/aarch64
• vBSDcon 2019 videos
• Browse the web in the terminal - W3M
• NetBSD 9 and GSoC
• BSDCan 2019 Videos
• NYC*BUG Install Fest: Nov 6th 18:45 @ Suspenders
• FreeBSD Miniconf at linux.conf.au 2020 Call for Sessions Now Open
• FOSDEM 2020 - BSD Devroom Call for Participation
• University of Cambridge looking for Research Assistants/Associates

Feedback/Questions

• Trenton - Beeping Thinkpad
• Alex - Per user ZFS Datasets
  • Allan’s old patch from 2015
• Javier - FBSD 12.0 + ZFS + encryption

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines
###FreeBSD 12.0 is available

• After a long release cycle, the wait is over: FreeBSD 12.0 is now officially available.
• We’ve picked a few interesting things to cover in the show, make sure to read the full Release Notes

Userland:
Group permissions on /dev/acpi have been changed to allow users in the operator GID to invoke acpiconf(8) to suspend the system.
The default devfs.rules(5) configuration has been updated to allow mount_fusefs(8) with jail(8).
The default PAGER now defaults to less(1) for most commands.
The newsyslog(8) utility has been updated to reject configuration entries that specify setuid(2) or executable log files.
The WITH_REPRODUCIBLE_BUILD src.conf(5) knob has been enabled by default.
A new src.conf(5) knob, WITH_RETPOLINE, has been added to enable the retpoline mitigation for userland builds.
Userland applications:
The dtrace(1) utility has been updated to support if and else statements.
The legacy gdb(1) utility included in the base system is now installed to /usr/libexec for use with crashinfo(8). The gdbserver and gdbtui utilities are no longer installed. For interactive debugging, lldb(1) or a modern version of gdb(1) from devel/gdb should be used. A new src.conf(5) knob, WITHOUT_GDB_LIBEXEC has been added to disable building gdb(1). The gdb(1) utility is still installed in /usr/bin on sparc64.
The setfacl(1) utility has been updated to include a new flag, -R, used to operate recursively on directories.
The geli(8) utility has been updated to provide support for initializing multiple providers at once when they use the same passphrase and/or key.
The dd(1) utility has been updated to add the status=progress option, which prints the status of its operation on a single line once per second, similar to GNU dd(1).
The date(1) utility has been updated to include a new flag, -I, which prints its output in ISO 8601 formatting.
The bectl(8) utility has been added, providing an administrative interface for managing ZFS boot environments, similar to sysutils/beadm.
The bhyve(8) utility has been updated to add a new subcommand to the -l and -s flags, help, which when used, prints a list of supported LPC and PCI devices, respectively.
The tftp(1) utility has been updated to change the default transfer mode from ASCII to binary.
The chown(8) utility has been updated to prevent overflow of UID or GID arguments where the argument exceeded UID_MAX or GID_MAX, respectively.
Kernel:
The ACPI subsystem has been updated to implement Device object types for ACPI 6.0 support, required for some Dell, Inc. Poweredge™ AMD® Epyc™ systems.
The amdsmn(4) and amdtemp(4) drivers have been updated to attach to AMD® Ryzen 2™ host bridges.
The amdtemp(4) driver has been updated to fix temperature reporting for AMD® 2990WX CPUs.
Kernel Configuration:
The VIMAGE kernel configuration option has been enabled by default.
The dumpon(8) utility has been updated to add support for compressed kernel crash dumps when the kernel configuration file includes the GZIO option. See rc.conf(5) and dumpon(8) for additional information.
The NUMA option has been enabled by default in the amd64 GENERIC and MINIMAL kernel configurations.
Device Drivers:
The random(4) driver has been updated to remove the Yarrow algorithm. The Fortuna algorithm remains the default, and now only, available algorithm.
The vt(4) driver has been updated with performance improvements, drawing text at rates ranging from 2- to 6-times faster.
Deprecated Drivers:
The lmc(4) driver has been removed.
The ixgb(4) driver has been removed.
The nxge(4) driver has been removed.
The vxge(4) driver has been removed.
The jedec_ts(4) driver has been removed in 12.0-RELEASE, and its functionality replaced by jedec_dimm(4).
The DRM driver for modern graphics chipsets has been marked deprecated and marked for removal in FreeBSD 13. The DRM kernel modules are available from graphics/drm-stable-kmod or graphics/drm-legacy-kmod in the Ports Collection as well as via pkg(8). Additionally, the kernel modules have been added to the lua loader.conf(5) module_blacklist, as installation from the Ports Collection or pkg(8) is strongly recommended.
The following drivers have been deprecated in FreeBSD 12.0, and not present in FreeBSD 13.0: ae(4), de(4), ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4), vx(4), wb(4), xe(4)
Storage:
The UFS/FFS filesystem has been updated to support check hashes to cylinder-group maps. Support for check hashes is available only for UFS2.
The UFS/FFS filesystem has been updated to consolidate TRIM/BIO_DELETE commands, reducing read/write requests due to fewer TRIM messages being sent simultaneously.
TRIM consolidation support has been enabled by default in the UFS/FFS filesystem. TRIM consolidation can be disabled by setting the vfs.ffs.dotrimcons sysctl(8) to 0, or adding vfs.ffs.dotrimcons=0 to sysctl.conf(5).
NFS:
The NFS version 4.1 server has been updated to include pNFS server support.
ZFS:
ZFS has been updated to include new sysctl(8)s, vfs.zfs.arc_min_prefetch_ms and vfs.zfs.arc_min_prescient_prefetch_ms, which improve performance of the zpool(8) scrub subcommand.
The new spacemap_v2 zpool feature has been added. This provides more efficient encoding of spacemaps, especially for full vdev spacemaps.
The large_dnode zpool feature been imported, allowing better compatibility with pools created under ZFS-on-Linux 0.7.x
Many bug fixes have been applied to the device removal feature. This feature allows you to remove a non-redundant or mirror vdev from a pool by relocating its data to other vdevs.
Includes the fix for PR 229614 that could cause processes to hang in zil_commit()
Boot Loader Changes:
The lua loader(8) has been updated to detect a list of installed kernels to boot.
The loader(8) has been updated to support geli(8) for all architectures and all disk-like devices.
The loader(8) has been updated to add support for loading Intel® microcode updates early during the boot process.

Networking:
The pf(4) packet filter is now usable within a jail(8) using vnet(9).
The pf(4) packet filter has been updated to use rmlock(9) instead of rwlock(9), resulting in significant performance improvements.
The SO_REUSEPORT_LB option has been added to the network stack, allowing multiple programs or threads to bind to the same port, and incoming connections load balanced using a hash function.

• Again, read the release notes for a full list, check out the errata notices. A big THANKS to the entire release engineering team and all developers involved in the release, much appreciated!

###Abandon Linux. Move to FreeBSD or Illumos

If you use GNU/Linux and you are only on opensource, you may be doing it wrong. Here’s why.
Is your company based on opensource based software only? Do you have a bunch of developers hitting some kind of server you have installed for them to “do their thing”? Being it for economical reasons (remember to donate), being it for philosophycal ones, you may have skipped good alternatives. The BSD’s and Illumos.
I bet you are running some sort of Debian, openSuSE or CentOS. It’s very discouraging having entered into the IT field recently and discover many of the people you meet do not even recognise the name BSD. Naming Solaris seems like naming the evil itself. The problem being many do not know why. They can’t point anything specific other than it’s fading out. This has recently shown strong when Oracle officials have stated development for new features has ceased and almost 90 % of developers for Solaris have been layed off. AIX seems alien to almost everybody unless you have a white beard. And all this is silly.
And here’s why. You are certainly missing two important features that FreeBSD and Illumos derivatives are enjoying. A full virtualization technology, much better and fully developed compared to the LXC containers in the Linux world, such as Jails on BSD, Zones in Solaris/Illumos, and the great ZFS file system which both share.
You have probably heard of a new Linux filesystem named Btrfs, which by the way, development has been dropped from the Red Hat side. Trying to emulate ZFS, Oracle started developing Btrfs file system before they acquired Sun (the original developer of ZFS), and SuSE joined the effort as well as Red Hat. It is not as well developed as ZFS and it hasn’t been tested in production environments as extensively as the former has. That leaves some uncertainty on using it or not. Red Hat leaving it aside does add some more. Although some organizations have used it with various grades of success.
But why is this anyhow interesting for a sysadmin or any organization? Well… FreeBSD (descendant of Berkeley UNIX) and SmartOS (based on Illumos) aglutinate some features that make administration easier, safer, faster and more reliable. The dream of any systems administrator.
To start, the ZFS filesystem combines the typical filesystem with a volume manager. It includes protection against corruption, snapshots and copy-on-write clones, as well as volume manager.
Jails is another interesting piece of technology. Linux folks usually associate this as a sort of chroot. It isn’t. It is somehow inspired by it but as you may know you can escape from a chroot environment with a blink of an eye. Jails are not called jails casually. The name has a purpose. Contain processes and programs within a defined and totally controlled environment. Jails appeared first in FreeBSD in the year 2000. Solaris Zones debuted on 2005 (now called containers) are the now proprietary version of those.
There are some other technologies on Linux such as Btrfs or Docker. But they have some caveats. Btrfs hasn’t been fully developed yet and it’s hasn’t been proved as much in production environments as ZFS has. And some problems have arisen recently although the developers are pushing the envelope. At some time they will match ZFS capabilities for sure. Docker is growing exponentially and it’s one of the cool technologies of modern times. The caveat is, as before, the development of this technology hasn’t been fully developed. Unlike other virtualization technologies this is not a kernel playing on top of another kernel. This is virtualization at the OS level, meaning differentiated environments can coexist on a single host, “hitting” the same unique kernel which controls and shares the resources. The problem comes when you put Docker on top of any other virtualization technology such as KVM or Xen. It breaks the purpose of it and has a performance penalty.
I have arrived into the IT field with very little knowledge, that is true. But what I see strikes me. Working in a bank has allowed me to see a big production environment that needs the highest of the availability and reliability. This is, sometimes, achieved by bruteforce. And it’s legitime and adequate. Redundancy has a reason and a purpose for example. But some other times it looks, it feels, like killing flies with cannons. More hardware, more virtual machines, more people, more of this, more of that. They can afford it, so they try to maintain the cost low but at the end of the day there is a chunky budget to back operations.
But here comes reality. You’re not a bank and you need to squeeze your investment as much as possible. By using FreeBSD jails you can avoid the performance penalty of KVM or Xen virtualization. Do you use VMWare or Hyper-V? You can avoid both and gain in performance. Not only that, control and manageability are equal as before, and sometimes easier to administer. There are four ways to operate them which can be divided in two categories. Hardcore and Human Being. For the Hardcore use the FreeBSD handbook and investigate as much as you can. For the Human Being way there are three options to use. Ezjail, Iocage and CBSD which are frameworks or programs as you may call to manage jails. I personally use Iocage but I have also used Ezjail.
How can you use jails on your benefit? Ever tried to configure some new software and failed miserably? You can have three different jails running at the same time with different configurations. Want to try a new configuration in a production piece of hardware without applying it on the final users? You can do that with a small jail while the production environment is on in another bigger, chunkier jail.
Want to divide the hardware as a replica of the division of the team/s you are working with? Want to sell virtual machines with bare metal performance? Do you want to isolate some piece of critical software or even data in a more controlled environment? Do you have different clients and you want to use the same hardware but you want to avoid them seeing each other at the same time you maintain performance and reliability?
Are you a developer and you have to have reliable and portable snapshots of your work? Do you want to try new options-designs without breaking your previous work, in a timeless fashion? You can work on something, clone the jail and apply the new ideas on the project in a matter of seconds. You can stop there, export the filesystem snapshot containing all the environment and all your work and place it on a thumbdrive to later import it on a big production system. Want to change that image properties such as the network stack interface and ip? This is just one command away from you.
But what properties can you assign to a jail and how can I manage them you may be wondering. Hostname, disk quota, i/o, memory, cpu limits, network isolation, network virtualization, snapshots and the manage of those, migration and root privilege isolation to name a few. You can also clone them and import and export them between different systems. Some of these things because of ZFS. Iocage is a python program to manage jails and it takes profit from ZFS advantages.
But FreeBSD is not Linux you may say. No it is not. There are no run levels. The systemd factor is out of this equation. This is so since the begginning. Ever wondered where did vi come from? The TCP/IP stack? Your beloved macOS from Apple? All this is coming from the FreeBSD project. If you are used to Linux your adaptation period with any BSD will be short, very short. You will almost feel at home. Used to packaged software using yum or apt-get? No worries. With pkgng, the package management tool used in FreeBSD has almost 27.000 compiled packages for you to use. Almost all software found on any of the important GNU/Linux distros can be found here. Java, Python, C, C++, Clang, GCC, Javascript frameworks, Ruby, PHP, MySQL and the major forks, etc. All this opensource software, and much more, is available at your fingertips.
I am a developer and… frankly my time is money and I appreciate both much more than dealing with systems configuration, etc. You can set a VM using VMWare or VirtualBox and play with barebones FreeBSD or you can use TrueOS (a derivative) which comes in a server version and a desktop oriented one. The latter will be easier for you to play with. You may be doing this already with Linux. There is a third and very sensible option. FreeNAS, developed by iXSystems. It is FreeBSD based and offers all these technologies with a GUI. VMWare, Hyper-V? Nowadays you can get your hands off the CLI and get a decent, usable, nice GUI.
You say you play on the cloud. The major players already include FreeBSD in their offerings. You can find it in Amazon AWS or Azure (with official Microsoft support contracts too!). You can also find it in DigitalOcean and other hosting providers. There is no excuse. You can use it at home, at the office, with old or new hardware and in the cloud as well. You can even pay for a support contract to use it. Joyent, the developers of SmartOS have their own cloud with different locations around the globe. Have a look on them too.
If you want the original of ZFS and zones you may think of Solaris. But it’s fading away. But it really isn’t. When Oracle bouth Sun many people ran away in an stampide fashion. Some of the good folks working at Sun founded new projects. One of these is Illumos. Joyent is a company formed by people who developed these technologies. They are a cloud operator, have been recently bought by Samsung and have a very competent team of people providing great tech solutions. They have developed an OS, called SmartOS (based on Illumos) with all these features. The source from this goes back to the early days of UNIX. Do you remember the days of OpenSolaris when Sun opensourced the crown jewels? There you have it. A modern opensource UNIX operating system with the roots in their original place and the head planted on today’s needs.
In conclusion. If you are on GNU/Linux and you only use opensource software you may be doing it wrong. And missing goodies you may need and like. Once you put your hands on them, trust me, you won’t look back. And if you have some “old fashioned” admins who know Solaris, you can bring them to a new profitable and exciting life with both systems.
Still not convinced? Would you have ever imagined Microsoft supporting Linux? Even loving it? They do love now FreeBSD. And not only that, they provide their own image in the Azure Cloud and you can get Microsoft support, payed support if you want to use the platform on Azure. Ain’t it… surprising? Convincing at all?
PS: I haven’t mentioned both softwares, FreeBSD and SmartOS do have a Linux translation layer. This means you can run Linux binaries on them and the program won’t cough at all. Since the ABI stays stable the only thing you need to run a Linux binary is a translation between the different system calls and the libraries. Remember POSIX? Choose your poison and enjoy it.

###A partly-cloudy IPsec VPN

• Audience

I’m assuming that readers have at least a basic knowledge of TCP/IP networking and some UNIX or UNIX-like systems, but not necessarily OpenBSD or FreeBSD. This post will therefore be light on details that aren’t OS specific and are likely to be encountered in normal use (e.g., how to use vi or another text editor.) For more information on these topics, read Absolute FreeBSD (3ed.) by Michael W. Lucas.

• Overview

I’m redoing my DigitalOcean virtual machines (which they call droplets). My requirements are:

• VPN
• Road-warrior access, so I can use private network resources from anywhere.
• A site-to-site VPN, extending my home network to my VPSes.
• Hosting for public and private network services.
• A proxy service to provide a public IP address to services hosted at home.

The last item is on the list because I don’t actually have a public IP address at home; my firewall’s external address is in the RFC 1918 space, and the entire apartment building shares a single public IPv4 address.1 (IPv6? Don’t I wish.) The end-state network will include one OpenBSD droplet providing firewall, router, and VPN services; and one FreeBSD droplet hosting multiple jailed services.
I’ll be providing access via these droplets to a NextCloud instance at home. A simple NAT on the DO router droplet isn’t going to work, because packets going from home to the internet would exit through the apartment building’s connection and not through the VPN. It’s possible that I could do work around this issue with packet tagging using the pf firewall, but HAProxy is simple to configure and unlikely to result in hard-to-debug problems. relayd is also an option, but doesn’t have the TLS parsing abilities of HAProxy, which I’ll be using later on.
Since this system includes jails running on a VPS, and they’ve got RFC 1918 addresses, I want them reachable from my home network. Once that’s done, I can access the private address space from anywhere through a VPN connection to the cloudy router.
The VPN itself will be of the IPsec variety. IPsec is the traditional enterprise VPN standard, and is even used for classified applications, but has a (somewhat-deserved) reputation for complexity, but recent versions of OpenBSD turn down the difficulty by quite a bit.

• The end-state network should look like: https://d33wubrfki0l68.cloudfront.net/0ccf46fb057e0d50923209bb2e2af0122637e72d/e714e/201812-cloudy/endstate.svg

This VPN both separates internal network traffic from public traffic and uses encryption to prevent interception or tampering.
Once traffic has been encrypted, decrypting it without the key would, as Bruce Schneier once put it, require a computer built from something other than matter that occupies something other than space. Dyson spheres and a frakton of causality violation would possibly work, as would mathemagical technology that alters the local calendar such that P=NP.2 Black-bag jobs and/or suborning cloud provider employees doesn’t quite have that guarantee of impossibility, however. If you have serious security requirements, you’ll need to do better than a random blog entry.

##News Roundup
###KLEAK: Practical Kernel Memory Disclosure Detection

Modern operating systems such as NetBSD, macOS, and Windows isolate their kernel from userspace programs to increase fault tolerance and to protect against malicious manipulations [10]. User space programs have to call into the kernel to request resources, via system calls or ioctls. This communication between user space and kernel space crosses a security boundary. Kernel memory disclosures - also known as kernel information leaks - denote the inadvertent copying of uninitialized bytes from kernel space to user space. Such disclosed memory may contain cryptographic keys, information about the kernel memory layout, or other forms of secret data. Even though kernel memory disclosures do not allow direct exploitation of a system, they lay the ground for it.
We introduce KLEAK, a simple approach to dynamically detect kernel information leaks. Simply said, KLEAK utilizes a rudimentary form of taint tracking: it taints kernel memory with marker values, lets the data travel through the kernel and scans the buffers exchanged between the kernel and the user space for these marker values. By using compiler instrumentation and rotating the markers at regular intervals, KLEAK significantly reduces the number of false positives, and is able to yield relevant results with little effort.
Our approach is practically feasible as we prove with an implementation for the NetBSD kernel. A small performance penalty is introduced, but the system remains usable. In addition to implementing KLEAK in the NetBSD kernel, we applied our approach to FreeBSD 11.2. In total, we detected 21 previously unknown kernel memory disclosures in NetBSD-current and FreeBSD 11.2, which were fixed subsequently. As a follow-up, the projects’ developers manually audited related kernel areas and identified dozens of other kernel memory disclosures.
The remainder of this paper is structured as follows. Section II discusses the bug class of kernel memory disclosures. Section III presents KLEAK to dynamically detect instances of this bug class. Section IV discusses the results of applying KLEAK to NetBSD-current and FreeBSD 11.2. Section V reviews prior research. Finally, Section VI concludes this paper.

###How To Create Official Synth Repo

• System Environment

• Make sure /usr/dports is updated and that it contains no cruft (git pull; git status). Remove any cruft.

• Make sure your ‘synth’ is up-to-date ‘pkg upgrade synth’. If you already updated your system you may have to build synth from scratch, from /usr/dports/ports-mgmt/synth.

• Make sure /etc/make.conf is clean.

• Update /usr/src to the current master, make sure there is no cruft in it

• Do a full buildworld, buildkernel, installkernel and installworld

• Reboot

• After the reboot, before proceeding, run ‘uname -a’ and make sure you are now on the desired release or development kernel.

• Synth Environment

• /usr/local/etc/synth/ contains the synth configuration. It should contain a synth.ini file (you may have to rename the template), and you will have to create or edit a LiveSystem-make.conf file.

• System requirements are hefty. Just linking chromium alone eats at least 30GB, for example. Concurrent c++ compiles can eat up to 2GB per process. We recommend at least 100GB of SSD based swap space and 300GB of free space on the filesystem.

• synth.ini should contain this. Plus modify the builders and jobs to suit your system. With 128G of ram, 30/30 or 40/25 works well. If you have 32G of ram, maybe 8/8 or less.

; Take care when hand editing!

[Global Configuration]
profile_selected= LiveSystem

[LiveSystem]
Operating_system= DragonFly
Directory_packages= /build/synth/live_packages
Directory_repository= /build/synth/live_packages/All
Directory_portsdir= /build/synth/dports
Directory_options= /build/synth/options
Directory_distfiles= /usr/distfiles
Directory_buildbase= /build/synth/build
Directory_logs= /build/synth/logs
Directory_ccache= disabled
Directory_system= /
Number_of_builders= 30
Max_jobs_per_builder= 30
Tmpfs_workdir= true
Tmpfs_localbase= true
Display_with_ncurses= true
leverage_prebuilt= false

• LiveSystem-make.conf should contain one line to restrict licensing to only what is allowed to be built as a binary package:

LICENSES_ACCEPTED= NONE

• Make sure there is no other cruft in /usr/local/etc/synth/

• In the example above, the synth working dirs are in “/build/synth”. Make sure the base directories exist. Clean out any cruft for a fresh build from-scratch:

rm -rf /build/synth/live_packages/*
rm -rf /build/synth/logs
mkdir /build/synth/logs

• Run synth everything. I recommend doing this in a ‘screen’ session in case you lose your ssh session (assuming you are ssh’d into the build machine).

(optionally start a screen session)
synth everything

• A full synth build takes over 24 hours to run on a 48-core box, around 12 hours to run on a 64-core box. On a 4-core/8-thread box it will take at least 3 days. There will be times when swap space is heavily used. If you have not run synth before, monitor your memory and swap loads to make sure you have configured the jobs properly. If you are overloading the system, you may have to ^C the synth run, reduce the jobs, and start it again. It will pick up where it left off.
• When synth finishes, let it rebuild the database. You then have a working binary repo.
• It is usually a good idea to run synth several times to pick up any stuff it couldn’t build the first time. Each of these incremental runs may take a few hours, depending on what it tries to build.

###Interview with founder and maintainer of GhostBSD, Eric Turgeon

• Thanks you Eric for taking part. To start off, could you tell us a little about yourself, just a bit of background?
• How did you become interested in open source?
• When and how did you get interested in the BSD operating systems?
• On your Twitter profile, you state that you are an automation engineer at iXsystems. Can you share what you do in your day-to-day job?
• You are the founder and project lead of GhostBSD. Could you describe GhostBSD to those who have never used it or never heard of it?
• Developing an operating system is not a small thing. What made you decide to start the GhostBSD project and not join another “desktop FreeBSD” related project, such as PC-BSD and DesktopBSD at the time?
• How did you get to the name GhostBSD? Did you consider any other names?
• You recently released GhostBSD 18.10? What’s new in that version and what are the key features? What has changed since GhostBSD 11.1?
• The current version is 18.10. Will the next version be 19.04 (like Ubuntu’s version numbering), or is a new version released after the next stable TrueOS release
• Can you tell us something about the development team? Is it yourself, or are there other core team members? I think I saw two other developers on your Github project page.
• How about the relationship with the community? Is it possible for a community member to contribute, and how are those contributions handled?
• What was the biggest challenge during development?
• If you had to pick one feature readers should check out in GhostBSD, what is it and why?
• What is the relationship between iXsystems and the GhostBSD project? Or is GhostBSD a hobby project that you run separately from your work at iXsystems?
• What is the relationship between GhostBSD and TrueOS? Is GhostBSD TrueOS with the MATE desktop on top, or are there other modifications, additions, and differences?
• Where does GhostBSD go from here? What are your plans for 2019?
• Is there anything else that wasn’t asked or that you want to share?

##Beastie Bits

• dialog(1) script to select audio output on FreeBSD
• Erlang otp on OpenBSD
• Capsicum
• https://blog.grem.de/sysadmin/FreeBSD-On-rpi3-With-crochet-2018-10-27-18-00.html
• Introduction to µUBSan - a clean-room reimplementation of the Undefined Behavior Sanitizer runtime
• pkgsrcCon 2018 in Berlin - Videos
• Getting started with drm-kmod

##Feedback/Questions

• Malcolm - Show segment idea
• Fraser - Question: FreeBSD official binary package options
• Harri - BSD Magazine

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

• If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
• It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
• This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
• In part two of the series, he talks about the GPIO and how you can configure it
• Part three is still in the works, so check the site later on for further progress and info ***

The modern OpenBSD home router

• In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
• "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
• Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
• This guide also covers PPP and IPv6, in case you have those requirements
• In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
• He also has a separate post for setting up an IPSEC VPN on the router ***

NetBSD at Open Source Conference 2015 Kansai

• The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
• They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
• Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
• They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
• And what conference would be complete without an LED-powered towel ***

OpenSSH 7.0 released

• The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
• SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
• The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
• If you're using an older configuration file, the "without-password" option still works, so no change is required
• You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
• Various bug fixes and documentation improvements are also included
• Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
• In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled ***

Interview - Peter Toth - peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

• A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
• Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
• He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
• Renato Westphal sent in a report of his very first hackathon
• He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
• Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
• His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
• There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well ***

FreeBSD jails, the hard way

• As you learned from our interview this week, there's quite a selection of tools available to manage your jails
• This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
• Unlike with iocage, ZFS isn't actually a requirement for this method
• If you are using it, though, you can make use of snapshots for making template jails ***

OpenSSH hardware tokens

• We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
• This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
• It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
• Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too ***

LibreSSL 2.2.2 released

• The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
• At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
• SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
• Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
• It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well ***

Feedback/Questions

• James writes in
• Stuart writes in ***

This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates

• For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
• This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
• It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
• If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
• OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version ***

Mounting removable media with autofs

• The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
• It's written by one of the autofs developers, and he details his work on creating and using the utility
• "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
• He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
• It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
• There's also some more advanced bonus material on GEOM classes and all the more technical details ***

The Tor Browser on BSD

• The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
• Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
• It has, however, only been released for Windows, OS X and Linux - no BSD version
• "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
• Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
• If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) ***

OpenSSH 6.8 released

• Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
• Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
• This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
• Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
• You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
• The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
• Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers ***

NetBSD at AsiaBSDCon

• The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
• It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
• There was a grand total of 34 different NetBSD gadgets on display at the event ***

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix

News Roundup

HardenedBSD introduces Integriforce

• A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
• By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
• HardenedBSD has introduced a similar mechanism into their "secadm" utility
• You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
• They're looking for some more extensive testing of this new feature ***

More s2k15 hackathon reports

• A couple more Australian hackathon reports have poured in since the last time
• The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
• He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
• Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
• Ted Unangst also sent in a report to detail what he hacked on at the event
• With a strong focus on improving SMP scalability, he tackled the virtual memory layer
• His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
• All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities ***

DragonFly 4.0.4 and IPFW3

• DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
• It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
• There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
• Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision) ***

NetBSD gets Raspberry Pi 2 support

• NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
• There are -current snapshots available for download, and multiprocessor support is also on the way
• The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
• The usual Hacker News discussion on the subject
• If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it ***

OpenIKED as a VPN gateway

• In our first discussion segment, we talked about a few different ways to tunnel your traffic
• While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
• This article should help fill that gap - it walks you through the complete IKED setup
• From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all ***

Feedback/Questions

• Gary writes in
• Robert writes in
• Joris writes in
• Mike writes in
• Anders writes in ***

Mailing List Gold

• Can you hear me now
• He must be GNU here
• I've seen some... ***

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

• We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
• It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

• W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
• It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
• More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

• We've covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it's "not very pretty"
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
• There's also a new graphical frontend available for it ***

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in ***

Mailing List Gold

• Wait, a real one?
• What's that glowing... ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 registration open

• September is getting closer, and that means it's time for EuroBSDCon - held in Bulgaria this year
• Registration is finally open to the public, with prices for businesses ($287), individuals ($217) and students ($82) for the main conference until August 18th
• Tutorials, sessions, dev summits and everything else all have their own pricing as well
• Registering between August 18th - September 12th will cost more for everything
• You can register online here and check hotels in the area
• The FreeBSD foundation is also accepting applications for travel grants ***

OpenBSD SMP PF update

• A couple weeks ago we talked about how DragonflyBSD updated their PF to be multithreaded
• With them joining the SMP ranks along with FreeBSD, a lot of users have been asking about when OpenBSD is going to make the jump
• In a recent mailing list thread, Henning Brauer addresses some of the concerns
• The short version is that too many things in OpenBSD are currently single-threaded for it to matter - just reworking PF by itself would be useless
• He also says PF on OpenBSD is over four times faster than FreeBSD's old version, presumably due to those extra years of development it's gone through
• There's also been even more recent concern about the uncertain future of FreeBSD's PF, being mostly unmaintained since their SMP patches
• We reached out to four developers (over week ago) about coming on the show to talk about OpenBSD network performance and SMP, but they all ignored us ***

Introduction to NetBSD pkgsrc

• An article from one of our listeners about how to create a new pkgsrc port or fix one that you need
• The post starts off with how to get the pkgsrc tree, shows how to get the developer tools and finally goes through the Makefile format
• It also lists all the different bmake targets and their functions in relation to the porting process
• Finally, the post details the whole process of creating a new port ***

FreeBSD 9.3-RELEASE

• After three RCs, FreeBSD 9.3 was scheduled to be finalized and announced today but actually came out yesterday
• The full list of changes is available, but it's mostly a smaller maintenance release
• Lots of driver updates, ZFS issues fixed, hardware RNGs are entirely disabled by default, netmap framework updates, read-only ext4 support was added, the vt driver was merged from -CURRENT, new hardware support (including radeon KMS), various userland tools got new features, OpenSSL and OpenSSH were updated... and much more
• If you haven't jumped to the 10.x branch yet (and there are a lot of people who haven't!) this is a worthwhile upgrade - 9.2-RELEASE will reach EOL soon
• Good news, this will be the first release with PGP-signed checksums on the FTP mirrors - a very welcome change
• With that out of the way, the 10.1-RELEASE schedule was posted ***

Interview - Bryan Drewery - bdrewery@freebsd.org / @bdrewery

The FreeBSD package building cluster, pkgng, ports, various topics

Tutorial

Tunneling traffic through DNS

News Roundup

SSH two-factor authentication on FreeBSD

• We've previously mentioned stories on how to do two-factor authentication with a Yubikey or via a third party website
• This blog post tells you how to do exactly that, but with your Google account and the pam_google_authenticator port
• Using this setup, every user that logs in with a password will have an extra requirement before they can gain access - but users with public keys can login normally
• It's a really, really simple process once you have the port installed - full details on the page ***

Ditch tape backup in favor of FreeNAS

• The author of this post shares some of his horrible experiences with tape backups for a client
• Having constant, daily errors and failed backups, he needed to find another solution
• With 1TB of backups, tapes just weren't a good option anymore - so he switched to FreeNAS (after also ruling out a pre-built NAS)
• The rest of the article details his experiences with it and tells about his setup ***

NetBSD vs FreeBSD, desktop experiences

• A NetBSD and pkgsrc developer details his experiences running NetBSD on a workstation at his job
• Becoming more and more disappointed with graphics performance, he finally decides to give FreeBSD 10 a try - especially since it has a native nVidia driver
• "Running on VAX, PlayStation 2 and Amiga is fun, but I’ll tell you a little secret: nobody cares anymore about VAX, PlayStation 2 and Amiga."
• He's become pretty satisfied with FreeBSD, a modern choice for a 2014 desktop system ***

PCBSD not-so-weekly digest

• Speaking of choices for a desktop system, it's the return of the PCBSD digest!
• Warden and PBI_add have gotten some interesting new features
• You can now create jails "on the fly" when adding a new PBI to your application library
• Bulk jail creation is also possible now, and it's really easy
• New Jenkins integration, with public access to poudriere logs as well
• PkgNG 1.3.0.rc2 testing for EDGE users ***

Feedback/Questions

• Jeff writes in - Sending Encrypted Backups over SSH + Sending ZFS snapshots via user
• Bruce writes in
• Richard writes in
• Jeff writes in - NYCBUG dmesg list
• Steve writes in ***

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb's ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• "FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
• If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
• To make that process faster, they're building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch ***

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• "The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about... the food ***

FreeBSD disk partitioning

• For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer's keynote (he's on next week's episode)
• Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
• Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL - The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There's also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question "my server already works, why bother switching?"
• "Stackoverflow’s answers assume I have apt-get installed"
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
• Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It's a free PDF, go grab it ***

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
• The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

• We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in ***

This episode was brought to you by

Headlines

FreeBSD 10 as a firewall

• Back in 2012, the author of this site wrote an article stating you should avoid FreeBSD 9 for a firewall and use OpenBSD instead
• Now, with the release of 10.0, he's apparently changed his mind and switched back over
• It mentions the SMP version of pf, general performance advantages and more modern features
• The author is a regular listener of BSD Now, hi Joe! ***

Network Noise Reduction Using Free Tools

• Really long blog post, based on a BSDCan presentation, about fighting spam with OpenBSD
• Peter Hansteen, author of the book of PF, goes through how he uses OpenBSD's spamd and other security features to combat spam and malware
• He goes through his experiences with content filtering and disappointment with a certain proprietary vendor
• Not totally BSD-specific, lots of people can enjoy the article - lots of virus history as well ***

FreeBSD ASLR patches submitted

• So far, FreeBSD hasn't had Address Space Layout Randomization
• ASLR is a nice security feature, see wikipedia for more information
• With a giant patch from Shawn Webb, it might be integrated into a future version (after a vicious review from the security team of course)
• We might have Shawn on the show to talk about it, but he's also giving a presentation at BSDCan about his work with ASLR ***

Old-style pkg_ tools retired

• At last the old pkg_add tools are being retired in FreeBSD
• pkgng is a huge improvement, and now portmgr@ thinks it's time to cut the cord on the legacy toolset
• Ports aren't going away, and probably never will, but for binary package fans and new users that are used to things like apt, pkgng is the way to go
• All pkg_ tools will be considered unsupported on September 1, 2014 - even on older branches ***

Interview - Luke Marsden - luke@hybridcluster.com / @lmarsden

BSD at HybridCluster

Tutorial

Filesharing with chrooted SFTP

News Roundup

FreeBSD on OpenStack

• OpenStack is a cloud computing project
• It consists of "a series of interrelated projects that control pools of processing, storage, and networking resources throughout a datacenter, able to be managed or provisioned through a web-based dashboard, command-line tools, or a RESTful API."
• Until now, there wasn't a good way to run a full BSD instance on OpenStack
• With a project in the vein of Colin Percival's AWS startup scripts, now that's no longer the case! ***

FOSDEM BSD videos

• This year's FOSDEM had seven BSD presentations
• The videos are slowly being uploaded for your viewing pleasure
• Not all of the BSD ones are up yet, but by the time you're watching this they might be!
• Check this directory for most of 'em
• The BSD dev room was full, lots of interest in what's going on from the other communities ***

The FreeBSD challenge finally returns!

• Due to prodding from a certain guy of a certain podcast, the "FreeBSD Challenge" series has finally resumed
• Our friend from the Linux foundation picks up with day 11 and day 12 on his switching from Linux journey
• This time he outlines the upgrade process of going from 9 to 10, using freebsd-update
• There's also some notes about different options for upgrading ports and some extra tips ***

PCBSD weekly digest

• After the big 10.0 release, the PCBSD crew is focusing on bug fixes for a while
• During their "fine tuning phase" users are encouraged to submit any and all bugs via the trac system
• Warden got some fixes and the package manager got some updates as well
• Huge size reduction in PBI format ***

Feedback/Questions

• Derrick writes in
• Sean writes in
• Patrick writes in
• Peter writes in
• Sean writes in ***

This episode was brought to you by

Headlines

Secure communications with OpenBSD and OpenVPN

• Starting off today's theme of encryption...
• A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
• Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show)
• Part 2 covers the initial setup of OpenVPN certificates and keys
• Parts 3 and 4 are the OpenVPN server and client configuration
• Part 5 is some updates and closing remarks ***

FreeBSD Foundation Newsletter

• The December 2013 semi-annual newsletter was sent out from the foundation
• In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
• The president's letter alone is worth the read, really amazing
• Really long, with lots of details and stories from the conferences and projects ***

Use of NetBSD with Marvell Kirkwood Processors

• Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
• The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)."
• Really cool little NetBSD ARM project with lots of graphs, pictures and details ***

Experimenting with zero-copy network IO

• Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
• Discusses the different OS' implementations and options
• He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there
• Tons of details, check the full post ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH

Tutorial

Full disk encryption in FreeBSD & OpenBSD

News Roundup

OpenZFS office hours

• Our buddy George Wilson sat down to take some ZFS questions from the community
• You can see more info about it here ***

License summaries in pkgng

• A discussion between Justin Sherill and some NYCBUG guys about license frameworks in pkgng
• Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow
• Maybe we could get a "pkg licenses" command to display the license of all installed packages
• Ok bapt, do it ***

The FreeBSD challenge continues

• Checking in with our buddy from the Linux foundation...
• The switching from Linux to FreeBSD blog series continues for his month-long trial
• Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding."
• Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more ***

Ports gets a stable branch

• For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch
• This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes
• All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 ***

Feedback/Questions

• John writes in
• Spencer writes in
• Campbell writes in
• Sha'ul writes in
• Clint writes in ***