
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
82: SSL in the Wild
Coming up this week, we'll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He's been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this week's news and answers to your questions, on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

EuroBSDCon 2015 call for papers (https://2015.eurobsdcon.org/call-for-papers/)
- The call for papers has been announced for the next EuroBSDCon (http://www.bsdnow.tv/episodes/2014_12_03-conference-connoisseur), which is set to be held in Sweden this year
- According to their site, the call for presentation proposals will run from Monday the 23rd of March until Friday the 17th of April
- If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
- You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
- We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you to submit a proposal (or two)
- Check the announcement for all the specific details and requirements
- If your talk gets accepted, the conference even pays for your travel expenses
***
Making security sausage (http://www.tedunangst.com/flak/post/making-security-sausage)
- Ted Unangst (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
- "Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
- The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
- It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
- Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
- The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
- Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
- It was because of this that FreeBSD actually had to release a security update to their security update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-March/000237.html)
- He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem."
***
Running FreeBSD on the server, a sysadmin speaks (http://www.itwire.com/business-it-news/open-source/67420-running-freebsd-on-the-server-a-sysadmin-speaks)
- More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
- ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
- They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
- It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
- If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you
***
NetBSD ported to Hardkernel ODROID-C1 (https://blog.netbsd.org/tnf/entry/netbsd_ported_to_hardkernel_odroid)
- In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1 (http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433)
- This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of RAM and gigabit ethernet... all for just $35
- There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
- More info can be found on their wiki page (https://wiki.netbsd.org/ports/evbarm/odroid-c1/)
- After this was written, basic framebuffer console support was also committed (http://mail-index.netbsd.org/source-changes/2015/03/21/msg064156.html), allowing a developer to run XFCE (https://pbs.twimg.com/media/CAqU5CnWEAAEhH2.png:large) on the device
***
Interview - Bernard Spil - brnrd@freebsd.org (mailto:brnrd@freebsd.org) / @sp1l (https://twitter.com/sp1l)
LibreSSL adoption in FreeBSD ports (https://wiki.freebsd.org/LibreSSL) and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource (http://www.echothrust.com/blogs/monitoring-pf-logs-gource)
- If you're using pf (http://www.bsdnow.tv/tutorials/pf) on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
- This article will show you how to get set up with Gource for a cinematic-like experience
- If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
- When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
- One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity
***
pkgng 1.5.0 alpha1 released (https://svnweb.freebsd.org/ports?view=revision&revision=381573)
- The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
- This update introduces support for provides/requires, something that we've been wanting for a long time
- It will also now print which package is the reason for a direct dependency change
- Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
- Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
- DragonFly will also likely pick up this update once it's marked stable
***
Welcome to OpenBSD (http://devio.us/~bcallah/rcos2015.pdf)
- We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
- The slides from that talk are now online, and they've been generating quite a bit of discussion (https://news.ycombinator.com/item?id=9240533) online (https://www.reddit.com/r/openbsd/comments/2ztokc/welcome_to_openbsd/)
- It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
- Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
- As you may know, NetBSD has almost 60 supported platforms (https://www.netbsd.org/ports/) and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms (http://www.openbsd.org/plat.html) over 13 CPU architectures, "it probably runs OpenBSD"
- No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
- Try to guess which font he used...
***
BSDTalk episode 252 (http://bsdtalk.blogspot.com/2015/03/bsdtalk252-devious-with-brian-callahan.html)
- And somehow Brian has snuck himself into another news item this week
- He makes an appearance in the latest episode of BSD Talk (http://www.bsdnow.tv/episodes/2014_03_05-bsd_now_vs_bsdtalk), where he chats with Will about running a BSD-based shell provider
- If that sounds familiar, it's probably because we did the same thing (http://www.bsdnow.tv/episodes/2014_06_18-devious_methods), albeit with a different member of their team
- In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
- They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself
***
Feedback/Questions
- Christian writes in (http://slexy.org/view/s2O81pixhq)
- Stefan writes in (http://slexy.org/view/s2dhr2WfVc)
- Possnfiffer writes in (http://slexy.org/view/s2Kisq2EqT)
- Ruudsch writes in (http://slexy.org/view/s2Xr0e5YAJ)
- Shane writes in (http://slexy.org/view/s2Xz7BNoJE)
***
Mailing List Gold
- Accidental support (https://lists.freebsd.org/pipermail/svn-src-head/2015-March/069679.html)
- Larry's tears (https://www.marc.info/?l=openbsd-cvs&m=142686812913221&w=2)
- The boy who sailed with BSD (https://lists.freebsd.org/pipermail/freebsd-hardware/2015-March/007625.html)
***
81: Puffy in a Box
We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD in the hands of Windows admins who don't even realize it. We also have all this week's news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates (http://www.echothrust.com/blogs/using-openbgpd-distribute-pf-table-updates-your-servers)
- For those not familiar, OpenBGPD (https://en.wikipedia.org/wiki/OpenBGPD) is a daemon for the Border Gateway Protocol (https://en.wikipedia.org/wiki/Border_Gateway_Protocol) - a way for routers on the internet to discover and exchange routes to different addresses
- This post, inspired by a talk about using BGP to distribute spam lists (https://www.youtube.com/watch?v=Vet0eQB00X0), details how to use the protocol to distribute some other useful lists and information
- It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
- If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
- OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD (https://www.freshports.org/net/openbgpd/) and a "work in progress" pkgsrc version (http://pkgsrc.se/wip/openbgpd)
***
Mounting removable media with autofs (http://freebsdfoundation.blogspot.com/2015/03/freebsd-from-trenches-using-autofs5-to_13.html)
- The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs (https://www.freebsd.org/cgi/man.cgi?query=autofs&sektion=5) tool
- It's written by one of the autofs developers, and he details his work on creating and using the utility
- "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
- He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
- It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
- There's also some more advanced bonus material on GEOM classes and all the more technical details
***
The Tor Browser on BSD (http://trac.haqistan.net/blog/adventures-ports-tor-browser)
- The Tor Project has provided a "browser bundle (https://www.torproject.org/projects/torbrowser/design/)" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
- Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
- It has, however, only been released for Windows, OS X and Linux - no BSD version
- "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
- Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
- If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)
***
OpenSSH 6.8 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033686.html)
- Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
- Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
- This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
- Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
- You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
- The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
- Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers
***
NetBSD at AsiaBSDCon (https://mail-index.netbsd.org/netbsd-advocacy/2015/03/15/msg000682.html)
- The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
- It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
- There was a grand total of 34 different NetBSD gadgets (https://docs.google.com/spreadsheets/d/14q6zJK5PjlMoSeBV5HBiEik5LkqlrcrbSxPoxVKKlec/edit#gid=0) on display at the event
***
Interview - Lawrence Teo - lteo@openbsd.org (mailto:lteo@openbsd.org) / @lteo (https://twitter.com/lteo)
OpenBSD at Calyptix (http://www.nycbsdcon.org/2010/presentations/lteo-nycbsdcon2010.pdf)

News Roundup

HardenedBSD introduces Integriforce (http://hardenedbsd.org/article/shawn-webb/2015-03-11/call-testing-secadm-integriforce)
- A little bit of background on this one first: NetBSD has something called veriexec (https://www.netbsd.org/docs/guide/en/chap-veriexec.html), used for checking file integrity (http://wiki.netbsd.org/guide/veriexec/) at the kernel level
- By doing it at the kernel level, similar to securelevels (https://en.wikipedia.org/wiki/Securelevel), it offers some level of protection even when the root account is compromised
- HardenedBSD has introduced a similar mechanism into their "secadm" utility
- You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run (http://i.imgur.com/wHp2eAN.png) at all, or if they just print a warning
- They're looking for some more extensive testing of this new feature
***
More s2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150305100712&mode=flat)
- A couple more Australian hackathon reports have poured in since the last time
- The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
- He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
- Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man)
- Ted Unangst also sent in a report (http://undeadly.org/cgi?action=article&sid=20150307165135&mode=flat) to detail what he hacked on at the event
- With a strong focus on improving SMP scalability, he tackled the virtual memory layer
- His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
- All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities
***
DragonFly 4.0.4 and IPFW3 (https://www.dragonflydigest.com/2015/03/10/15733.html)
- DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
- It includes a minor list of fixes (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418098.html), some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
- There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
- Shortly after it was released, their new IPFW2 firewall was added to the tree (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418133.html) and subsequently renamed to IPFW3 (http://lists.dragonflybsd.org/pipermail/commits/2015-March/418160.html) (since it's technically the third revision)
***
NetBSD gets Raspberry Pi 2 support (https://blog.netbsd.org/tnf/entry/raspberry_pi_2_support_added)
- NetBSD has announced initial support for the second revision (http://www.raspberrypi.org/products/raspberry-pi-2-model-b/) of the ever-popular Raspberry Pi board
- There are -current snapshots available for download, and multiprocessor support is also on the way
- The NetBSD wiki page about the Raspberry Pi also has some more information (https://wiki.netbsd.org/ports/evbarm/raspberry_pi/) and an installation guide
- There's the usual Hacker News discussion (https://news.ycombinator.com/item?id=9172100) on the subject
- If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it
***
OpenIKED as a VPN gateway (http://puffysecurity.com/wiki/openikedoffshore.html)
- In our first discussion segment, we talked about a few different ways to tunnel your traffic
- While we've done full tutorials on things like SSH tunnels (http://www.bsdnow.tv/tutorials/stunnel), OpenVPN (http://www.bsdnow.tv/tutorials/openvpn) and Tor (http://www.bsdnow.tv/tutorials/tor), we haven't talked a whole lot about OpenBSD's IPsec suite
- This article should help fill that gap - it walks you through the complete IKED setup
- From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all
***
Feedback/Questions
- Gary writes in (http://slexy.org/view/s21G9TWALE)
- Robert writes in (http://slexy.org/view/s206aZrxOi)
- Joris writes in (http://slexy.org/view/s28Um5R7LG)
- Mike writes in (http://slexy.org/view/s2yAJsl1Es)
- Anders writes in (http://slexy.org/view/s21dMAE55M)
***
Mailing List Gold
- Can you hear me now (https://www.marc.info/?l=openbsd-misc&m=142577632205484&w=2)
- He must be GNU here (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-March/047207.html)
- I've seen some... (https://www.marc.info/?l=openbsd-cvs&m=142593175408756&w=2)
***
80: The PC-BSD Tour II
We're away at AsiaBSDCon this week, but we've still got a packed episode for you. First up is a sequel to the "PC-BSD tour" segment from a while back, highlighting how ZFS boot environments work. After that, Justin Gibbs joins us to talk about the FreeBSD foundation's 15th anniversary. We'll return next week with a normal episode of BSD Now - which is of course, the place to B.. SD. This episode was brought to you by

Special segment
Demystifying Boot Environments in PC-BSD

Interview - Justin Gibbs - gibbs@freebsd.org (mailto:gibbs@freebsd.org) / @freebsdfndation (https://twitter.com/freebsdfndation)
The FreeBSD foundation's 15th anniversary

Discussion
The story of PC-BSD
79: Just Add QEMU
Coming up this time on the show, we'll be talking to Sean Bruno. He's been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We've also got answers to viewer-submitted questions and all this week's news, on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

AsiaBSDCon 2015 schedule (http://2015.asiabsdcon.org/timetable.html.en)
- Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
- This year's conference will be between 12-15 March at the Tokyo University of Science in Japan
- The first and second days are for tutorials, as well as the developer summit and vendor summit
- Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
- Not counting the ones that have yet to be revealed (as of the day we're recording this), there will be thirty-six different talks in all - four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
- Summaries of all the presentations are on the timetable page if you scroll down a bit
***
FreeBSD foundation updates and more (https://www.freebsdfoundation.org/press/2015febupdate.pdf)
- The FreeBSD foundation (http://www.bsdnow.tv/episodes/2015_02_04-from_the_foundation_1) has posted a number of things this week, the first of which is their February 2015 status update
- It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
- There's a FOSDEM recap and another update of their fundraising goal for 2015
- They also have two new blog posts: a trip report from SCALE13x (http://freebsdfoundation.blogspot.com/2015/02/scale-13x-trip-report-michael-dexter.html) and a featured "FreeBSD in the trenches (http://freebsdfoundation.blogspot.com/2015/02/freebsd-from-trenches-zfs-and-how-to.html)" article about how a small typo caused a lot of ZFS chaos in the cluster
- "Then panic ensued. The machine didn't panic -- I did."
***
OpenBSD improves browser security (https://www.marc.info/?l=openbsd-misc&m=142523501726732&w=2)
- No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
- Ted Unangst writes in to the OpenBSD misc list to introduce a new project he's working on, simply titled "improving browser security"
- He gives some background on the W^X memory protection (https://en.wikipedia.org/wiki/W%5EX) in the base system, but also mentions that some applications in ports don't adhere to it
- For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT (https://en.wikipedia.org/wiki/Just-in-time_compilation) engine) needs to be fixed to use it
- "A system that is 'all W^X except where it's not' is the same as a system that's not W^X. We've worked hard to provide a secure foundation for programs; we'd like to see them take advantage of it."
- The work is being supported by the OpenBSD foundation (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2), and we'll keep you updated on this undertaking as more news about it is released
- There's also some discussion on Hacker News (https://news.ycombinator.com/item?id=9128360) and Undeadly (http://undeadly.org/cgi?action=article&sid=20150303075848&mode=expanded) about it
***
NetBSD at Open Source Conference 2015 Tokyo (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/28/msg000680.html)
- The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
- There's even a spreadsheet (https://docs.google.com/spreadsheets/d/1DTJbESfnOUgOiVkFG8vsrxTq6oCGRpf8PkRcMkhWYWQ/edit#gid=0) of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
- If you just can't get enough strange devices running BSD, check the mailing list post for lots of pictures
- Their next target is, as you might guess, AsiaBSDCon 2015 - maybe we'll run into them
***
Interview - Sean Bruno - sbruno@freebsd.org (mailto:sbruno@freebsd.org) / @franknbeans (https://twitter.com/franknbeans)
Cross-compiling packages with poudriere (http://www.bsdnow.tv/tutorials/poudriere) and QEMU

News Roundup

The Crypto Bone (http://crypto-bone.com/what.html)
- The Crypto Bone is a new device (http://www.crypto-bone.com/) that's aimed at making encryption and secure communications easier (http://crypto-bone.com/cbb-usersview.html) and more accessible
- Under the hood, it's actually just a Beaglebone (http://beagleboard.org/bone) board, running stock OpenBSD with a few extra packages
- It includes a web interface (http://crypto-bone.com/release/root/var/www/apache/html/) for configuring keys and secure tunnels
- The source code (http://crypto-bone.com/release/root/) is freely available for anyone interested in hacking on it (or auditing the crypto), and there's a technical overview (http://crypto-bone.com/cbb-technicalview.html) of how everything works on their site
- If you don't want to teach your mom how to use PGP, buy her one of these(?)
***
BSD in the 2015 Google Summer of Code (https://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2015/about_page)
- For those who don't know, GSoC is a way for students to get paid to work on a coding project for an open source organization
- Good news: both FreeBSD and OpenBSD were accepted (https://www.google-melange.com/gsoc/org/list/public/google/gsoc2015) for the 2015 event
- FreeBSD has a wiki page (https://wiki.freebsd.org/SummerOfCodeIdeas) of ideas for people to work on
- OpenBSD also has an ideas page (http://www.openbsdfoundation.org/gsoc2015.html) where you can see some of the initial things that might be interesting
- If you're a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
- Who knows, you may even end up on the show (http://www.bsdnow.tv/episodes/2015_01_07-system_disaster) if you work on a cool project
- GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you'd like to hack on
***
pfSense 2.3 roadmap (https://blog.pfsense.org/?p=1588)
- The pfSense team has posted a new blog entry, detailing some of their plans for future versions
- PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
- PBIs are scheduled to be replaced with native pkgng packages
- Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
- Their ultimate goal is for pfSense to be a package you can install atop a regular FreeBSD install, rather than a repackaged distribution
***
PCBSD 10.1.2 security features (http://blog.pcbsd.org/2015/03/a-look-at-the-upcoming-features-for-10-1-2/)
- PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
- A new "personacrypt" utility is introduced, which allows for easy encryption and management of external drives for your home directory
- Going along with this, it also has a "stealth mode" that allows for one-time temporary home directories (but it doesn't self-destruct, don't worry)
- The LibreSSL integration also continues, and now packages will be built with it by default
- If you're using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
- They've also been working on introducing some new options to enable tunneling your traffic through Tor
- There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
- A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
- Look forward to Kris wearing a Tor shirt (https://www.torproject.org/getinvolved/tshirt.html) in future episodes
***
Feedback/Questions
- Antonio writes in (http://slexy.org/view/s2ofBPRT5n)
- Chris writes in (http://slexy.org/view/s26LsYcoJF)
- Van writes in (http://slexy.org/view/s28Rho0jvL)
- Stu writes in (http://slexy.org/view/s21AkGbniU)
***
Mailing List Gold
- H (https://lists.freebsd.org/pipermail/freebsd-ports/2015-February/098183.html)
- Pay up, mister Free (https://lists.freebsd.org/pipermail/freebsd-chat/2015-February/007024.html)
- Heritage protected (https://www.mail-archive.com/tech%40openbsd.org/msg22663.html)
- Blind leading the blind (https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264466.html)
- What are the chances (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/068682.html)
***
78: From the Foundation (Part 2)
This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We've also got answers to your emails and all the latest news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSDCan 2015 schedule (https://www.bsdcan.org/2015/schedule/) The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time) Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks That's not the ideal balance (https://twitter.com/bsdcan/status/570394627158773760) we'd hope for, but BSDCan says (https://twitter.com/bsdcan/status/570398181864972288) they'll try to improve that next year Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error) Michael Lucas (who's on the BSDCan board) wrote up a blog post (http://blather.michaelwlucas.com/archives/2325) about the proposals and rejections this year If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available We also interviewed Dan Langille (http://www.bsdnow.tv/episodes/2014_12_31-daemons_in_the_north) about the conference and what to expect this year, so check that out too *** SSL interception with relayd (http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception) There was a 
lot of commotion recently about superfish (http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/), software preinstalled on Lenovo laptops that intercepted HTTPS traffic and injected advertisements If you're running relayd (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/relayd.8), you can mimic this evil setup on your own networks (just for testing of course…) Reyk Floeter (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time), the guy who wrote relayd, came up with a blog post about how to do just that (https://gist.github.com/reyk/4b42858d1eab3825f9bc#file-relayd-superfish-conf) It starts off with some backstory and some of the things relayd is capable of relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to accept plain TCP connections and tunnel them through SSL When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario The catch, and the reason Superfish was so dangerous, is that every client has to trust the CA that signs the forged certificates: Superfish shipped the same CA private key on every laptop, so anyone who extracted it could impersonate any HTTPS site to those machines The post is very long, with lots of details (https://www.marc.info/?l=openbsd-tech&m=135887624714548&w=2) and some sample config files - the whole nine yards *** OPNsense 15.1.6.1 released (https://forum.opnsense.org/index.php?topic=77.0) The OPNsense team has released yet another version in rapid succession, but this one has some big changes It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches) This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update) It also includes security fixes for BIND (https://kb.isc.org/article/AA-01235) and PHP (http://php.net/ChangeLog-5.php#5.6.6), as well as some other assorted bug fixes The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only
have serial ports) With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL (https://forum.opnsense.org/index.php?topic=78.0) for testing (and have instructions on how to switch over without reinstalling) *** OpenBSD on a Minnowboard Max (http://www.countersiege.com/2015/02/22/minnowboard_max_openbsd.html) What would our show be without at least one story about someone installing BSD on a weird device? For once, it's actually not NetBSD… This article is about the minnowboard max (http://www.minnowboard.org/meet-minnowboard-max/), a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom) The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article Have a look at the spec sheet if you're interested, they make for cool little BSD boxes *** Netmap for 40gbit NICs in FreeBSD (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054717.html) Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed The ixl(4) driver, that's the one for the Intel XL710 40-gigabit card, now has netmap support It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too This should make for some serious packet-pushing power If you have any network hardware like this, he would appreciate testing for the new code *** Interview - Ken Westerback -
directors@openbsdfoundation.org (mailto:directors@openbsdfoundation.org) The OpenBSD foundation (http://www.openbsdfoundation.org/donations.html)'s activities News Roundup s2k15 hackathon report: dhclient/dhcpd/fdisk (http://undeadly.org/cgi?action=article&sid=20150221222235) The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to Ken was also busy, getting a few networking-related things fixed and improved in the base system He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it There are apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient *** FreeBSD beginner video series (https://www.youtube.com/user/bsdtutorial/videos) A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand So far, he's covered how to get FreeBSD (https://www.youtube.com/watch?v=D26rOHkI-iE), an introduction to installing in VirtualBox (https://www.youtube.com/watch?v=PCyYW19bPDU), a simple installation (https://www.youtube.com/watch?v=HCE89kObutA) or a more in-depth manual installation (https://www.youtube.com/watch?v=OwqCjz9Fgao), navigating the filesystem (https://www.youtube.com/watch?v=6YJhdOGjN50), basic ssh use (https://www.youtube.com/watch?v=Yl5Bg2qz21I), managing users and groups (https://www.youtube.com/watch?v=ioB73i7QUjI) and finally some basic editing (https://www.youtube.com/watch?v=VxxbO-gt9FA) with vi (https://www.youtube.com/watch?v=16FNtCj-uS4) and a few other topics Everyone's gotta start somewhere and,
with a little bit of initial direction, today's newbies could be tomorrow's developers It should be an ongoing series with more topics to come *** NetBSD tests: zero unexpected failures (https://blog.netbsd.org/tnf/entry/regular_test_runs_down_to) The NetBSD guys have a new blog post up about their testing suite (http://wiki.netbsd.org/tutorials/atf/) for all the CPU architectures They've finally gotten the number of unexpected failures down to zero on a few select architectures Results are published (http://releng.netbsd.org/test-results.html) on a special release engineering page, so you can have a look if you're interested The rest of the post links to the "top performers" (ones with fewer than ten failures) in the -current branch *** PCBSD switches to IPFW (https://github.com/pcbsd/pcbsd/commit/b80f78d8a5d002396c28ac0e5fd6f69699beaace) The PCBSD crew continues their recent series of switching between major competing features This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall Look forward to Kris wearing a "keep calm and use IPFW" shir- wait *** Feedback/Questions Sean writes in (http://slexy.org/view/s21U6Ln6wC) Dan writes in (http://slexy.org/view/s2Kp0xdfIb) Florian writes in (http://slexy.org/view/s216DcA8DP) Sean writes in (http://slexy.org/view/s271iJjqtQ) Chris writes in (http://slexy.org/view/s21zerHI9P) *** Mailing List Gold VCS flamebait (https://www.marc.info/?l=openbsd-misc&m=142454205416445&w=2) Hidden agenda (https://lists.freebsd.org/pipermail/freebsd-gnome/2015-February/031561.html) ***
77: Noah's L2ARC
This week on the show, we'll be chatting with Alex Reece and Matt Ahrens about what's new in the world of OpenZFS. After that, we're starting a new tutorial series on submitting your first patch. All the latest BSD news and answers to your emails, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Revisiting FreeBSD after 20 years (http://changelog.complete.org/archives/9317-has-linux-lost-its-way-comments-prompt-a-debian-developer-to-revisit-freebsd-after-20-years) With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time." The post also goes through the "just plain different" aspects of a complete OS vs. 
a distribution of various things pieced together Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things There was some decent discussion (https://news.ycombinator.com/item?id=9063216) on Hacker News about this article too, with counterpoints from both sides *** s2k15 hackathon report: network stack SMP (http://undeadly.org/cgi?action=article&sid=20150218085759) The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack If you're not familiar with him, he gave a presentation (http://www.openbsd.org/papers/tamingdragons.pdf) at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons (https://va.ludost.net/files/eurobsdcon/2014/Rodopi/03.Saturday/03.Taming%20OpenBSD%20Network%20Stack%20Dragons%20-%20Martin%20Pieuchot.mp4) Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock (https://en.wikipedia.org/wiki/Giant_lock) Hopefully more trip reports will be sent in during the coming weeks Most of the big code changes should probably appear after the 5.7-release testing period *** From BIND to NSD and Unbound (https://www.tumfatig.net/20150215/bind-nsd-unbound-openbsd-5-6/) If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons This 
post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound All in all, everyone wins here, as there will be a lot fewer security advisories in both BSDs because of it... *** m0n0wall calls it quits (http://m0n0.ch/wall/end_announcement.php) The original, classic BSD firewall distribution m0n0wall (https://en.wikipedia.org/wiki/M0n0wall) has finally decided to close up shop For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD's own lifespan The project was probably a lot of people's first encounter with BSD in any form If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) or OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router), or going the premade route with something like pfSense (http://www.bsdnow.tv/episodes/2014_02_19-a_sixth_pfsense), OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) or the BSD Router Project (http://www.bsdnow.tv/episodes/2014_10_22-dont_buy_a_router) The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly *** Interview - Alex Reece & Matt Ahrens - alex@delphix.com (mailto:alex@delphix.com) & matt@delphix.com (mailto:matt@delphix.com) / @openzfs (https://twitter.com/openzfs) What's new in OpenZFS Tutorial Making your first patch (OpenBSD) (http://www.bsdnow.tv/tutorials/patching-obsd) News Roundup Overlaying remote LANs with OpenBSD's VXLAN (http://www.echothrust.com/blogs/using-openbsd-and-vxlan-overlay-remote-lans) Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/vxlan.4) is exactly what you need This article talks about using it to connect two virtualized infrastructures on different ESXi servers It gives a bit of networking background first, in case you're not quite up to speed on all this stuff This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party Be sure to check the AsiaBSDCon talk (https://www.youtube.com/watch?v=ufeEP_hzFN0) about VXLANs if you haven't already *** 2020, year of the PCBSD desktop (http://lukewolf.blogspot.com/2015/02/a-prediction-2020-year-of-pc-bsd-on.html) Here we have a blog post about BSD on the desktop, straight from a KDE developer He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be) With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one There was also some discussion on Slashdot (http://bsd.slashdot.org/story/15/02/16/2355236/pc-bsd-set-for-serious-growth) that might be worth reading *** OpenSSH host key rotation, redux (http://blog.djm.net.au/2015/02/hostkey-rotation-redux.html) We mentioned 
the new OpenSSH host key rotation and other goodies in a previous episode (http://www.bsdnow.tv/episodes/2015_02_04-from_the_foundation_1), but things have changed a little bit since then djm (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in." There were some initial complaints from developers about the new options, and a serious bug shortly thereafter After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests Most importantly, the bigger bug fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide." In short, the client was accepting advertised keys without any proof that the server held the matching private keys; the fix makes the client demand a signature from the server for each new key it learns, with the session ID bound into what is signed, so a server can neither claim a key it doesn't own nor relay a proof it got from somewhere else
None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon *** PCBSD tries out LibreSSL (https://github.com/pcbsd/pcbsd/commit/6ede13117dcee1272d7a7060b16818506874286e) PCBSD users may soon be seeing far fewer security problems because of two recent changes After switching over to OpenNTPD last week (http://www.bsdnow.tv/episodes/2015_02_11-time_for_a_change), PCBSD decided to give the portable LibreSSL (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl) a try too Note that this is only for the packages built from ports, not the base system unfortunately They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it A good number of patches (https://github.com/pcbsd/freebsd-ports/commit/2eee669f4d6ab9a641162ecda29b62ab921438eb) are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla Look forward to Kris wearing a "keep calm and abandon OpenSSL (https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_com&state=item&dept_id=01&sub_dept_id=01&product_id=TSHIRTOSSL)" shirt in the near future *** Feedback/Questions Benjamin writes in (http://slexy.org/view/s28nyJ5omV) Mike writes in (http://slexy.org/view/s2wYUmUmh0) Brad writes in (http://slexy.org/view/s2BAKAQvMt) *** Mailing List Gold Debian (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/068405.html) Dejavu (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html) Package gone missing (http://lists.dragonflybsd.org/pipermail/users/2015-February/207475.html) ***
76: Time for a Change
This week, we'll be talking to Henning Brauer about OpenNTPD and its recently revived portable version. After that, we'll be discussing different ways to securely tunnel your traffic: specifically OpenVPN, IPSEC, SSH and Tor. All that and the latest news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Strange timer bug in FreeBSD 11 (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054295.html) Peter Wemm (http://www.bsdnow.tv/episodes/2014_09_24-beastly_infrastructure) wrote in to the FreeBSD -CURRENT mailing list with an interesting observation Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime (that is about how long a signed 32-bit tick counter lasts at 1000 Hz: 2^31 milliseconds is 24.85 days) This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game An initial proposal was adding a CFLAG to the build options which makes signed arithmetic wrap Peter disagreed and gave some background (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054320.html), offering a different patch to fix (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067827.html) the issue and detect it early (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067828.html) if it happens again Ultimately, the problem was traced back to an issue with a recent clang import It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down *** An OpenBSD mail server (http://technoquarter.blogspot.com/p/series.html) There's been a recent influx of blog posts about building a BSD mail server for some reason In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux In addition to the usual steps, this one also covers DKIMproxy, ClamAV
for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd That means this is more of a "complete solution" - right down to what the end users see The series is split up into categories so it's very easy to follow along step-by-step *** How DragonFlyBSD uses git (http://lists.dragonflybsd.org/pipermail/users/2015-January/207421.html) DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code In a series (http://lists.dragonflybsd.org/pipermail/users/2015-January/207422.html) of posts (http://lists.dragonflybsd.org/pipermail/users/2015-January/207424.html), Matthew Dillon (the project lead) details their internal setup They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access) The maintainers of the server are the only ones with shell access available He also details how a cron job syncs from the master to a public box that anyone can check out code from It would be interesting to hear about how other BSD projects manage their master source repository *** Why not try PCBSD? (http://www.itwire.com/business-it-news/open-source/66900-fed-up-with-systemd-and-linux?-why-not-try-pc-bsd) ITwire, another more mainstream tech site, published a recent article about switching to PCBSD They interview a guy named Kris that we've never heard of before In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same "With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD." 
If you have some friends who complain to you about systemd all the time, this might be a good article to show them *** Interview - Henning Brauer - henning@openbsd.org (mailto:henning@openbsd.org) / @henningbrauer (https://twitter.com/henningbrauer) OpenNTPD (http://openntpd.org/) and its portable variant News Roundup Authenticated time in OpenNTPD (https://www.marc.info/?l=openbsd-tech&m=142356166731390&w=2) We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already While at the hackathon, some developers came up with an alternative way (https://www.marc.info/?l=openbsd-cvs&m=142355043928397&w=2) to get an authenticated bound on the time You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool OpenNTPD will query it (over TLS, with CA verification) and read the Date header of the HTTPS response It's not intended to be a direct time source (the header only has one-second resolution), just a constraint to keep things within reason If regular NTP replies are way off from the TLS-derived time, they will be discarded and the server(s) marked as invalid Henning (https://www.marc.info/?l=openbsd-tech&m=142363215730069&w=2) and Theo (https://www.marc.info/?l=openbsd-tech&m=142363400330522&w=2) also weigh in to give some of the backstory on the idea Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) *** NetBSD at Open Source Conference 2015 Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/08/msg000678.html) It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them This time the conferences were in Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/11/msg000679.html), Japan Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices As always, they took lots of pictures from the event of NetBSD on all
these weird machines *** Poudriere in a jail (http://www.tobeannounced.org/2015/02/poudriere-in-a-jail/) A common question we get about our poudriere tutorial (http://www.bsdnow.tv/tutorials/poudriere) is "how do I run it in a jail?" - this blog post is about exactly that It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic *** Bruteblock, another way to stop bruteforce (http://easyos.net/articles/bsd/freebsd/bruteblock_protection_against_bruteforce_attacks_in_ssh) We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services It can also work directly with IPFW, which is a plus if you're using that as your firewall Add a few lines to your syslog.conf and bruteblock will get executed automatically The rest of the article takes you through the different settings you can configure for blocking *** New iwm(4) driver and cross-pollination (https://www.marc.info/?l=openbsd-cvs&m=142325218626853&w=2) The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads) NetBSD wasted no time in porting it over (https://mail-index.netbsd.org/source-changes/2015/02/07/msg062979.html), giving a bit of interesting backstory According to Antti Kantee (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction), "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace" Both projects would appreciate further testing if you have the hardware and can provide useful bug reports Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code *** PCBSD current images
(http://blog.pcbsd.org/2015/02/pc-bsd-11-0-current-images-now-available/) The first PCBSD -CURRENT images should be available this weekend This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2E4NbJwzs) Richard writes in (http://slexy.org/view/s2FkxcSYKy) Charlie writes in (http://slexy.org/view/s217EgA1JC) Ben writes in (http://slexy.org/view/s21vlCbGDt) *** Mailing List Gold A systematic effort (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00360.html) GCC's lunch (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00457.html) Hopes and dreams (https://marc.info/?l=openbsd-cvs&m=142331891908776&w=2) *** Discussion Comparison of ways to securely tunnel your traffic OpenVPN (https://openvpn.net/index.php/open-source.html), OpenBSD IKED (http://www.openiked.org/), FreeBSD IPSEC (https://www.freebsd.org/doc/handbook/ipsec.html), OpenSSH (http://www.openssh.com/), Tor (https://www.torproject.org/) ***
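As an added illustration of the authenticated-time constraint from the "Authenticated time in OpenNTPD" item above (example code written for these notes, not OpenNTPD's own implementation), the Go program below turns the Date header of an HTTPS response into a time window and drops NTP replies that fall outside it. The 15-second margin and the use of each reply's transmit timestamp rather than OpenNTPD's computed offset are simplifying assumptions, and the sample header and NTP replies are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// constraintMargin plays the role of OpenNTPD's constraint margin: an HTTP Date
// header has one-second resolution and the TLS round trip adds delay, so the
// constraint is a window around the header value. 15 s is an assumption here.
const constraintMargin = 15 * time.Second

// Constraint is the trusted window derived from one HTTPS response.
type Constraint struct {
	Lo, Hi time.Time
}

// ConstraintFromDateHeader turns the Date header of an HTTPS response into a
// window of +/- constraintMargin. It must only be called once the TLS
// certificate chain has been verified; an unverified Date header is worth nothing.
func ConstraintFromDateHeader(hdr http.Header) (Constraint, error) {
	raw := hdr.Get("Date")
	if raw == "" {
		return Constraint{}, fmt.Errorf("response carries no Date header")
	}
	t, err := http.ParseTime(raw) // accepts the RFC 1123 form real servers send
	if err != nil {
		return Constraint{}, fmt.Errorf("unparseable Date header %q: %w", raw, err)
	}
	return Constraint{Lo: t.Add(-constraintMargin), Hi: t.Add(constraintMargin)}, nil
}

// NTPReply is the one field of an NTP response this check needs: the server's
// transmit timestamp, already converted to a time.Time.
type NTPReply struct {
	Server   string
	Transmit time.Time
}

// FilterReplies keeps the replies that land inside the constraint and returns
// the servers whose replies did not, which is what OpenNTPD marks invalid.
// Replies are judged against the window, never against each other, so several
// lying servers cannot outvote one authenticated HTTPS date.
func FilterReplies(c Constraint, replies []NTPReply) (ok []NTPReply, rejected []string) {
	for _, r := range replies {
		if r.Transmit.Before(c.Lo) || r.Transmit.After(c.Hi) {
			rejected = append(rejected, r.Server)
			continue
		}
		ok = append(ok, r)
	}
	return ok, rejected
}

func main() {
	// Constructed input: a Date header as an HTTPS server would send it, one
	// honest NTP reply and one that is an hour off.
	hdr := http.Header{}
	hdr.Set("Date", "Wed, 11 Feb 2015 12:00:00 GMT")
	c, err := ConstraintFromDateHeader(hdr)
	if err != nil {
		panic(err)
	}
	base := time.Date(2015, time.February, 11, 12, 0, 0, 0, time.UTC)
	ok, rejected := FilterReplies(c, []NTPReply{
		{Server: "honest.pool.example", Transmit: base.Add(3 * time.Second)},
		{Server: "skewed.pool.example", Transmit: base.Add(time.Hour)},
	})
	fmt.Printf("accepted %d reply(ies), rejected %v\n", len(ok), rejected)
}
```

The window is deliberately coarse: a Date header only says which second it is, so the constraint cannot replace NTP for precision, it can only bound how far a bogus NTP server can drag the clock. Verifying the certificate chain before trusting the header is the whole point; a constraint fetched over plain HTTP would be as spoofable as NTP itself.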
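For the Bruteblock item above, here is an added example of the detection half of such a tool, written for these notes in Go (it is not Bruteblock's code). It scans the sshd "Failed password" lines that syslog writes to auth.log, counts failures per source address inside a sliding window, and renders the offenders as the ipfw table additions a blocker would run. The log lines are constructed, the year is supplied by the caller because syslog timestamps carry none, and table number 1 is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// failedLogin matches OpenSSH "Failed password" lines as syslog writes them;
// the timestamp carries no year, so the caller supplies one.
var failedLogin = regexp.MustCompile(
	`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+`)

// SampleLog is constructed input in auth.log format, using documentation addresses.
const SampleLog = `Feb 11 03:15:01 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb 11 03:15:02 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Feb 11 03:15:03 gw sshd[1236]: Accepted publickey for alice from 198.51.100.5 port 52000 ssh2
Feb 11 03:15:04 gw sshd[1237]: Failed password for root from 203.0.113.7 port 51002 ssh2
Feb 11 03:15:05 gw sshd[1238]: Failed password for bob from 198.51.100.5 port 52001 ssh2
Feb 11 03:25:00 gw sshd[1239]: Failed password for bob from 198.51.100.5 port 52002 ssh2
Feb 11 03:25:01 gw sshd[1240]: Failed password for bob from 198.51.100.5 port 52003 ssh2
`

// Offender is a source address that reached the threshold, and when it did.
type Offender struct {
	Addr string
	At   time.Time
}

// DetectBruteForce reports each source address the first time it accumulates
// `threshold` failed logins within a sliding `window`. Attempts older than the
// window are discarded as each line is processed, so a slow trickle of
// failures never adds up to a block.
func DetectBruteForce(log string, year, threshold int, window time.Duration) []Offender {
	attempts := map[string][]time.Time{}
	reported := map[string]bool{}
	var out []Offender
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := failedLogin.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a failed password attempt
		}
		ts, err := time.Parse("2006 Jan _2 15:04:05", fmt.Sprintf("%d %s", year, m[1]))
		if err != nil {
			continue
		}
		addr := m[2]
		recent := attempts[addr][:0] // filter in place: keep attempts inside the window
		for _, t := range attempts[addr] {
			if ts.Sub(t) < window {
				recent = append(recent, t)
			}
		}
		attempts[addr] = append(recent, ts)
		if len(attempts[addr]) >= threshold && !reported[addr] {
			reported[addr] = true
			out = append(out, Offender{Addr: addr, At: ts})
		}
	}
	return out
}

// IPFWCommands renders offenders as ipfw table additions, the shape of command
// a bruteblock-style tool hands to the firewall. Table 1 is an assumption; the
// deny rule that consults that table is configured separately.
func IPFWCommands(offenders []Offender) []string {
	cmds := make([]string, 0, len(offenders))
	for _, o := range offenders {
		cmds = append(cmds, fmt.Sprintf("ipfw table 1 add %s", o.Addr))
	}
	return cmds
}

func main() {
	for _, c := range IPFWCommands(DetectBruteForce(SampleLog, 2015, 3, time.Minute)) {
		fmt.Println(c)
	}
}
```

With a three-failure threshold and a one-minute window only 203.0.113.7 is blocked; 198.51.100.5 fails three times too, but ten minutes apart, so its first attempt has aged out by the time the third arrives. Two things a real deployment adds before wiring this to the firewall: a whitelist for management addresses, because an attacker who can spoof the source field of a log line (or just fail from your own monitoring host) can otherwise lock you out, and a matching unblock after some interval, since the `ipfw table` entry is permanent until removed.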
75: From the Foundation (Part 1)
This week on the show, we'll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we'll talk about what all they've been up to lately. All this week's news and answers to viewer-submitted questions, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Key rotation in OpenSSH 6.8 (http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html) Damien Miller (http://www.bsdnow.tv/episodes/2013_12_18-cryptocrystalline) posted a new blog entry about one of the features in the upcoming OpenSSH 6.8 Times change, key types change, problems are found with old algorithms and we switch to new ones In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange Keys that are in your known_hosts file but not on the server will get automatically removed This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released *** NetBSD Banana Pi images (https://mail-index.netbsd.org/port-arm/2015/01/30/msg002809.html) We've talked about the Banana Pi (http://www.bananapi.org/p/product.html) a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything
initially The email includes some steps to get everything working and an overview of what comes with the image Also check the wiki page (https://wiki.netbsd.org/ports/evbarm/allwinner/) for some related boards and further instructions on getting set up On a related note, NetBSD also recently got GPU acceleration working (https://blog.netbsd.org/tnf/entry/raspberry_pi_gpu_acceleration_in) for the Raspberry Pi (which is a first for their ARM port) *** LibreSSL shirts and other BSD goodies (https://www.marc.info/?l=openbsd-misc&m=142255048510669&w=2) If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online There are two versions, either "keep calm and use LibreSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTLSSL.jpg)" or the slightly more snarky "keep calm and abandon OpenSSL (https://shop.openbsdeurope.com/images/shop_openbsdeurope_com/products/large/TSHIRTOSSL.jpg)" While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too You can get some FreeBSD, PCBSD (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=pc-bsd) and FreeNAS stuff (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=shirts) from the FreeBSD mall site (https://www.freebsdmall.com/cgi-bin/fm/scan/fi=prod_bsd/se=tshirt) OpenBSD recently launched their new store (https://www.openbsdstore.com), but the selection is still a bit limited right now NetBSD has a couple places (https://www.netbsd.org/gallery/devotionalia.html#cafepress) where you can buy shirts and other apparel with the flag logo on it We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo (http://www.dragonflybsd.org/images/small_logo.png) is pretty cool Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) *** 
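Tying together the key rotation mechanism from this episode's OpenSSH 6.8 headline and the proof-of-possession bug described in the "host key rotation, redux" item of episode 77 above, here is an added example written for these notes (it is not OpenSSH's code) of the client-side update logic in Go, with ed25519 keys standing in for host keys. The server advertises its keys; the client asks it to prove possession of any key it has not seen before, and the proof is a signature over the request name, the session ID and the key, following the layout OpenSSH documents for hostkeys-prove-00@openssh.com. Only when every proof verifies does the client add the new keys and forget the ones the server no longer lists. The generated keys, the in-memory known_hosts map and the fixed session ID are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const proveRequest = "hostkeys-prove-00@openssh.com"

// sshString encodes b as an SSH wire string: big-endian uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// proveMessage is what the server signs per key. Binding the session ID makes a
// proof obtained in another session (host-a talking to host-b) useless to a relay.
func proveMessage(sessionID []byte, pub ed25519.PublicKey) []byte {
	msg := append(sshString([]byte(proveRequest)), sshString(sessionID)...)
	return append(msg, sshString(pub)...)
}

// Server owns Keys. Advertised is what it sends in hostkeys-00: a hostile server
// can list anyone's public key there, but Prove can only sign with Keys.
type Server struct {
	Keys       []ed25519.PrivateKey
	Advertised []ed25519.PublicKey
}

// NewServer generates n host keys and advertises all of them.
func NewServer(n int) *Server {
	s := &Server{}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		s.Keys, s.Advertised = append(s.Keys, priv), append(s.Advertised, pub)
	}
	return s
}

// Prove answers hostkeys-prove with one signature per requested key, in order;
// a key the server does not hold gets an empty signature.
func (s *Server) Prove(sessionID []byte, wanted []ed25519.PublicKey) [][]byte {
	sigs := make([][]byte, len(wanted))
	for i, w := range wanted {
		for _, k := range s.Keys {
			if string(k.Public().(ed25519.PublicKey)) == string(w) {
				sigs[i] = ed25519.Sign(k, proveMessage(sessionID, w))
			}
		}
	}
	return sigs
}

// KnownHosts is the client's trusted key set for one host, keyed by raw key bytes.
type KnownHosts map[string]bool

// UpdateHostKeys is the client side: ask for proofs of the advertised keys it does
// not know, verify each against its own session ID, and only then add them and
// forget keys no longer advertised. One bad proof leaves known_hosts untouched.
func UpdateHostKeys(kh KnownHosts, sessionID []byte, advertised []ed25519.PublicKey,
	prove func([]byte, []ed25519.PublicKey) [][]byte) error {
	var wanted []ed25519.PublicKey
	for _, p := range advertised {
		if !kh[string(p)] {
			wanted = append(wanted, p)
		}
	}
	sigs := prove(sessionID, wanted)
	for i, w := range wanted {
		if i >= len(sigs) || !ed25519.Verify(w, proveMessage(sessionID, w), sigs[i]) {
			return fmt.Errorf("no valid proof of possession for advertised key %d", i)
		}
	}
	adv := map[string]bool{}
	for _, p := range advertised {
		adv[string(p)], kh[string(p)] = true, true
	}
	for k := range kh {
		if !adv[k] {
			delete(kh, k) // retired on the server: forget it
		}
	}
	return nil
}

func main() {
	sessionID := []byte("constructed session id") // in SSH this comes from the key exchange
	hostB := NewServer(2)                         // client knows key 0; the server has added key 1
	kh := KnownHosts{string(hostB.Advertised[0]): true}
	fmt.Println("honest rotation:", UpdateHostKeys(kh, sessionID, hostB.Advertised, hostB.Prove), "keys known:", len(kh))
	hostA := NewServer(1) // host-a lists host-b's key, which it cannot sign for
	hostA.Advertised = append(hostA.Advertised, hostB.Advertised[1])
	khA := KnownHosts{string(hostA.Advertised[0]): true}
	fmt.Println("host-a claiming host-b's key:", UpdateHostKeys(khA, sessionID, hostA.Advertised, hostA.Prove), "keys known:", len(khA))
}
```

Run as-is, the first line reports a successful rotation with two keys known, the second reports an error with still one key known: host-a can list host-b's public key but cannot sign for it, and because the session ID is inside the signed message, a proof host-a obtains by connecting onward to host-b does not verify in the client's own session either.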
OPNsense 15.1.4 released (https://forum.opnsense.org/index.php?topic=35.0) The OPNsense guys have been hard at work since we spoke to them (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach), fixing lots of bugs and keeping everything up to date A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs) This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change A developer has also posted an interesting write-up titled "Development Workflow in OPNsense (http://lastsummer.de/development-workflow-in-opnsense/)" If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it *** Interview - Ed Maste - board@freebsdfoundation.org (mailto:board@freebsdfoundation.org) The FreeBSD foundation (https://www.freebsdfoundation.org/donate)'s activities News Roundup Rolling with OpenBSD snapshots (http://homing-on-code.blogspot.com/2015/02/rolling-with-snapshots.html) One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think He's now helping test out patches and new ports since he's running the same code as the developers *** Signing pkgsrc packages (https://mail-index.netbsd.org/tech-pkg/2015/02/02/msg014224.html) As of the time this show airs, the official pkgsrc 
(http://www.bsdnow.tv/tutorials/pkgsrc) packages aren't cryptographically signed Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal Instead, they're using netpgpverify, a fork of NetBSD's netpgp (https://en.wikipedia.org/wiki/Netpgp) utility Maybe someday this will become the official way to sign packages in NetBSD? *** FreeBSD support model changes (https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html) Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime" There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read *** OpenSMTPD, Dovecot and SpamAssassin (http://guillaumevincent.com/2015/01/31/OpenSMTPD-Dovecot-SpamAssassin.html) We've been talking about setting up your own BSD-based mail server on the last couple episodes Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering A lot of people regularly ask the developers (http://permalink.gmane.org/gmane.mail.opensmtpd.general/2265) how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked Just be sure to replace those "apt-get" commands and "eth0" interface names with 
something a bit more sane… In related news, OpenSMTPD has got some interesting new features coming soon (http://article.gmane.org/gmane.mail.opensmtpd.general/2272) They're also planning to switch to LibreSSL by default (https://github.com/OpenSMTPD/OpenSMTPD/issues/534) for the portable version *** FreeBSD 10 on the Thinkpad T400 (http://lastsummer.de/freebsd-desktop-on-the-t400/) BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400 Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt *** PC-BSD 10.1.1 Released (http://blog.pcbsd.org/2015/02/1810/) Automatic background updater now in Shiny new Qt5 utils OVA files for VM’s Full disk encryption with GELI v7 *** Feedback/Questions Camio writes in (http://slexy.org/view/s2MsjllAyU) Sha'ul writes in (http://slexy.org/view/s20eYELsAg) John writes in (http://slexy.org/view/s20Y2GN1az) Sean writes in (http://slexy.org/view/s20ARVQ1T6) (TJ's lengthy reply (http://slexy.org/view/s212XezEYt)) Christopher writes in (http://slexy.org/view/s2DRgEv4j8) *** Mailing List Gold Special Instructions (https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264010.html) Pretending to be a VT220 (https://mail-index.netbsd.org/netbsd-users/2015/01/19/msg015669.html) ***
74: That Sly MINIX
Coming up this week, we've got something a little bit different for you. We'll be talking with Andrew Tanenbaum, the creator of MINIX. They've recently imported parts of NetBSD into their OS, and we'll find out how and why that came about. As always, all the latest news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by
Headlines
The missing EuroBSDCon videos (http://2014.eurobsdcon.org/)
Some of the missing videos from EuroBSDCon 2014 we mentioned before (http://www.bsdnow.tv/episodes/2014_11_19-rump_kernels_revisited) have mysteriously appeared
Jordan Hubbard (http://www.bsdnow.tv/episodes/2013_11_27-bridging_the_gap), FreeBSD, looking forward to another 10 years (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/01.Keynote%20-%20FreeBSD:%20looking%20forward%20to%20another%2010%20years%20-%20Jordan%20Hubbard.mp4)
Lourival Viera Neto, NPF scripting with Lua (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/06.NFS%20scripting%20with%20Lua%20-%20Lourival%20Viera%20Neto.mp4)
Kris Moore, Snapshots, replication and boot environments (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/02.Snapshots,%20replication%20and%20boot%20environments%20-%20Kris%20Moore.mp4)
Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/07.A%20reimplementation%20of%20NetBSD%20based%20on%20a%20microkernel%20-%20Andy%20Tanenbaum.mp4)
Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), An introduction to FreeBSD's implementation of ZFS (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/03.An%20introduction%20to%20the%20implementation%20of%20ZFS%20-%20Kirk%20McKusick.mp4)
Emannuel Dreyfus, FUSE and beyond, bridging filesystems (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/05.FUSE%20and%20beyond:%20bridging%20filesystems%20-%20Emannuel%20Dreyfus.mp4)
John-Mark Gurney (http://www.bsdnow.tv/episodes/2014_10_29-ipsecond_wind), Optimizing GELI performance (https://va.ludost.net/files/eurobsdcon/2014/Vitosha/03.Saturday/04.Optimizing%20GELI%20performance%20-%20John-Mark%20Gurney.mp4)
Unfortunately, there are still about six talks missing… and no ETA
***
FreeBSD on a MacBook Pro (or two) (https://gist.github.com/mpasternacki/974e29d1e3865e940c53)
We've got a couple of posts about running FreeBSD on a MacBook Pro this week
In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
He's still not quite to that point yet, but documents his experiments with BSD as a desktop
The second article (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-13-late.html) also documents an ex-Linux user switching over to BSD for their desktop
It also covers (http://blog.foxkit.us/2015/01/freebsd-on-apple-macbook-pro-82-now.html) power management, bluetooth and trackpad setup
On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
Check out both articles if you've been considering running FreeBSD on a MacBook
***
Remote logging over TLS (https://www.marc.info/?l=openbsd-tech&m=142136923124184&w=2)
In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
The problem is, of course, that it's sent in cleartext (https://en.wikipedia.org/wiki/Syslog#Protocol), unless you tunnel it over SSH or use some kind of third party wrapper
With a few recent commits (https://www.marc.info/?l=openbsd-cvs&m=142160989610410&w=2), OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
That problem was also conquered (https://www.marc.info/?l=openbsd-tech&m=142188450524692&w=2), by loading the CA chain directly from memory (https://www.marc.info/?l=openbsd-cvs&m=142191799331938&w=2), so the entire process can be run in the chroot (https://www.marc.info/?l=openbsd-cvs&m=142191819131993&w=2) without issue
Some of the privsep verification code even made its way into (https://www.marc.info/?l=openbsd-cvs&m=142191878632141&w=2) LibreSSL right afterwards
If you haven't set up remote logging before, now might be an interesting time to try it out
***
FreeBSD, not a Linux distro (https://www.youtube.com/watch?v=wwbO4eTieQY)
George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
It's meant to be an introduction for new users that might've heard about FreeBSD, but aren't familiar with any BSD history
He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
There's even an interesting "thirty years in three minutes" segment
It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them
***
Long-term support considered harmful (http://www.tedunangst.com/flak/post/long-term-support-considered-harmful)
There was recently a pretty horrible bug (https://www.marc.info/?l=bugtraq&m=142237866420639&w=2) in GNU's libc (BSDs aren't affected, don't worry)
Aside from the severity of the actual problem, the fix was delayed (https://code.google.com/p/chromium/issues/detail?id=364511) for quite a long time, leaving people vulnerable
Ted Unangst writes a post about how this idea of long-term support (https://plus.google.com/u/0/+ArtoPekkanen/posts/88jk5ggXYts?cfem=1) could actually be harmful in the long run, and compares it to how OpenBSD does things
OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
"Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
There was also some (https://lobste.rs/s/a4iijx/long_term_support_considered_harmful) discussion (https://news.ycombinator.com/item?id=8954737) about the article you can check out
***
Interview - Andrew Tanenbaum - info@minix3.org (mailto:info@minix3.org) / @minix3 (https://twitter.com/minix3)
MINIX's integration of NetBSD
News Roundup
Using AFL on OpenBSD (http://www.undeadly.org/cgi?action=article&sid=20150121093259)
We've talked about American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/) a bit on a previous episode, and how some OpenBSD devs are using it (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=afl&q=b) to catch and fix new bugs
Undeadly has a cool guide on how you can get started with fuzzing
It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software
***
Lumina 0.8.1 released (http://blog.pcbsd.org/2015/01/lumina-desktop-0-8-1-released/)
A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, you gotta go watch it (http://www.bsdnow.tv/episodes/2014_09_10-luminary_environment)
***
My first OpenBSD port (http://homing-on-code.blogspot.com/2015/01/my-first-openbsd-port.html)
The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
At that point he did what you're supposed to do in that situation, and started working on it himself
OpenBSD has a great porter's handbook (http://www.openbsd.org/faq/ports/) that he referenced throughout the process
Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen
***
How to slide with DragonFly (http://www.dragonflybsd.org/docs/docs/howtos/howtoslide/)
DragonFly BSD has a new HAMMER FS utility called "Slider"
It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
They have a pretty comprehensive guide on how to use it on their wiki page
If you're using HAMMER FS, this is a really handy tool to have, check it out
***
OpenSMTPD with Dovecot and Salt (https://blog.al-shami.net/2015/01/howto-small-mail-server-with-salt-dovecot-and-opensmtpd/)
We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
"Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
Check it out if you've been thinking about configuring your first mail server on any of the BSDs
***
Feedback/Questions
Christopher writes in (http://slexy.org/view/s20q2fSfEO) (handbook section (https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-update-os))
Mark writes in (http://slexy.org/view/s2zGvAczeN)
Kevin writes in (http://slexy.org/view/s21Dn2Tey8)
Stefano writes in (http://slexy.org/view/s215nxxrtF)
Matthew writes in (http://slexy.org/view/s20cwezc9l)
***
Mailing List Gold
Not that interested actually (https://www.marc.info/?l=openbsd-misc&m=142194821910087&w=2)
This guy again (https://lists.freebsd.org/pipermail/freebsd-jail/2015-January/002742.html)
Yep, this is the place (https://lists.freebsd.org/pipermail/freebsd-doc/2015-January/024888.html)
***
73: Pipe Dreams
This week on the show we'll be chatting with David Maxwell, a former NetBSD security officer. He's got an interesting project called Pipecut that takes a whole new approach to the commandline. We've also got answers to viewer-submitted questions and all this week's headlines, on BSD Now - the place to B.. SD. This episode was brought to you by
Headlines
FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2014-10-2014-12.html)
The FreeBSD team has posted an update on some of their activities between October and December of 2014
They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve (http://www.bsdnow.tv/tutorials/bhyve), WINE and Xen all got some nice improvements
As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
Git was promoted from beta to an officially-supported version control system (Kris is happy)
The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work on the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
Check out the full report for all the details that we didn't cover
***
OpenBSD package signature audit (http://linux-audit.com/vulnerabilities-and-digital-signatures-for-openbsd-software-packages/)
"Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
They recently did an article about OpenBSD, specifically their ports and package system (http://www.bsdnow.tv/tutorials/ports-obsd) and signing infrastructure
The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
Package signature formats and public key distribution methods are also touched on
After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
If you haven't seen our episode about signify (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) with Ted Unangst, that would be a great one to check out after reading this
***
Replacing a Linux router with BSD (http://ask.slashdot.org/story/15/01/15/1547209/ask-slashdot-migrating-a-router-from-linux-to-bsd)
There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
A lot of people were quick to recommend OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) and pfSense, since they're very easy to administer (requiring basically no BSD knowledge at all)
Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/) or OpenBSD (http://www.bsdnow.tv/tutorials/openbsd-router)
If you've been thinking about moving some routers over from Linux or another commercial solution, this might be a good discussion to read through
Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information
***
LibreSSL in FreeBSD and OPNsense (http://bsdxbsdx.blogspot.com/2015/01/switching-to-openssl-from-ports-in.html)
A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
The reasoning is that updates in base tend to lag behind (http://www.openbsd.org/papers/eurobsdcon2014-libressl.html), whereas the port can be updated for security very quickly
OPNsense developers are looking into (https://twitter.com/fitchitis/status/555625679614521345) switching away (http://forum.opnsense.org/index.php?topic=21.0) from OpenSSL to LibreSSL's portable version (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl), for both their ports and base system, which would be a pretty huge differentiator for their project
Some ports still need fixing (https://bugs.freebsd.org/bugzilla/buglist.cgi?order=Importance&query_format=advanced&short_desc=libressl&short_desc_type=allwordssubstr) to be compatible though, particularly a few (https://github.com/opnsense/ports/commit/c15af648e9d5fcecf0ae666292e8f41c08979057) python-related (https://github.com/pyca/cryptography/issues/928) ones
If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
A lot of the work has already been done in OpenBSD's ports tree (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/) - some patches just need to be adopted
More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it
***
Interview - David Maxwell - david@netbsd.org (mailto:david@netbsd.org) / @davidwmaxwell (https://twitter.com/david_w_maxwell)
Pipecut (https://www.youtube.com/watch?v=CZHEZHK4jRc), text processing, commandline wizardry
News Roundup
Jetpack, a new jail container system (https://github.com/3ofcoins/jetpack)
A new project was launched to adapt FreeBSD jails to the "app container specification"
While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
It's a similar project to iocage (https://github.com/pannon/iocage) or bsdploy (https://github.com/ployground/bsdploy), which we haven't talked a whole lot about
There was also some discussion (https://news.ycombinator.com/item?id=8893630) about it on Hacker News
***
Separating base and package binaries (https://www.reddit.com/r/BSD/comments/2szofc)
All of the main BSDs make a strong separation between the base system and third party software
This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory
A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
Read the comments for the full explanation, but having things separated really helps keep things organized
***
Updated i915kms driver for FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=277487)
This update brings the FreeBSD code closer in line with the Linux code, to make it easier to update going forward
It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added
***
Year of the OpenBSD desktop (http://zacbrown.org/2015/01/18/openbsd-as-a-desktop/)
Here we have an article about using OpenBSD as a daily driver for regular desktop usage
The author says he "ran fifty thousand different distributions, never being satisfied"
After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
He also used FreeBSD between versions 7 and 9, finding "a mostly harmonious environment," but regressions led him to give up on desktop *nix once again
Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201
The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
He apparently used our desktop tutorial (http://www.bsdnow.tv/tutorials/the-desktop-obsd) - thanks for watching!
***
Unattended FreeBSD installation (http://louwrentius.com/freebsd-101-unattended-install-over-pxe-http-no-nfs.html)
A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
His goal was to have a setup similar to Redhat's "kickstart" or OpenBSD's autoinstall (http://www.bsdnow.tv/tutorials/autoinstall)
The article shows you how to set up DHCP and TFTP, with no NFS share setup required
He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you
***
Feedback/Questions
Robert writes in (http://slexy.org/view/s20UsZjN4h)
Sean writes in (http://slexy.org/view/s219cMQz3U)
l33tname writes in (http://slexy.org/view/s2EkzMUMyb)
Charlie writes in (http://slexy.org/view/s2nq6L6H1n)
Eric writes in (http://slexy.org/view/s21EGqUYLd)
***
Mailing List Gold
Clowning around (https://www.marc.info/?l=openbsd-cvs&m=142159202606668&w=2)
Better than succeeding in this case (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097734.html)
***
72: Common *Sense Approach
This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD. This episode was brought to you by
Headlines
Be your own VPN provider with OpenBSD (http://networkfilter.blogspot.com/2015/01/be-your-own-vpn-provider-with-openbsd.html)
We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN
***
FreeBSD vs Gentoo comparison (http://www.iwillfolo.com/2015/01/comparison-gentoo-vs-freebsd-tweak-tweak-little-star/)
People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more
***
Kernel W^X in OpenBSD (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2)
W^X, "Write XOR Execute (https://en.wikipedia.org/wiki/W%5EX)," is a security feature of OpenBSD with a rather strange-looking name
It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process from being both writable and executable at the same time
This helps blunt some types of buffer overflow exploits: code injected into a writable page won't execute, but will crash the program (quite obviously the lesser of the two evils)
Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously (http://www.openbsd.org/papers/ru13-deraadt/)
Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
More technical details can be found in some recent CVS commits (https://www.marc.info/?l=openbsd-cvs&m=141917924602780&w=2)
***
Building an IPFW-based router (http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/)
We've covered building routers with PF (http://www.bsdnow.tv/tutorials/openbsd-router) many times before, but what about IPFW (https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)?
A certain host of a certain podcast decided it was finally time to replace his disappointing (https://github.com/jduck/asus-cmd) consumer router with something BSD-based
In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
If you're an IPFW fan and are thinking about putting together a new router, give this post a read
***
Interview - Jos Schellevis - project@opnsense.org (mailto:project@opnsense.org) / @opnsense (https://twitter.com/opnsense)
The birth of OPNsense (http://opnsense.org)
News Roundup
On profiling HTTP (http://adrianchadd.blogspot.com/2015/01/on-profiling-http-or-god-damnit-people.html)
Adrian Chadd, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_09_17-the_promised_wlan), has been doing some more ultra-high performance testing
Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
According to him, it's "not very pretty"
He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
You can check out his new code on Github (https://github.com/erikarn/libevhtp-http/) right now
***
Using divert(4) to reduce attacks (http://daemonforums.org/showthread.php?s=db0dd79ca26eb645eadd2d8abd267cae&t=8846)
We talked about using divert(4) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/divert.4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
Consider setting this up to reduce the attack spam in your logs if you run public services
***
ChaCha20 patchset for GELI (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046814.html)
A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption (http://www.bsdnow.tv/tutorials/fde) system
There are also some benchmarks that look pretty good in terms of performance
Currently, GELI defaults to AES in XTS mode (https://en.wikipedia.org/wiki/Disk_encryption_theory#XEX-based_tweaked-codebook_mode_with_ciphertext_stealing_.28XTS.29) with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
There's some discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046824.html) going on about whether a stream cipher (https://en.wikipedia.org/wiki/Stream_cipher) is suitable or not (https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046834.html) for disk encryption though, so this might not be a match made in heaven just yet
***
PCBSD update system enhancements (http://blog.pcbsd.org/2015/01/new-update-gui-for-pc-bsd-automatic-updates/)
The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
You can choose what parts of your system you want to let it automatically handle (packages, security updates)
The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
There's also a new graphical frontend available for it
***
Feedback/Questions
Mat writes in (http://slexy.org/view/s2XJhAsffU)
Chris writes in (http://slexy.org/view/s20qnSHujZ)
Andy writes in (http://slexy.org/view/s21O0MShqi)
Beau writes in (http://slexy.org/view/s2LutVQOXN)
Kutay writes in (http://slexy.org/view/s21Esexdrc)
***
Mailing List Gold
Wait, a real one? (https://www.mail-archive.com/advocacy@openbsd.org/msg02249.html)
What's that glowing... (https://www.marc.info/?l=openbsd-misc&m=142125454022458&w=2)
***
71: System Disaster
This time on the show, we'll be talking to Ian Sutton about his new BSD compatibility wrappers for various systemd dependencies. Don't worry, systemd is not being ported to BSD! We're still safe! We've also got all the week's news and answers to your emails, coming up on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork (http://opnsense.org/)
OPNsense is a new BSD-based firewall project that was recently started (http://www.prnewswire.com/news-releases/deciso-launches-opnsense-a-new-open-source-firewall-initiative-287334371.html), forked from the pfSense codebase
Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
The core team (http://opnsense.org/about/about-opnsense/#opnsense-core-team) includes a well-known DragonFlyBSD developer
You can check out their code on Github (https://github.com/opnsense) now, or download an image and try it out - let us know (mailto:feedback@bsdnow.tv) if you do and what you think about it
They also have a nice wiki and some instructions on getting started (http://wiki.opnsense.org/index.php/Manual:Installation_and_Initial_Configuration) for new users
We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned
***
Code rot and why I chose OpenBSD (http://homing-on-code.blogspot.com/2015/01/code-rot-openbsd.html)
Here we have a blog post about rotting codebases - a core banking system in this example
The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
He goes on to compare it to OpenSSL and the Heartbleed disaster, from which LibreSSL was born
Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
The article continues on to mention OpenBSD's code review process, and how it catches bugs so we don't have more Heartbleeds
"In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
Look for the phrase "Getting Started" in the blog post for a nice little gem
***
ZFS vs HAMMER FS (https://forums.freebsd.org/threads/zfs-vs-hammer.49789/)
One of the topics we've seen come up from time to time is how FreeBSD's ZFS (http://www.bsdnow.tv/tutorials/zfs) and DragonFly's HAMMER FS (http://www.bsdnow.tv/tutorials/hammer) compare to each other
They both have a lot of features that traditional filesystems lack
A forum thread was opened for discussion about them both and what they're typically used for
It compares resource requirements, ideal hardware and pros/cons of each
Hopefully someone will do another new comparison when HAMMER 2 is finished
This is not to be confused with the other "hammer" filesystem (https://www.youtube.com/watch?v=HBXlVl5Ll6k)
***
Portable OpenNTPD revived (https://www.mail-archive.com/tech@openbsd.org/msg21886.html)
With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon (http://www.bsdnow.tv/tutorials/ntpd)
OpenBSD has developed OpenNTPD (http://openntpd.org/) since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
Brent Cook, who we've had on the show before (http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl) to talk about LibreSSL, decided it was time to fix this
While looking through the code, he also found some fixes (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/?sortby=date#dirlist) for the native version as well
You can grab it from Github (https://github.com/openntpd-portable/openntpd-portable) now, or just wait for the updated release (https://lists.freebsd.org/pipermail/freebsd-ports/2015-January/097400.html) to hit the repos of your OS of choice
***
Interview - Ian Sutton - ian@kremlin.cc (mailto:ian@kremlin.cc)
BSD replacements (https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systembsd.git;a=summary) for systemd dependencies (http://undeadly.org/cgi?action=article&sid=20140915064856)

News Roundup

pkgng adds OS X support (https://github.com/freebsd/pkg/pull/1113)
FreeBSD's next-gen package manager (http://www.bsdnow.tv/tutorials/pkgng) has just added support for Mac OS X
Why would you want that? Well.. we don't really know, but it's cool
The author of the patch may have some insight (https://github.com/freebsd/pkg/pull/1113#issuecomment-68063964) about what his goal is though
This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
While we're on the topic of pkgng, you can also watch bapt (http://www.bsdnow.tv/episodes/2014_01_01-eclipsing_binaries)'s latest presentation about it from ruBSD 2014 - "four years of pkg (http://is.gd/4AvUwt)"
***
Secure secure shell (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
Almost everyone watching BSD Now probably uses OpenSSH (http://www.bsdnow.tv/tutorials/ssh-tmux) and has set up a server at one point or another
This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
It specifically goes in-depth with server and client configuration, covering the best key types, KEX methods and encryption ciphers to use
There are also good explanations for all the choices, based both on history and probability
Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
We've also got a handy chart (http://ssh-comparison.quendi.de/comparison.html) to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients
***
Dissecting OpenBSD's divert(4) (http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/)
PF has a cool feature that not a lot of people seem to know about: divert
It lets you send packets to userspace, allowing you to inspect them much more easily
This blog post, the first in a series, details all the cool things you can do with divert and how to use it
A very common example is with intrusion detection systems like Snort
***
Screen recording on FreeBSD (https://www.banym.de/freebsd/create-a-screen-recording-on-freebsd-with-kdenlive-and-external-usb-mic)
This is a neat article about a topic we don't cover very often: making video content on BSD
In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
It also includes lots of details and helpful screenshots throughout the process
You should make cool screencasts and send them to us
***
Feedback/Questions
Camio writes in (http://slexy.org/view/s21Zx0ktmb)
ezpzy writes in (http://slexy.org/view/s2vVR5Orhh)
Emett writes in (http://slexy.org/view/s21Ahb5Lxa)
Ben writes in (http://slexy.org/view/s20oJmveN6)
Laszlo writes in (http://slexy.org/view/s2cTayMxPk)
***
Mailing List Gold
Protocol X97 (https://lists.freebsd.org/pipermail/freebsd-questions/2015-January/263441.html)
My thoughts echoed (https://www.marc.info/?l=openbsd-tech&m=141159429123859&w=2)
Vulnerability sample (http://www.openwall.com/lists/oss-security/2015/01/04/10)
***
70: Daemons in the North
It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

More conference presentation videos (http://2014.asiabsdcon.org/timetable.html.en)
Some more of the presentation videos from AsiaBSDCon are appearing online
Masanobu Saitoh, Developing CPE Routers Based on NetBSD (https://www.youtube.com/watch?v=ApruZrU5fVs)
Reyk Floeter (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time), VXLAN and Cloud-based Networking with OpenBSD (https://www.youtube.com/watch?v=ufeEP_hzFN0)
Jos Jansen, Adapting OS X to the enterprise (https://www.youtube.com/watch?v=gOPfRQgTjNo)
Pierre Pronchery (http://www.bsdnow.tv/episodes/2014_04_01-edgy_bsd_users) & Guillaume Lasmayous, Carve your NetBSD (https://www.youtube.com/watch?v=vh-TjLUj6os)
Colin Percival (http://www.bsdnow.tv/episodes/2014_01_22-tendresse_for_ten), Everything you need to know about cryptography in 1 hour (https://www.youtube.com/watch?v=jzY3m5Kv7Y8) (not from AsiaBSDCon)
The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks (https://www.youtube.com/user/bsdconferences/videos?sort=da&view=0&flow=grid) too - you may want to go back and watch them if you haven't already
***
OpenBSD PIE enhancements (https://www.marc.info/?l=openbsd-cvs&m=141922027318727&w=2)
ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization) and PIE (https://en.wikipedia.org/wiki/Position-independent_executable) are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
For example, the default shells (and many other things in /bin and /sbin) are statically linked
In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose (https://en.wikipedia.org/wiki/Return-oriented_programming)
With this and a few related commits (https://www.marc.info/?l=openbsd-cvs&m=141927571832106&w=2), OpenBSD fixes this by introducing static self-relocation
More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
It'll be available in 5.7 in May, or you can use a -current snapshot (http://www.openbsd.org/faq/faq5.html#BldBinary) if you want to get a slice of the action now
***
FreeBSD foundation semi-annual newsletter (https://www.freebsdfoundation.org/press/2014dec-newsletter.html)
The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
There are also sections about the FreeBSD Journal (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates)'s progress, a new staff member and a testimonial from NetApp
It's a very long report, so dedicate some time to read all the way through it
This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
As we go into 2015, consider donating to whichever (https://www.freebsdfoundation.org/donate) BSD (http://www.openbsdfoundation.org/donations.html) you (https://www.netbsd.org/donations/) use (http://www.dragonflybsd.org/donations/), it really can make a difference
***
Modernizing OpenSSH fingerprints (https://www.marc.info/?l=openbsd-cvs&m=141920089614758&w=4)
When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
Up until now, the key fingerprints have been an MD5 hash, displayed as hex
This can be problematic (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033117.html), especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
You can add a "FingerprintHash" line in your ssh_config to force using only the new type
There's also a new option (https://www.marc.info/?l=openbsd-cvs&m=141923470520906&w=2) to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
The new options should be in the upcoming 6.8 release
***
Interview - Dan Langille - info@bsdcan.org (mailto:info@bsdcan.org) / @bsdcan (https://twitter.com/bsdcan)
Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon (https://github.com/bsdphk/Ntimed)
As we've mentioned before in our tutorials (http://www.bsdnow.tv/tutorials/ntpd), there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
With all the recent security problems with ISC's NTPd, Poul-Henning Kamp (http://www.bsdnow.tv/episodes/2013_10_16-go_directly_to_jail) has been working on a third NTP daemon
It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports (https://www.freshports.org/net/ntimed/) or on Github
PHK also has a few blog entries (http://phk.freebsd.dk/time/) about the project, including status updates
***
OpenBSD-maintained projects list (http://mdocml.bsd.lv/openbsd_projects.html)
There was recently a thread on the misc mailing list (https://www.marc.info/?t=141961588200003&r=1&w=2) asking about different projects started by OpenBSD developers
The initial list had marks for which software had portable versions for other operating systems (OpenSSH being the most popular example)
A developer compiled a new list from all of the replies to that thread into a nice organized webpage
Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple of OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)
***
Monitoring network traffic with FreeBSD (https://forums.freebsd.org/threads/howto-monitor-network-traffic-with-netflow-nfdump-nfsen-on-freebsd.49724/)
If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike
***
Trapping spammers with spamd (http://www.protoc.org/blog/2014/12/22/trapping-spammers-with-the-openbsd-spam-deferral-daemon)
This is a blog post about OpenBSD's spamd (https://en.wikipedia.org/wiki/Spamd) - a spam email deferral daemon - and how to use it for your mail
It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
"Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
You can find spamd in the OpenBSD base system (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/spamd.8), or use it with FreeBSD (https://www.freshports.org/mail/spamd) or NetBSD (http://pkgsrc.se/mail/spamd) via ports and pkgsrc
You might also want to go back and listen to BSDTalk episode 68 (https://archive.org/details/bsdtalk068), where Will talks to Bob Beck about spamd
***
Feedback/Questions
Sean writes in (http://slexy.org/view/s20rUK9XVJ)
Brandon writes in (http://slexy.org/view/s20nfzIuT2)
Anders writes in (http://slexy.org/view/s20wCBhFLO)
David writes in (http://slexy.org/view/s20xGrBIyl)
Kyle writes in (http://slexy.org/view/s2QHRaiZJW)
***
Mailing List Gold
NTP code comparison (https://www.marc.info/?l=openbsd-tech&m=141903858708123&w=2) - 192870 vs. 2898 (https://www.marc.info/?l=openbsd-tech&m=141905854411370&w=2)
NICs have feelings too (https://lists.freebsd.org/pipermail/freebsd-hackers/2014-December/046741.html)
Just think about it (https://www.marc.info/?l=openbsd-ports&m=141998130824977&w=2)
***
69: Under the Ports Tree
It's a special holiday episode! We asked you guys in the audience to send in the tale of how you first got into BSD, and we're going to share those with everyone today. We'll also be playing two bonus mini-interviews, so get comfy by the fire and listen to some BSD Now - the place to B.. SD. This episode was brought to you by

Special segment

How our viewers got into BSD
Jason's story (text (http://slexy.org/view/s207hi9pTo))
bsdx's story (text (http://slexy.org/view/s20cmh0anD))
David's story (text (http://slexy.org/view/s21r4AL53g))
Brad's story (text (http://slexy.org/view/s2OqEie53V))
Reese's story (video)
Bryan's story (video)
Pete's story (text (http://slexy.org/view/s2ve2kfgW7))
Anders' story (text (http://slexy.org/view/s20eL5EYMv))
Guillermo's story (text (http://slexy.org/view/s20KRuIaks))
Jonathan's story (text (http://slexy.org/view/s20IFqrc7O))
Adam's story (text (http://slexy.org/view/s2FnnJH9zs))
Chris' story (text (http://slexy.org/view/s21GazXKH2))
Tigersharke's story (text (http://slexy.org/view/s2iJdLoxzZ))
Roller and Kandie's stories (text (http://slexy.org/view/s203RsddHG))
Uwe's story (text (http://slexy.org/view/s2gmB5VaS3))
Pascal's story (text (http://slexy.org/view/s2PWntJ7Tc)) and (image (https://i.imgur.com/ekXbDvb.jpg))
***
Interview - Erwin Lansing - erwin@freebsd.org (mailto:erwin@freebsd.org)
BSD in Europe, getting people involved

Interview - Cristina Vintila - @cristina_crow (https://twitter.com/cristina_crow)
BSD conferences
68: Just the Essentials
Coming up this week, we'll be talking with Michael Lucas about his newest BSD book, "FreeBSD Mastery: Storage Essentials." It's got lots of great information about the disk subsystems, GEOM, filesystems, you name it. We've also got the usual round of news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by

Headlines

More BSD conference videos (https://www.youtube.com/channel/UCLy8AikPZfWEmzWxUec69PA/videos)
We mentioned it a few times, but the "New Directions in Operating Systems" conference was held in November in the UK
The presentation videos are now online, with a few BSD-related talks of interest
Antti Kantee (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction), Rump kernels and why / how we got here (https://www.youtube.com/watch?v=GoB73cVyScI)
Franco Fichtner, An introduction to userland networking (https://www.youtube.com/watch?v=WiMNuGTRgbA)
Robert Watson (http://www.bsdnow.tv/episodes/2014_08_13-vpn_my_dear_watson), New ideas about old OS security (https://www.youtube.com/watch?v=60elN996rtg)
Lots of other interesting, but non-BSD-related, talks were also presented, so check the full list (https://www.youtube.com/playlist?list=PLmRrx948XMnEUlzKOCYn3AzT8OAInP_5M) if you're interested in operating systems in general
The 2014 AsiaBSDCon videos are also slowly being uploaded (better late than never)
Kirk McKusick (http://www.bsdnow.tv/episodes/2013-10-02_stacks_of_cache), An Overview of Security in the FreeBSD Kernel (https://www.youtube.com/watch?v=E04LxKiu79I)
Matthew Ahrens (http://www.bsdnow.tv/episodes/2014_05_14-bsdcanned_goods), OpenZFS ensures the continued excellence of ZFS (https://www.youtube.com/watch?v=8T9Rh-46jhI)
Eric Allman, Bambi Meets Godzilla: They Elope - Open Source Meets the Commercial World (https://www.youtube.com/watch?v=o2dmreSy76Q)
Scott Long (http://www.bsdnow.tv/episodes/2013_12_25-the_gift_of_giving), Modifying the FreeBSD kernel Netflix streaming servers (https://www.youtube.com/watch?v=4sZZN8Szh14)
Dru Lavigne (http://www.bsdnow.tv/episodes/2014_04_09-pxe_dust), ZFS for the Masses (https://www.youtube.com/watch?v=z5apZFFvx4k)
Kris Moore, Snapshots, Replication, and Boot Environments (https://www.youtube.com/watch?v=w-0PlAVSg5U)
David Chisnall (http://www.bsdnow.tv/episodes/2014_05_07-lets_get_raid), The Future of LLVM in the FreeBSD Toolchain (https://www.youtube.com/watch?v=NLqDAclXMMU)
Luba Tang, Bold, fast optimizing linker for BSD (https://www.youtube.com/watch?v=fWgbBUPMsVw)
John Hixson (http://www.bsdnow.tv/episodes/2014_04_23-its_gonna_get_nasty), Introduction to FreeNAS development (https://www.youtube.com/watch?v=iwF82aep-l8)
Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM (https://www.youtube.com/watch?v=2KLXcyLZ_RE)
Michael Dexter, Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite (https://www.youtube.com/watch?v=rjNg1eQ7uAk)
Peter Grehan (http://www.bsdnow.tv/episodes/2014_01_15-bhyve_mind), Nested Paging in Bhyve (https://www.youtube.com/watch?v=wptkUxJSNMY)
Martin Matuška, Deploying FreeBSD systems with Foreman and mfsBSD (https://www.youtube.com/watch?v=nb8jB5x0OX4)
James Brown (http://www.bsdnow.tv/episodes/2014_04_16-certified_package_delivery), Analysis of BSD Associate Exam Results (https://www.youtube.com/watch?v=6eKMLuzsTbY)
Mindaugas Rasiukevicius, NPF - progress and perspective (https://www.youtube.com/watch?v=cgBh0iC9WhM)
Luigi Rizzo, Netmap as a core networking technology (https://www.youtube.com/watch?v=nW8iHgOL9y4)
Michael W. Lucas (http://www.bsdnow.tv/episodes/2013_11_06-year_of_the_bsd_desktop), Sudo: You're Doing it Wrong (https://www.youtube.com/watch?v=o0purspHg-o) (not from a BSD conference, but still good)
They should make for some great material to watch during the holidays
***
OpenBSD vs FreeBSD security features (http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html)
From the author of both the OpenBSD and FreeBSD secure gateway articles we've featured in the past comes a new entry about security
The article goes through a list of all the security features enabled (and disabled) by default in both FreeBSD and OpenBSD
It covers a wide range of topics, including: memory protection, randomization, encryption, privilege separation, Capsicum, securelevels, MAC, Jails and chroots, network stack hardening, firewall features and much more
This is definitely one of the most in-depth and complete articles we've seen in a while - the author seems to have done his homework
If you're looking to secure any sort of BSD box, this post has some very detailed explanations of different exploit mitigation techniques - be sure to read the whole thing
There are also some good comments (http://daemonforums.org/showthread.php?s=16fd0771d929aff294b252924b414f2c&t=8823) on DaemonForums and lobste.rs (https://lobste.rs/s/e3s9xr/security_openbsd_vs_freebsd) that you may want to read
***
The password? You changed it, right? (http://bsdly.blogspot.com/2014/12/the-password-you-changed-it-right.html)
Peter Hansteen (http://www.bsdnow.tv/episodes/2014_04_30-puffy_firewall) has a new blog post up, detailing some weird SSH bruteforcing he's seen recently
He apparently reads his auth logs when he gets bored at an airport
This new bruteforcing attempt seems to be targeting D-Link devices, as evidenced by the three usernames the bots try to use
More than 700 IPs have tried to get into Peter's BSD boxes using these names in combination with weak passwords
Lots more details, including the lists of passwords and IPs, can be found in the full article
If you're using a BSD router (http://www.bsdnow.tv/tutorials/openbsd-router), things like this can be easily prevented with PF or fail2ban (and you probably don't have a "d-link" user anyway)
***
Get started with FreeBSD, an intro for Linux users (http://www.infoworld.com/article/2858288/unix/intro-to-freebsd-for-linux-users.html)
Another new BSD article on a mainstream technology news site - seems we're getting popular
This article is written for Linux users who may be considering switching over to BSD and wondering what it's all about
It details installing FreeBSD 9.3 and getting a basic system set up, while touching on ports and packages, and explaining some terminology along the way
"Among the legions of Linux users and admins, there seems to be a sort of passive curiosity about FreeBSD and other BSDs. Like commuters on a packed train, they gaze out at a less crowded, vaguely mysterious train heading in a slightly different direction and wonder what traveling on that train might be like"
***
Interview - Michael W. Lucas - mwlucas@michaelwlucas.com (mailto:mwlucas@michaelwlucas.com) / @mwlauthor (https://twitter.com/mwlauthor)
FreeBSD Mastery: Storage Essentials (https://www.tiltedwindmillpress.com/?product=freebsd-mastery-storage-essentials)

News Roundup

OpenSMTPD status update (https://poolp.org/0xa86e/Some-OpenSMTPD-overview,-part-3)
The OpenSMTPD guys (http://www.bsdnow.tv/episodes/2013-09-18_mx_with_ttx), particularly Gilles, have posted an update on what they've been up to lately
As of 5.6, it's become the default MTA in OpenBSD, and sendmail will be totally gone in 5.7
Email is a much more tricky protocol than you might imagine, and the post goes through some of the weirdness and problems they've had to deal with
There's also another post (https://poolp.org/0xa871/The-state-of-filters) that goes into detail on their upcoming filtering API - a feature many have requested
The API is still being developed, but you can test it out now if you know what you're doing - full details in the article
OpenSMTPD also has portable versions in FreeBSD ports and NetBSD pkgsrc, so check it out
***
OpenCrypto changes in FreeBSD (https://lists.freebsd.org/pipermail/svn-src-head/2014-December/065806.html)
A little while back, we talked to John-Mark Gurney (http://www.bsdnow.tv/episodes/2014_10_29-ipsecond_wind) about updating FreeBSD's OpenCrypto framework, specifically for IPSEC
Some of that work has just landed in the -CURRENT branch, and the commit message has a few details
The ICM and GCM modes of AES were added, and both include support for AES-NI
There's a new port - "nist-kat" - that can be used to test the new modes of operation
Some things were fixed in the process as well, including an issue that would leak timing info and result in the ability to forge messages
Code was also borrowed from both OpenBSD and NetBSD to make this possible
***
First thoughts on OpenBSD's httpd (http://www.protoc.org/blog/2014/11/23/first-thoughts-on-the-new-openbsd-httpd-server/)
Here we have a blog post from a user of OpenBSD's new homegrown web server that made its debut in 5.6
The author loves that it has proper privilege separation, a very simple config syntax and that it always runs in a chroot
He also mentions dynamic content hosting with FastCGI, and provides an example of how to set it up
Be sure to check our interview with Reyk (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) about the new httpd if you're curious about how it got started
Also, if you're running the version that came with 5.6, there's a huge patch (http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig) you can apply to get a lot of the features and fixes from -current without waiting for 5.7
***
Steam on PCBSD (https://www.youtube.com/watch?v=B04EuZ9hpAI)
One of the most common questions people who want to use BSD as a desktop ask us is "can I run games?" or "can I use Steam?"
Steam through the Linux emulation layer (in FreeBSD) may be possible soon, but it's already possible to use it with WINE
This video shows how to get Steam set up on PCBSD using the Windows version
There are also some instructions in the video description to look over
A second video (https://www.youtube.com/watch?v=BJ88B8aWdk0) details getting streaming set up
***
Feedback/Questions
Charlie writes in (http://slexy.org/view/s2JgqXcw4i)
Sean writes in (http://slexy.org/view/s2WormjMCs)
Predrag writes in (http://slexy.org/view/s20UmdFrbj)
***