Podcasts about IPsec

Send us a textCybersecurity professionals need a solid understanding of secure communication protocols, not just for exam success but for real-world implementation. This episode unpacks the essential protocols covered in CISSP Domain 4.1.3, providing clear explanations of how each works and when to use them.We begin with a timely discussion of the recent UnitedHealthcare hack, examining how ransomware crippled Change Healthcare systems nationwide. This case study highlights the critical importance of understanding security protocols and being able to articulate potential business impacts to leadership. Sean shares practical approaches for estimating downtime costs to help justify security investments.The heart of this episode explores crucial security protocols including IPsec tunnels, Kerberos authentication, Secure Shell (SSH), and the Signal protocol. Each section covers how these technologies function, their ideal use cases, and their respective strengths and limitations. The discussion extends to transport layer security (TLS), layer 2 tunneling protocol (L2TP), and lesser-known protocols like secure real-time transport protocol (SRTP) and Zimmerman real-time transport protocol (ZRTP).Sean breaks down complex technical concepts into accessible explanations, perfect for both CISSP candidates and practicing security professionals. Understanding these protocols isn't just about passing an exam—it's about making informed decisions when implementing security architecture in your organization. Whether you're preparing for certification or looking to strengthen your organization's security posture, this episode provides valuable insights into the fundamental building blocks of secure communications.Check out cisspcybertraining.com for free resources including practice questions, training videos, and blog posts to support your cybersecurity learning journey.Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Send us a textPreparing for a cloud network engineering interview at a tech giant? This episode delivers essential insights from someone who conducts these interviews. Kam Agahian, Senior Director of Cloud Engineering at Oracle, returns to continue our deep dive into what really matters when interviewing for these coveted positions.We begin by addressing listener questions about TCP/IP preparation, with Kam suggesting Wireshark packet analysis as a practical approach to master these foundational concepts. While acknowledging these topics can be dry, he emphasizes their critical importance as differentiators in the interview process.The conversation then shifts to the heart of cloud networking: connectivity between environments. Kam breaks down the two primary approaches – IPsec tunnels versus dedicated connections (like FastConnect, DirectConnect, ExpressRoute) – explaining when each makes sense and what you need to understand about them beyond simple definitions. The discussion includes encryption options, real-world implementation challenges, and how cloud service providers differ in their connectivity models.For routing, Kam explains how priorities have shifted from traditional networking interviews. While IGP protocols matter less at cloud boundaries, BGP knowledge remains crucial – but focused on practical applications rather than obscure features. "90-95% of BGP is done around a few topics – inbound and outbound traffic influence, convergence, and troubleshooting," he notes, advising candidates to understand both the "how" and "why" behind concepts like communities, attributes, and ECMP.Throughout the episode, both hosts emphasize a critical insight: cloud networking interviews aren't configuration tests. The most successful candidates demonstrate deep understanding of why technologies are appropriate for specific scenarios, how they've evolved, and the nuances of their implementation in cloud environments versus traditional networks. This thoughtful approach reveals the problem-solving abilities that tech giants value most in their cloud networking teams.Purchase Chris and Tim's new book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/ Check out the Fortnightly Cloud Networking Newshttps://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/Visit our website and subscribe: https://www.cables2clouds.com/Follow us on BlueSky: https://bsky.app/profile/cables2clouds.comFollow us on YouTube: https://www.youtube.com/@cables2clouds/Follow us on TikTok: https://www.tiktok.com/@cables2cloudsMerch Store: https://store.cables2clouds.com/Join the Discord Study group: https://artofneteng.com/iaatj

У нас было несколько IP-transit'ов, полдюжины серверов, пару кб скриптов на питоне и настроенный 15 лет назад FreeRADIUS. Не то чтобы это всё нам было необходимо, но в какой-то момент мы не смогли остановиться и теперь 30 тысяч одновременных соединений OpenVPN — это что-то из раздряда "ну да, а че такого-то?" Надо разобраться! Про что: Рассказ по потивам OpenVPN@Yandex: большое плавание однопоточного сервера Каково это - 17 лет работы в Яндексе и прикоснуться почти ко всему? С Cisco VPN на OpenVPN. Почему динамический фаервол? Использование сертификатов X509 Интеграция с RADIUS для динамической конфигурации прав доступа. И патчи в апстрим. Почему OpenVPN, а не WireGuard, IPSec? Сообщение telecom №145. Тридцать тысяч OpenVPN-ов появились сначала на linkmeup.

Send us a textDiscover how a ransomware attack nearly brought vodka titan Stoli to its knees, pushing the company to the brink of bankruptcy with a staggering $78 million debt. This episode promises a compelling exploration of the catastrophic impact on their ERP systems and the urgent need for a solid business resiliency plan. Join me, Sean Gerber, as we unravel the complexities of managing IT risks, the geopolitical challenges faced by companies like Stoli, and the critical importance of conveying these risks to senior leadership—especially when regulatory deadlines loom.On a technical front, we'll demystify the nuances between IPsec transport and tunnel modes, breaking down misconceptions and shining a light on potential vulnerabilities such as outdated TLS versions. Learn why HSTS and DNS over HTTPS might not be the silver bullets they appear to be, and how HTTPS, while robust, isn't immune to phishing threats. This episode is an essential guide for cybersecurity professionals keen on fortifying their defenses against the relentless and evolving threats in today's digital landscape. Tune in for a rich blend of analysis and insights that underscore the vital role of awareness and technical knowledge in safeguarding our digital world.Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Enhancing FreeBSD Stability With ZFS Pool Checkpoints, Plaintext is not a great format for (system) logs, Initial playlist of 28 BSDCan Videos released, Installing FreeBSD 14 on Raspberry Pi 4B with ZFS root, A practical guide to VPNs, IPv6, routing domains and IPSEC, How to mount ISO or file disk images on OpenBSD, and more NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines Enhancing FreeBSD Stability With ZFS Pool Checkpoints (https://it-notes.dragas.net/2024/07/01/enhancing-freebsd-stability-with-zfs-pool-checkpoints/) Plaintext is not a great format for (system) logs (https://utcc.utoronto.ca/~cks/space/blog/sysadmin/PlaintextNotGreatLogFormat) News Roundup Initial playlist of 28 BSDCan Videos released (http://undeadly.org/cgi?action=article;sid=20240630100913) Installing FreeBSD 14 on Raspberry Pi 4B with ZFS root (https://axcella.com/blog/2024/02/03/installing-freebsd-14-on-raspberry-pi-4b-with-zfs-root/) The following components make up my setup: Raspberry Pi 4B, 8 GB RAM (https://www.raspberrypi.com/products/raspberry-pi-4-model-b/) Official Raspberry Pi 4 Power Supply (https://www.raspberrypi.com/products/power-supply/) Geekworm Raspberry Pi 4 11mm Embedded Heatsink (P165-B) (https://geekworm.com/products/raspberry-pi-4-11mm-embedded-heatsink-p165-b) Geekworm for Raspberry Pi 4, X862 V2.0 M.2 NGFF SATA SSD Storage Expansion Board with USB 3.1 Connector Support Key-B 2280 SSD (https://geekworm.com/products/x862) WD Blue SA510 SATA SSD 2 TB M.2 2280 (https://www.westerndigital.com/products/internal-drives/wd-blue-sa510-sata-m-2-ssd?sku=WDS200T3B0B) 4K 60Hz Micro HDMI to HDMI Adapter (to connect to a monitor, can also run headless with just power and network cable connected) A practical guide to VPNs, IPv6, routing domains and IPSEC (http://undeadly.org/cgi?action=article;sid=20240706084626) How to mount ISO or file disk images on OpenBSD (https://dataswamp.org/~solene/2024-06-15-mount-iso-file-openbsd.html) Beastie Bits DeadBSD Series - There have been a few FreeBSD derived OS's over the years, some stay, many others fade away. In this series, DeadBSD's, we will be revisiting those long gone BSD's and see what we missed out on. Fury (https://www.youtube.com/watch?v=3xl2BdlBjg0) CultBSD (https://www.youtube.com/watch?v=hmT1fXuOyos) Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions 569 - RobN - A Thanks (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/569/feedback/Rob%20-%20A%20Thanks.md) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Join us and other BSD Fans in our BSD Now Telegram channel (https://t.me/bsdnow)

Send us a Text Message.Are multi-layer protocols the key to safeguarding our digital world amidst the rising tide of cyberattacks? Join me, Sean Gerber, as I unravel the complexities of these protocols and their vital role in cybersecurity, drawing from the CISSP ISC² domains 4.1.4 and 4.1.5. By sharing my firsthand experiences and highlighting the alarming $22 million ransomware payout by Change Healthcare, I underscore the urgent need for redundancy in critical systems, especially within vulnerable sectors like healthcare.Let's decode the layers of data encapsulation, from the basic principles of TCP/IP to the robust security offered by TLS and IPsec. We'll discuss how VPN tunnels enhance security and tackle the sophisticated challenge of attackers concealing their activities within encrypted traffic. Discover methods to unmask these covert channels using decryption appliances and targeted traffic inspection, and explore the fascinating realm of steganography for data concealment.The journey continues with a deep dive into data exfiltration techniques, including EDI communication and low-level network protocols like ICMP and DNS. Learn how malicious actors bypass detection and how network administrators can stay vigilant. Finally, I'll share my passion for mentorship in cybersecurity, highlighting the enriching experiences and opportunities available through CISSP Cyber Training and my own platforms. Whether you're a seasoned professional or an aspiring expert, this episode offers valuable insights and resources to bolster your cybersecurity knowledge and career.Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Embark on an exciting foray into the ever-evolving world of cybersecurity with me, Sean Gerber, as I chart a new course into independent consultancy. The waters are rough, with the UK's critical infrastructure facing an unprecedented OT threat landscape, exacerbated by global geopolitical unrest. Uncover how seemingly secure supply chains and legacy OT systems can become a playground for cyber adversaries, and why protecting energy and utilities has never been more vital. Gain insight into the Purdue model's crucial role in network segregation, and realize how these strategies are essential defenses against the sophisticated threats of today.Transitioning to the educational side of cyber defense, this episode serves as a beacon for CISSP aspirants. We tackle domain 4.1.3 head-on with a CISSP question session that challenges and hones your understanding of essential security protocols like IPsec and Kerberos. I also unveil the extensive arsenal of resources available at cispsybertraining.com, providing everything from free videos to a meticulously crafted blueprint for acing the CISSP exam. Whether you're a seasoned pro or just starting, this podcast is your ally in the quest for certification and mastery in the digital security realm.Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.

Embark on a cybersecurity odyssey with Sean Gerber as he reveals his leap into the consultancy realm, navigating the precarious balance between the thrill of independence and the stark realities of forging a new path. This episode offers an insider's perspective on secure communication protocols, a fundamental aspect of the CISSP exam, and a critical component of any robust cybersecurity defense. As we dissect the repercussions of the United Health Care hack and its jaw-dropping $22 million ransom, we'll equip you with the acumen to convey the financial stakes of cyber incidents to those who hold the purse strings.As the digital world's intricacies unravel, we delve into the heart of network security with a focus on IPsec configurations and Public Key Infrastructure's role in authentication. You'll gain insights into the synergy between Kerberos and Active Directory, and the critical trade-offs between ease of access and ironclad security. Our journey also scrutinizes the pressing need to abandon outdated algorithms in favor of more resilient encryption standards, ensuring that your remote access remains a bastion against ever-evolving cyber threats.Rounding off our excursion, we examine SRTP and ZRTP, protocols that stand at the vanguard of securing real-time communications like VoIP. Assess the benefits of these protocols against potential hurdles and system intricacies. Moreover, we'll discuss the intersection of the ZRTP with the widely recognized Signal protocol, providing you with a comprehensive understanding of the landscape of secure communications. Join us for a deep dive into the technologies that safeguard our digital interactions and arm yourself with knowledge that transcends the theoretical, ready to be applied in the practical world of cybersecurity.Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.

Le VPN: Virtual Private Networks, o Reti Private Virtuali per gli amanti autarchici della bella lingua italiana.Dopo la pandemia tutti gli YouTuber si sono improvvisamente trasformati in esperti di cybersecurity.Ora sembra che una VPN sia il Santo Graal, la cura per tutti i mali digitali."Metti su una VPN e voilà, sei invincibile come Iron Man!"Ma in quale mondo vivono? Una VPN è carina e tutto il resto, ma pensare che risolva tutti i problemi è come credere che mettere un cerotto su una gamba rotta sia una cura definitiva.Tutti i miei link: https://linktr.ee/br1brownTELEGRAM INSTAGRAM Se ti va supportami https://it.tipeee.com/br1brown

Implementing a system call for OpenBSD, Self-Hosted Email services on OpenBSD, First 5 Minutes on a New FreeBSD Server, OLD COMPUTER RESCUE - X201, sec(4) for Route Based IPSec VPNs, send syslog messages using command-line utilities, Keeping email sorted (the hard way), and more NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines Implementing a system call for OpenBSD (https://poolp.org/posts/2023-07-05/implementing-a-system-call-for-openbsd/) Self-Hosted Email services on OpenBSD (https://www.tumfatig.net/2023/self-hosted-email-services-on-openbsd/) The First 5 Minutes on a New FreeBSD Server (https://herrbischoff.com/2022/12/the-first-5-minutes-on-a-new-freebsd-server/) News Roundup OLD COMPUTER RESCUE - X201 (https://triapul.cz/automa/old-computer-rescue-x201/) [CFT] sec(4) for Route Based IPSec VPNs (http://undeadly.org/cgi?action=article;sid=20230704094238) How to send syslog messages using command-line utilities (https://sleeplessbeastie.eu/2023/09/11/how-to-send-syslog-messages-using-command-line-utilities/) Keeping my email sorted (the hard way) (https://sebastiano.tronto.net/blog/2022-10-19-email-setup/) Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions Albin - Links (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/530/feedback/Albin%20-%20Links.md) Douglas - Best practices (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/530/feedback/Douglas%20-%20Best%20practices.md) Patrick - Ideas Feedback (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/530/feedback/Patrick%20-%20Ideas%20Feedback.md) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Join us and other BSD Fans in our BSD Now Telegram channel (https://t.me/bsdnow)

I detta avsnitt av IT-säkerhetspodden undersöker Erik Zalitis och Mattias Jadesköld IPv6. Trots att tekniken funnits i ungefär 20 år och att IPv4 adresserna är slut har det inte riktigt tagit fart på tekniken. Varför är det så och är det värt att gå över till IPv6 om man är ansvarig för ett nätverk? De frågorna diskuterar duon djupare i avsnittet. Och säkerheten givetvis! Säkerheten sägs vara inbyggt i grunden i IPv6 men vad betyder det? Och finns det några falluckor? Ja, det allvarligaste är inte relaterat till tekniken utan någonting annat ... Några begrepp som tas upp är IPsec (massor!), Checksum, packet fragmentation, DDoS, packet injections, DNS leak och man in the middle.

О модной технологии SD-WAN мы говорили (послушать можно здесь и здесь) практически в другой жизни. С тех пор многое изменилось, и SD-WAN пропал из списка тем, обсуждаемых в горячих дискуссиях настоящих сетевиков. Зато появился в дискуссиях, как это ни странно, безопасников. Разбираемся, что изменилось, с сетевиками из крупного вендора безоспасности. О чем: почему Лаборатория Касперского решила выпускать что-то для сетей и как так случилось, что первым продуктом стал именно SD-WAN как устроено решение Касперского: принципиальные отличия нового подхода vs традиционных IPSec-based решений где теперь живет control plane и data plane, и как сделать так, чтобы не падало кто такой этот ваш NFV и при чем тут виртуализация есть ли в современном мире место для OpenFlow как не потерять столь важный ICMP reply: пробники, мониторинги и FEC какие ограничения накладывают реалии, зачем нужен SD-WAN заказчикам в России почему так мало SD-WAN сетей, хотя Gartner называет его чуть ли не самой перспективной сетевой технологией Сообщение telecom №123. Kaspersky. Sd-WAN появились сначала на linkmeup.

Today we discuss IPSec tunnels, about IPSec and how to troubleshoot both building new tunnels and issues with existing ones.

Die Fritzbox ist wohl der populärste Router in Deutschland. Etliche Internet-Provider versuchen mit der Zugabe einer Fritzbox Kunden zu locken und vermutlich war jeder schon selbst mit dem WLAN einer Fritzbox verbunden. Zu der Popularität hat auch das Betriebssystem FritzOS beigetragen, dass Hersteller AVM langfristig pflegt und wofür es regelmäßig Updates veröffentlicht. Ein größeres Update steht nun bevor und soll unter der Versionsnummer FritzOS 7.50 erscheinen. Es bietet unter anderem VPN über das moderne WireGuard-Protokoll an. Zudem lassen sich VPN-Verbindung sowohl über WireGuard als auch über das alte IPSec endlich auch per IPv6 aufbauen. Die c't-Redakteure Dušan Živadinović und Ernst Ahlers haben die Beta-Versionen aus dem Fritz-Labor unter die Lupe genommen. Im c't uplink stellen sie die neuen Funktionen vor, erklären Messwerte, die sie ermittelt haben und bieten Orientierung bei der Fritzbox-Modellpalette. Gemeinsam mit Moderator Keywan Tonekaboni sprechen sie aber auch über Alternativen zum AVM Router und was man beachten sollte, wenn man selbst die Labor-Version des FritzOS testen möchte. Mit dabei: Dušan Živadinović, Ernst Ahlers und Keywan Tonekaboni **SPONSOR-HINWEIS** Dieser Podcast ist gesponsert von msg. Bei msg treibst Du als Spezialist (m/w/d) im Software-Engineering oder IT-Consulting die digitale Transformation ganzer Branchen voran. Entdecke spannende IT-Jobs, beste individuelle Entwicklungsmöglichkeiten sowie flexible Arbeitszeiten mit Überstundenausgleich für deine gesunde Work-Life-Balance! Mehr Infos auf: karriere.msg.group **SPONSOR-HINWEIS ENDE**

Die Fritzbox ist wohl der populärste Router in Deutschland. Etliche Internet-Provider versuchen mit der Zugabe einer Fritzbox Kunden zu locken und vermutlich war jeder schon selbst mit dem WLAN einer Fritzbox verbunden. Zu der Popularität hat auch das Betriebssystem FritzOS beigetragen, dass Hersteller AVM langfristig pflegt und wofür es regelmäßig Updates veröffentlicht. Ein größeres Update steht nun bevor und soll unter der Versionsnummer FritzOS 7.50 erscheinen. Es bietet unter anderem VPN über das moderne WireGuard-Protokoll an. Zudem lassen sich VPN-Verbindung sowohl über WireGuard als auch über das alte IPSec endlich auch per IPv6 aufbauen. Die c't-Redakteure Dušan Živadinović und Ernst Ahlers haben die Beta-Versionen aus dem Fritz-Labor unter die Lupe genommen. Im c't uplink stellen sie die neuen Funktionen vor, erklären Messwerte, die sie ermittelt haben und bieten Orientierung bei der Fritzbox-Modellpalette. Gemeinsam mit Moderator Keywan Tonekaboni sprechen sie aber auch über Alternativen zum AVM Router und was man beachten sollte, wenn man selbst die Labor-Version des FritzOS testen möchte. **SPONSOR-HINWEIS** Dieser Podcast ist gesponsert von msg. Bei msg treibst Du als Spezialist (m/w/d) im Software-Engineering oder IT-Consulting die digitale Transformation ganzer Branchen voran. Entdecke spannende IT-Jobs, beste individuelle Entwicklungsmöglichkeiten sowie flexible Arbeitszeiten mit Überstundenausgleich für deine gesunde Work-Life-Balance! Mehr Infos auf: karriere.msg.group **SPONSOR-HINWEIS ENDE**

Die Fritzbox ist wohl der populärste Router in Deutschland. Etliche Internet-Provider versuchen mit der Zugabe einer Fritzbox Kunden zu locken und vermutlich war jeder schon selbst mit dem WLAN einer Fritzbox verbunden. Zu der Popularität hat auch das Betriebssystem FritzOS beigetragen, dass Hersteller AVM langfristig pflegt und wofür es regelmäßig Updates veröffentlicht. Ein größeres Update steht nun bevor und soll unter der Versionsnummer FritzOS 7.50 erscheinen. Es bietet unter anderem VPN über das moderne WireGuard-Protokoll an. Zudem lassen sich VPN-Verbindung sowohl über WireGuard als auch über das alte IPSec endlich auch per IPv6 aufbauen. Die c't-Redakteure Dušan Živadinović und Ernst Ahlers haben die Beta-Versionen aus dem Fritz-Labor unter die Lupe genommen. Im c't uplink stellen sie die neuen Funktionen vor, erklären Messwerte, die sie ermittelt haben und bieten Orientierung bei der Fritzbox-Modellpalette. Gemeinsam mit Moderator Keywan Tonekaboni sprechen sie aber auch über Alternativen zum AVM Router und was man beachten sollte, wenn man selbst die Labor-Version des FritzOS testen möchte. Mit dabei: Dušan Živadinović, Ernst Ahlers und Keywan Tonekaboni **SPONSOR-HINWEIS** Dieser Podcast ist gesponsert von msg. Bei msg treibst Du als Spezialist (m/w/d) im Software-Engineering oder IT-Consulting die digitale Transformation ganzer Branchen voran. Entdecke spannende IT-Jobs, beste individuelle Entwicklungsmöglichkeiten sowie flexible Arbeitszeiten mit Überstundenausgleich für deine gesunde Work-Life-Balance! Mehr Infos auf: karriere.msg.group **SPONSOR-HINWEIS ENDE**

L2TP/IPSec VPN を設定する機会があり、その際に「トンネル内でサイズが大きなパケットを 1 つでも送出した瞬間にトンネル全体の通信が止まって VPN接続が切れる」というトンネル崩壊現象に悩まされました。

Wireshark TCP Deep Dive continues: You need to understand this - whats the difference between Maximum Transmission Unit (MTU) vs Maximum Segment Size (MSS). // MENU // 00:00 ▶️ Coming Up 00:25 ▶️ Intro 00:32 ▶️ Chris introduction 00:47 ▶️ Topic: Maximum Segment Size (MSS) 01:27 ▶️ Explaining Maximum Transmission Unit (MTU) 08:42 ▶️ Interface layout 10:25 ▶️ David Bombal "War Story" 12:00 ▶️ Wireshark demo 13:26 ▶️ Increasing the MTU on your device for larger connections 16:27 ▶️ Difference between MTU and MSS 19:36 ▶️ Wireshark demo (cont'd) 24:58 ▶️ Using Path MTU Discovery 27:02 ▶️ Ping and Wireshark demo 33:32 ▶️ Cool trick for Mac system 35:08 ▶️ TCP/MSS Clamping 38:21 ▶️ Chris Greer "War Story" 51:09 ▶️ What happens if you can't capture a server 55:08 ▶️ MSS Adjustment commands 56:55 ▶️ Tunnel Path MTU Discovery 57:40 ▶️ Figuring out 1432 01:02:52 ▶️ Conclusion 01:04:48 ▶️ "Cool features" in Wireshark Previous video: https://youtu.be/rmFX1V49K8U // Wireshark PCAP files // MTU PCAP: https://github.com/packetpioneer/yout... War Story PCAP Client: https://github.com/packetpioneer/yout... War Story PCAP Server: https://github.com/packetpioneer/yout... Special “Thumbs Up” and “Subscribe” PCAP: https://github.com/packetpioneer/yout... // VLAD SOCIAL // Twitter: https://twitter.com/Packet_vlad PMTUD Blog: http://www.packettrain.net/2016/09/21... Thanks Vladimir Gerasimov! // GOOD READING // Network Implications of PMTUD: https://www.ipspace.net/kb/Internet/P... Path MTU Discovery: https://www.ipspace.net/kb/Internet/P... Resolve IPv4 Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec: https://www.cisco.com/c/en/us/support... Configuring TCP MSS Adjustment: https://www.cisco.com/c/en/us/td/docs... Ethernet MTU and TCP MSS Adjustment Concept for PPPoE Connections: https://www.cisco.com/c/en/us/support... // MY STUFF // https://www.amazon.com/shop/davidbombal // David SOCIAL // Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal // Chris SOCIAL // Udemy course: https://davidbombal.wiki/chriswireshark LinkedIn: https://www.linkedin.com/in/cgreer/ YouTube: https://www.youtube.com/c/ChrisGreer Twitter: https://twitter.com/packetpioneer // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com tcp mss mtu tcp/ip tcp ip ipv4 wireshark icmp slow icmp dropped packets wireshark tutorial wireshark training packet analysis packet capture tcp handshake tcp analysis tcp connections chris greer wireshark chris greer chris greer wireshark wireshark chris transport control protocol how tcp works tcp/ip transport protocol packet network mtu maximum transmission unit tcp mss maximum segment size free wireshark tutorial network troubleshooting tcp/ip analysis wireshark mtu wireshark mss ipsec gre mpls tunnels troubleshoot slow network troubleshooting slow networks troubleshoot slow internet Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! #wireshark #tcp #mtu

About Averywvdial, bup, sshuttle, netselect, popularity-contest, redo, gfblip, GFiber, and now @Tailscale doing WireGuard mesh. Top search result for "epic treatise."Links Referenced: Webpage: https://tailscale.com Tailscale Twitter: https://twitter.com/tailscale Personal Twitter: https://twitter.com/apenwarr TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I'm going to just guess that it's awful because it's always awful. No one loves their deployment process. What if launching new features didn't require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren't what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.Corey: This episode is sponsored by our friends at Revelo. Revelo is the Spanish word of the day, and its spelled R-E-V-E-L-O. It means “I reveal.” Now, have you tried to hire an engineer lately? I assure you it is significantly harder than it sounds. One of the things that Revelo has recognized is something I've been talking about for a while, specifically that while talent is evenly distributed, opportunity is absolutely not. They're exposing a new talent pool to, basically, those of us without a presence in Latin America via their platform. It's the largest tech talent marketplace in Latin America with over a million engineers in their network, which includes—but isn't limited to—talent in Mexico, Costa Rica, Brazil, and Argentina. Now, not only do they wind up spreading all of their talent on English ability, as well as you know, their engineering skills, but they go significantly beyond that. Some of the folks on their platform are hands down the most talented engineers that I've ever spoken to. Let's also not forget that Latin America has high time zone overlap with what we have here in the United States, so you can hire full-time remote engineers who share most of the workday as your team. It's an end-to-end talent service, so you can find and hire engineers in Central and South America without having to worry about, frankly, the colossal pain of cross-border payroll and benefits and compliance because Revelo handles all of it. If you're hiring engineers, check out revelo.io/screaming to get 20% off your first three months. That's R-E-V-E-L-O dot I-O slash screaming.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Generally, at the start of these shows, I mention something about money. When I have a promoted guest, which means that they are sponsoring this episode, I talk about that. This is not that moment. There's no money changing hands here.And in fact, I'm about to talk about a product that I am a huge fan of, but I'm, also as of this recording, not paying for. So, one might think I'm the product, but no. Let's actually start by talking about money. My guest today is Avery Pennarun, the CEO of Tailscale, and as of today, being the day that this goes out, you folks have just raised $100 million in a Series B. First, thank you for joining me, followed immediately by congratulations.Avery: It's great to be here, and thank you. It's an exciting announcement that I hope we don't end up spending too much time talking about because money is a lot more boring than technology. But yeah, we are very happy, both to be here and to be making the announcement.Corey: Yeah. CRV and Insight Partners are the lead investors on the round. And it's great to see because I've been using Tailscale for a while now. And it is a transformative experience for the way that I think about these things. A while back, I wrote a Lambda layer that lets Lambda functions take advantage of it, but in fairness, I did write it, so anyone looking at that should—“Haha, that's why you're not a developer full-time. You're bad at it.” Yes, I am.But I can't stop raving about how useful Tailscale is, with the counterpoint that it's also very difficult to explain to people who are not—at least in my experience—broken in a very particular way, as I am. What is Tailscale? And what does it do?Avery: Right. Well, I mean, first of all, one of the things I really like about Tailscale and what we built is that, you know, even if you're not a super great developer—like you just described yourself—you can get excited about it, you can use it for things, you can build on top of it, and contribute back without having to understand every single little detail of what it does, right? Tailscale is something that a lot of people get excited about without having to know how it works; they just know what it gives them, right? The answer to what Tailscale is, is sort of… it can be hard to explain to people who don't know about the kinds of problems that it solves, but the super short answer is it connects all of your devices and virtual machines and containers to each other, wherever they are, without going through an intermediary, right? So, it minimizes latency and it maximizes throughput, and it minimizes pain. And it sounds like that should be hard, but you can get it all done in, like, five minutes.Corey: I have been using it for a while now. Originally, I was using it and federating through it I believe, via Google. I rebuilt and tore down the entire network in about five minutes, instead started federating through GitHub. Nowadays, you apparently changed your position on that identity and you use third-party SSL sources, as well as retaining user information and login stuff yourselves, which is just, it's almost starved for choice, on some level. But I am such a fan of the product that if you'll forgive me if I talk for about a minute or so on how I use it and my experience of it.Avery: Go for it.Corey: So, I wind up firing up Tailscale, and I have a network that from any of my devices, I can talk to any other. I have a couple of EC2 machines hanging out in AWS, I have a Raspberry Pi that I use as a DNS server sitting in the other room, I have my iPad, I have my iPhone, I have my laptop, I have my desktop, I have a VM sitting over in Google Cloud, I have a different VM sitting over an Oracle Cloud. And all of these things can talk to each other directly over a secured network. I can override DNS and talk to these things just by the machine name, I can talk to them via the address that winds up being passed out to them through this. It is transformative. It works on IPv4, IPv6, if I'm on a network without IPv6 access using Tailscale, suddenly I can.I can emerge from almost any other node on this network. And adding a new device to this is effectively opening a link in a browser on either that device or a different one, clicking approve once I log in, and it's done. That is my experience of it, so far. Is that directionally correct as far as how you think about the product? Because again, I use DNS TXT records as a database for God's sake. I am probably not the world's foremost technical authority on the proper use of things.Avery: Right. Yeah. I mean, that's a good description of what it does. I think it actually—it's weird, right? It's hard to get across in words just how simple it is, right?That one-minute description used a bunch of technical-sounding terminology that probably the listeners to your podcast will understand. But, like, the average tech person doesn't need to know any of those things in order to use Tailscale, right? You download it from the app store on your phone and your laptop. And you install Tailscale on both from the App Store. You log into your Google account or your GitHub account, and that's it. Those two devices are tied together in time and space; they can see each other. You can access a web server that you're running on your laptop from your phone without doing anything else, right?And then you can start a VM in AWS and you load Tailscale in there, and now that's part of your network. And so, there's—you don't need to know what IPv4 and IPv6 even are. You don't need to know what DNS even is. It just, you know, the magic sort of comes together. We do a ton of stuff behind the scenes to make that magic work. But it's this —one thing that one customer said to us one time is, like, “It makes the internet work the way you thought the internet worked until you learned how the internet worked.” If that makes sense.Corey: Right. It basically works on duct tape and toothpicks all spit together, and it's amazing that it works at all. I mean, this is going to sound relatively banal, but the way that I've used Tailscale the most is on my phone or on my iPad or on my Mac. I will connect to the Tailscale network by default, and when that is done, it passes out my pi-hole's IP address as the custom DNS server for the entire network. So, I don't see a whole bunch of ads, not just in browser, but in apps and the rest.And every once in a while when something is broken because an ad server is apparently critical to something, great, I turn off the VPN on that device, use the natural stuff. My experience of the internet gets worse as a result and the thing starts working again, then I turn it back on. It is more or less the thing that I use as a very strange-looking ad blocker, in some respects, that I can toggle on and off with the click of a button. But it's magic, it is effectively magic. From the device side, it's open up an app and toggle a switch, or it is grab from the menu bar on a Mac, there's an application that runs and just click the connect button or the disconnect button.There is no MFA every time you connect. There is no type in a username and password. There is no lengthy handshake. I hit connect and it is connected by the time I have moved the mouse back from the menu bar to the application I was working in. Whenever I show this to someone who uses a corporate VPN, they don't believe me.Avery: Right. Yeah, exactly. It's hard to believe. It's like, “Hey, did anything actually happen here?” Because we removed you know, for example, it doesn't by default catch all your traffic, it only catches the traffic to your private network, so it's safe to leave it on all the time because it's not interfering with what you're doing.What you're describing is using Pi-Hole, which is a Raspberry Pi-based DNS server that is an ad blocker, most people using Pi-Hole have one at home, so when they're at home they get ads blocked, but when they leave home they don't get their ads blocked. If you add Tailscale to that, you can use your Pi-Hole even when you're not at home, and it sort of makes it that much more useful. I think an important difference from, say, other services that you can use an adblocker or a privacy VPN is that we never see your traffic, right? Tailscale creates a private network between you and all your personal devices, and that private network is private even from us, right? We help you connect the devices to each other, but when your traffic goes to Pi-Hole, it's your Pi-Hole. It's not our adblocker. It's your adblocker, right, so we never see what traffic you're going to, we never see what DNS names you're looking up because it was just never made available to us, right?Corey: Right. But did you do—the level of visibility you have into my network is fascinating in a variety of different ways, but it is also equally fascinating—one of those ways—is that how limited it is. You know what devices I have, the last time they've connected, the version of Tailscale they're running, an IP address on it, and you also wind up seeing what services are advertised and available on those networks if I decide to enable that. Which is great for things like development; I'm going to be doing development in a local dev sense on an EC2 instance somewhere. And well, I don't want to set up a tunnel with SSH to wind up having to proxy traffic over there just so I can wind up hitting some high port that I bound to, and I certainly don't want to expose that to the general internet; that is a worst practice for all these things.And Tailscale magically makes this go away. I haven't done this in much depth yet with a variety of my team members, but when you start working on this with teams who are doing development work, someone can have something running on their laptop and just seamlessly share it with their colleagues. It's transformative, especially in an area where very often that colleague is not sitting in the same room getting the greasy fingerprints on your laptop screen.Avery: Yep. Yeah, exactly. So, you mentioned the services list which you have to specifically opt into, and the reason we did that is that, you know, the list of devices and hostnames and IP addresses, we have to collect because that's how the service works, right? You send us the information about your devices, and then we send the public keys for those devices to the other devices. We can't get out of collecting that, whereas the services list is purely an interesting add-on feature, and we decided that we didn't want to collect that by default because it would make people nervous about their privacy.So, if you want that feature, you click it on; if you don't want it, don't turn it on, you can still share services with people inside your network; they just need to know that those services exist. You send them the URL or whatever and it'll work, but it doesn't show up as a list of things that we can see in that case. But yeah, sharing stuff between your coworkers is definitely… is a major use case for Tailscale and dev and infrastructure teams in particular. Like, you can—designers, for example, run a test version of the website on their laptop, and then they say, “Hey, visit this URL on my laptop.” And you don't have to be in the same office, you can both be sitting in different cafes in different cities. Tailscale will make it so that the connection between those two computers still works, even if they're both behind firewalls, even if they're both behind different NATs, and so on.Corey: One of the things that astounded me the most; I am reluctant to completely trust things that are new that touch the network. Early on in my career, I made network engineering mistake 101, which is making a change to the firewall in your data center without having another way in. And the drive across town or calling remote hands to get them to let you back in and when you locked things out. Because you folks are building these things on a pretty consistent clip; there are a lot of updates and releases across all of the platforms. And invariably, I find myself on some devices version behind or so, just because of the pace of innovation. “Oh, great. We're updating the VPN client. Cool. So, I'm going to expect this thing to drop and I'm going to have to go in and jigger it to get it working again.”That has never happened. I have finally given in to, I guess, the iron test of this, and I have closed SSH from the internet to most of these nodes. In fact, some of them sit —the Pi-Hole sitting at home, if you're not on my home network, there is no outside way in without breaking in. It is absolutely one of those things that disappears into the background in a way that I was extraordinarily surprised to find.Avery: Right. Well, that is something—I mean, I'm old and grumpy, I guess, is sort of the beginning part of all this, right? I've seen all this annoying stuff that happens with software. And, you know, and many of us, in fact, at Tailscale are old and grumpy, and we just didn't want to repeat those same things. So, first of all, network stuff to an even stronger degree than virtually any other kind of product, if your network stops working, everything stops working, right, so it's number one priority that Tailscale has to not mess up your network.Because if it does, you instantly lose faith. There's kind of like—Tailscale gives you this magical feeling when you first install it, but that feeling of magic goes away very quickly the first time it screws something up and you can't connect when you really need to. So, we put a huge amount of work into making sure that you can connect when you really need to. We have a lot of automated tests. One of our policies that I think is almost unheard of is that we intend to never deprecate support for older versions of the Tailscale client.And to this day, we're about three years into Tailscale, we've never deprecated an old client that anybody is using. So eventually, people—though in fact hard to believe, but eventually, people do stop using some old versions, so those ones don't work anymore, necessarily. But any version of Tailscale that is in use today is going to keep working as long as anybody is using it. We have a very, very, very strong backwards compatibility policy. Because the worst thing that I can imagine is having some Raspberry Pi sitting out in the void somewhere that I haven't looked at for two years, that whoops, Tailscale broke it, and now I can't connect to it, and now I have to go drive down there and fix it, right? It would be just insultingly terrible for that to happen.And we just make sure that doesn't happen. Another thing that people get excited about is, like, on a Debian system or whatever, if you've got the Debian package installed, you can do an apt-get upgrade. Tailscale upgrades and even your SSH session doesn't drop. Every now and then people [comment and was like 00:14:13] —Corey: That was the weirdest part. I was expecting it to go away or hang for a long period of time. And sure, I guess it might drop a packet or so, I've never bothered to look because it is so seamless.Avery: Right. Yeah, exactly. It's just, like, “Wait. Did anything even happen?” It's like, “Yes”—Corey: Right—Avery: —“Something happened. We upgraded it out from underneath you.”Corey: —my next thing is [crosstalk 00:14:28]—yeah, I grep Tailscale on the process table. Like, okay, is this just a stale thing that's existing [unintelligible 00:14:34] to bounce it? No, it has just been started. It was so seamless under the hood that it was amazing. There is something that is—a lot of things have been very deeply right on this.Something else that I think is worth pointing out is that if any company had the brainpower there to roll their own crypto, it would be you folks, but you don't. You're riding on top of WireGuard, an open-source project that does full-mesh VPNs with terrible user interfaces.Avery: Yep. So, you know, I guess disclosure. Back in 1997 when I started my first startup, I was not smart enough to not roll my own crypto. And therefore the VPN I wrote at the time definitely had giant security holes. It was also not that popular, so nobody found them. But I, you know eventually I found [crosstalk 00:15:21]—Corey: “Except a bank, which I really shouldn't disclose.” Kidding, I'm kidding. But yeah.Avery: [laugh]. No, no, no. The bank never used that software. [laugh]. But yeah. Nowadays, I've been through a lot, and I… I would not describe myself as a security expert. Although people often describe me as a security expert. I don't know what that means. But I am enough of an expert to know that I should not be rolling my own crypto. And the people who invented WireGuard, it's one of the—I feel like I'm overstating things, but I'm not—it's one of the biggest leaps forward in cryptography, in probably the history of computing. Now, it builds on a series of things that are part of the same leap forward, right? It's built on the protocol that Signal uses called the Noise Protocol, right? Signal and Noise are built on the Ed25519 curve, made by —or popularized by Dan Bernstein who's a major cryptographer in this area. Sometimes popular, sometimes—Corey: Oh, djb.Avery: —not popular. Yeah, exactly.Corey: He also, near and dear to my heart, wrote djbdns, which was a well-known, widely deployed DNS server, by which I of course mean database. Please, continue.Avery: Yep. [laugh]. I've been a huge fan of basically everything djb has ever made in the history of—Corey: Oh, you're a qmail person. I am on the postfix side of [unintelligible 00:16:37].Avery: Yep. Well, my first startup back in 1997, we made Linux-based server appliances for small businesses. And we use qmail, we use djbdns, we used a couple of other djb products. And you know, for the history of that product—you know, leaving aside my VPN that was a security hole—the djb stuff never had a single problem. That company was eventually acquired by IBM.One of the first things IBM did is, like, “Whoa, djb has a super-weird software license. We can't be doing this. Let's replace it with software that has a decent license.” So, they dropped out djbdns and started using BIND. Within a week, there was a security hole in BIND that affected all of these appliances that they now controlled, right?So, djb is a very big-brained, super genius in security, whatever you might think of his personality. And it's sort of like was the basis for this revolution in cryptography that WireGuard has sort of brought to the networking world. And it's hard to overstate. Just, like, the number of lines of code, there's something like 100 times less code to implement WireGuard than to implement IPsec. Like, that is very hard to believe, but it is actually the case.And that made it something really powerful to build on top of. Like, it's super hard for somebody like me to screw up the security of a WireGuard deployment, where it's very easy to screw up the security of an IPsec deployment.Corey: This episode is sponsored by our friends at Oracle Cloud. Counting the pennies, but still dreaming of deploying apps instead of “Hello, World” demos? Allow me to introduce you to Oracle's Always Free tier. It provides over 20 free services and infrastructure, networking, databases, observability, management, and security. And—let me be clear here—it's actually free. There's no surprise billing until you intentionally and proactively upgrade your account. This means you can provision a virtual machine instance or spin up an autonomous database that manages itself, all while gaining the networking, load balancing, and storage resources that somehow never quite make it into most free tiers needed to support the application that you want to build. With Always Free, you can do things like run small-scale applications or do proof-of-concept testing without spending a dime. You know that I always like to put asterisks next to the word free? This is actually free, no asterisk. Start now. Visit snark.cloud/oci-free that's snark.cloud/oci-free.Corey: I just want to call something out as well, that when I say that you folks definitely have the intellectual firepower to roll your own crypto should you choose to do so, but you chose not to, if anything, I'm understating it. To be clear, one of the blog posts you had somewhat recently out was how you are maintaining what is effectively your own fork of the Go programming language. Which is one of those things when someone hears that it's like, “I'm sorry, can you say that again? Because I am almost certain I misunderstood something.” What is the high-level version of that?Avery: Well, there's, I think, two important points there. One of them is that yes, we did fork the Go programming language; it's supposed to be a temporary fork because it allows us to do some experiments with the go back-end. And the primary reason we were able to do that is because we employ a couple of people who used to be on the core Go team. And that was not because we went out looking for people who used to be on the core Go team, that's just how it worked out. But because we do, it's easier for them to fork Go than it would be for the average person, and in many ways, it's easier for them to get their job done by just continuing to work on the codebase they've already worked on.But the second point is actually, as compilers go, the Go compiler is probably the very easiest one I've ever seen to be able to fork and edit. Like it's super-clear code, you're just editing Go code, which is already pretty easy. But they really put a ton of work into making it readable and understandable. So, like, average people actually can fork the Go compiler and not be completely bamboozled by how difficult everything is, right? Compared to, like, GCC where just building the thing is something that takes you weeks to learn how to do, right, Go is just, like, you run this script and build your compiler [unintelligible 00:19:35]—Corey: Yeah. Let me clear this quarter on my schedule so I can go ahead and do that. Yeah, no, thank you.Avery: Yeah. I've built copies of GCC and it's absolutely nightmarish, right? And built people's forks of GCC for special embedded processors and stuff. And this is, like, a f—this is a career that you can specialize in, building GCC, right? There are people that do this, right? And the Go compiler, it's really—Corey: Well, it's 40 years of load-bearing technical debt.Avery: Yeah. Yeah. But the Go compiler. It's very nice; it's just a program that's written in Go, that compiles under Go, and then you end up with one binary, right? And as long as you have that binary, everything just works, right? And so, it's actually surprisingly easy to fork Go. I don't want to—you know, I wouldn't put that on the same level of difficulty as, like, not screwing up cryptography, if you're trying to do it yourself. [crosstalk 00:20:16]Corey: [crosstalk 00:20:16] their own crypto algorithm that they themselves can't defeat. Yeah, it turns out that basically, breaking crypto is a team sport. Who knew?Avery: Yeah. Exactly. Generally, with security, you have this problem a lot, right? It's a lot harder to build a system that nobody can break into, than it is to break into a random system, right? Because you know, the job of securing something against everybody is much harder than the job of finding something you can break into.Corey: So, I did have a question about something you said earlier, where one of the use cases—one of the design goals—is not to have a breaking change to a point where an old device cannot still connect to the private network. But you do have a key expiry for devices where a device needs to relog in, and it can be anywhere between 3 and 180 as I look at it. I don't know if some of the more enterprise-y options have longer options that they can set, but what happen—how do you not have to drive out to the back of beyond to re-authenticate that Raspberry Pi every six months?Avery: Ah. So, this is something, it's at the policy layer, and we have not finished refining this to perfection, I would say, right now. What we do have though, if your key does expire, there's a button in the admin panel to say, like, boost this device for a little bit longer. Sort of unexpire it for another 30 minutes—I don't remember what the—how much time it is—then you can SSH into the device and do a proper key refresh on it without actually having to drive out there. Now, we did for one version, accidentally break the key reactivation feature so that if the client noticed it's key is expired, it actually disconnected from the Tailscale network altogether and then didn't receive the message to, like, “Hey, could you please increase the length of your key?” That was fixable by power cycling it, which you could often get somebody to do without driving all the way out there. But we fixed that, so now that—Corey: “Have you tried turning it off and back on again,” is still a surprisingly effective way of troubleshooting something.Avery: Yeah, exactly. So, that wasn't—I mean, it was kind of annoying for some people. But yeah, the reason we use, by default, every key always expires is because unlimited time credentials are one of the worst security holes that people don't really acknowledge. Because technically, it'll never be the, like—you know, it'll never show up as the highest severity security hole that you have an unlimited time credential sitting in your home directory, but it is something that—well, I can tell a story. There is a company that I heard about that had you know—SSH keys are typically unlimited time credentials; the easiest way to do it is you run ssh-keygen, it puts something in your home directory, you copy the public key to all the devices you want to be able to log into, and then you never think about it again.So, this is a company that, of course, every developer in their company had done this; they had a production network with a bunch of SSH keys in it. Some not very ethical employee worked there, had keys in their production systems, and eventually got fired. Now, of course, this company had good processes in place, they went through all the devices and took out this person's public key from all the devices. What they didn't know is that during lunch one day, this person had gone around to all their coworkers' workstations that hadn't been locked, downloaded the private keys for those people on his—Corey: Oh no.Avery: —computer before he got fired. And so, shortly after he got fired, their entire production network got wiped out. Now, they didn't have enough forensics at the time to know how it all got wiped out, so they spent some time putting it all back in place, this time with forensics. About a month later—they rebuilt everything from scratch, all new public keys and everything. You couldn't possibly have any backdoors in this system, right?And then a month later, it all got wiped out again. This time, the forensics revealed and, like, it was one of the existing employees, coming from a different country, that had gotten into their private production network and wiped everything out. How did that happen? It was because this person had years earlier, downloaded all their public—or private keys when he wandered around through the office. You can fix this problem instantly, by just expiring your keys and forcing your rotation periodically, right?SSH doesn't make that very easy. You can with SSH setup, SSH certificate authentication, which is a huge ordeal to get configured, but once it's working, it solves this particular problem, right? Tailscale [crosstalk 00:24:19]—Corey: On Mac and iOS, there is a slight improvement to this that I'm a big fan of because I agree with you. I am lousy at rotating my keys, but there's an open-source project called Secretive that I use on the Mac that stores the private key in the Secure Enclave, which the Mac will not let out of it. And I have to use Touch ID to authenticate every time I want to connect to something. Which can get annoying from time to time, but there is no way for someone to copy that off. Historically, I would—Avery: That's true.Corey: Have a passphrase that was also tied to the key so if someone grabbed it off the disk, it still theoretically would not be usable. And that was—but again, that is an absolute vector that needs to be addressed and thought about. Key rotation is huge.Avery: And you have to go through this effort to sort it all out, right? So Tailscale, we just have this policy: We don't do unlimited length credentials; we do key rotation for everything, and we just sort of set different time limits for this rotation depending on how picky you want to be about it. But any key expiry is much, much better than no key expiry. Even if you set it to a six-month key expiry, you still have at least it's only the six-month window that somebody could theoretically reuse your keys. And we can also rotate keys behind the scenes and so on.So, in the SSH case, the way people use Tailscale, you stopped opening the SSH port to the world. You're only SSH when you're connected over Tailscale. The fact that your Tailscale keys rotate and expire over time is what protects your SSH session. So, you could keep using static SSH keys that never expire—don't try to figure out all this other complicated stuff, right—and you're still protected from these private SSH, like, unlimited length keys. Now, that said, for servers, Tailscale does have a button where you can say, like, “Please stop expiring the key.” This is a server, nobody's ever going to get physical access to the machine.The only thing we could do with the private key for this machine is allow other people to SSH into it, which is not very dangerous, right? It's pretty much, like, somebody stealing your SSH authorized keys file; like, it doesn't really matter. And for that case, you turn off the expiry altogether. But expiring keys is intended for use by, like, devices that employees are actually holding in their hands where if it expires, it's no big deal, you push the login button and it refreshes.Corey: There's something that is very nice about dealing with something that is just so sensible. I mean, we've all—at least in the olden days of running sysadmin stuff, we had this problem we would generate—or purchase back in those days—SSL certificates and, great, they expire to a year or so at the end of the year, people forget, and then it would expire you to run around fixing this. And the default knee-jerk response was that was awful. Let's get the next one for five years so we didn't have to think about it that long.And it's always a wildcard and so it gets put all over the place, and you wind up with these problems. One of the things that Let's Encrypt has done super well is forcing a rotation every 90 days so you know where it is. It's just often enough you want to automate it. And ACM, the AWS certificate manager that they use, takes a slightly different approach. It doesn't give you the private key; it embeds it in other places so they can handle the rotation themselves.And they start screaming in your email if they can't verify that it's time for renewal long before it hits. It's different approaches to the problem, but yeah, five years out, how should I know all the places the certificate has wound up in that intervening time? Most of the people who did it aren't there anymore. And one day, surprise, a website breaks, either because its SSL cert isn't working, or one of the back-end services it depends on suddenly doesn't have that working. It's become a mess, so having a forced modernity to these things is important.Avery: Right. It's forced modernity, and it's just basically, it's all behind the scenes. Like, you don't even think about the fact that Tailscale gave you a key because that is not relevant to your day-to-day life, right? You logged in, something happened, all these devices ended up on your network. What actually happened is that public and private keys—you know, a private key was generated, the public keys were distributed properly, things are getting rotated, but you don't have to care about all that stuff.So, it's fun that Tailscale is what we call secure by default, right? People love to use it because it's easier, it makes their life easier, but security teams like it because actually, it changes the default security posture from, like, “Ugh, I'm going to have to tell everybody to please stop doing these five things because it always creates security holes,” to like, “Whoa, the thing that they're going to do most naturally is actually going to be safe.” Right? I really like that about it. You're not thinking about certificates, but their certificates are getting rotated exactly as they should be.Corey: There's just something so nice about computers doing the heavy lifting for us. It's one of the weird things about Tailscale is it falls into a very strange spot where there is effectively zero maintenance burden on me, but I still use it to toggle it on or off in scenarios often enough to remember that it's there and that I'm using it. It is the perfect sweet spot of being somewhat close to top of mind, but never in a sense that is, “Oh, I got to deal with this freaking thing again.” It never feels that way. Logging into it, it has long-lived sessions at the browser, so it isn't one of those, ah, you have to go back to GitHub and re-authenticate and do all these other dog-and-pony show things. It just works. It is damn near a consumer-level of ease-of-use, start to finish. The hard part, of course, is how on earth you explain this to someone [laugh] without a background in this space.Avery: Yeah, exactly. It's something we ask ourselves sometimes is, like, well, you know, Tailscale is great for developers right now. It is easy enough to use, even for consumers, but, like, how would you explain it to consumers and find a good use case for consumers? And it's something that I think we are going to do eventually, but it hasn't been, up until now, a super high priority for us just because developers are this sort of like the core audience that we haven't even finished building a great product that does everything that they want, yet. There is one little feature in Tailscale that's the beginning of something that's consumer-friendly; it's called Taildrop.I don't know if you've seen this one. You can turn it on, and basically, it acts like AirDrop in Apple products, except you don't need to care about physical proximity and it works with every kind of device, not just Apple devices, right? So, you can add it as—it shows up in the share pane on your Mac OS or Windows or iOS device. You can use it from Linux, you just use it to send files of any type, and it sends them point to point not through a cloud provider so that we never see a copy of the file. It only goes between your devices over your encrypted network. So, that's something that consumers kind of like.Corey: Feels like Tailprint for Bonjour could wind up being another aspect of this as well. And I'm still hoping for something almost Ansible-like where run the following command, whether it's pre-approved or not, on a following subset of things. In my case, for example, it's, I would love it if it would just automatically, when I press the button, update Tailscale across all of the nodes that support it, namely the Linux boxes. I don't think you can trigger an App Store update from within a sandboxed app on iOS, but I've been—Avery: Right.Corey: Surprised before. Yeah. But it's nice to be able to do some things.Avery: Yeah. This is one of those—yeah, we get that request a lot for, like, can you push a button to auto-update Tailscale? It makes me really sad that we get this request because the need for this is a sign that all of the OS vendors have completely botched software updates, right? Like, the OS should be the thing, updating your software on a good schedule based on a set of rules, and it shouldn't be the job of every single application to provide their own software update. It's actually a massive, embarrassing, security hole that software can even update itself, right?Because if it can update itself, then you know, imagine someone breaks into the production services of a company that is offering a particular program. They put malware into a version of the software, they put it into the software update server, and then they trigger everything in the network to push the software update to those devices. Now, you've got malware installed on all your devices, right? It's very strange that people asked for this as a feature. [laugh].Tailscale currently does not have that feature; it doesn't push software updates on its own. But it's such a popular feature that I think we're going to have to implement it because everybody wants this because Windows, for example, is simply just never going to automatically update your software for you. We have to have these weird-super admin rights on your machine so that we can push software updates because nobody else will. I feel really weird about that. You know, the security world should be protesting this more.But instead, they're like, asking, can you please put this feature in because I've got a checklist in my compliance thing that says, “Is all your software up-to-date?” I don't have a checklist item that says, “Does any of my software have super-admin rights that they shouldn't have?” Right? It's sort of, I guess, the next level of supply-chain management is the big word. Nobody—there is no supply chain management for software.Corey: There isn't, for better or worse. I wish there were, but there simply is not. Ugh. Next year, maybe. We hope.Avery: Yep. So, you have to trust your vendors, fundamentally, which I guess will always be true. That's true for Tailscale as well, right? Whether or not we include the software update pushing. If you're installing a VPN product provided by a vendor, you have to trust that we're going to put the right stuff into the software.And the best—the only thing I can really do is just be honest about these issues and say, “Well, look, we try our best. We definitely try not to implement features that are going to turn into security holes for you.” And I think we do a lot better than most vendors do in that area. But it's very hard to be perfect because nobody knows how to do software supply chain well.Corey: Ugh. I hear you. I that's the nice thing, too. Honestly, the big reason I know I need to update these things and the reason I want to do it's actually you. Because whenever I log in and look at my devices in the Tailscale thing, there's a little icon next to the one that there's an update available here.And you have fixed a lot of the niceties on this, like, ah, there's an update available for the iOS version. It's, “Really? Because it's not available in the Apple Store yet,” as I sit there spamming the thing. That stopped happening. There's a lot of just very nice quality-of-life improvements that are easy to miss.Avery: Yep, yeah, that's kind of weird. We actually went a little overboard on the update available notifications for a while because there's always this trade-off, right? Like I said, we have a policy of never breaking old versions, so when people see the update available notification, they kind of panic. It's, like, “Oh no, I better install the update, before Talescale cuts me off.” And, like, well, we're not actually ever going to cut you off, so you shouldn't have to worry about that stuff.But on the other hand, you're not going to get the latest features and bug fixes unless you're running the latest version, so when people email us saying, “Hey, I'm using Tailscale from six months ago, and I have this problem,” the first thing our support team does is say, “Well, can you please try the latest one, and does the problem go away?” Because it's kind of inefficient debugging six-month-old software. So, one way we were trying to, like, minimize that cost is, like, hey, we could just tell people there's a new version available and then maybe they'll update it themselves. But that resulted in people panicking. Like, oh, no, I need to install the software really, really soon because I can't afford to break my network.Corey: Right.Avery: And because our system is based on WireGuard and this is —you know, I'll probably jinx it by saying this but, like, we've never had an actual security hole that we've had to issue a Tailscale update to resolve, right? People see the update available thing and, like, “Oh, no, I bet there's a whole bunch of vulnerabilities that they fixed.” It's like, “Well, no.” WireGuard has also never had a vulnerability, right? [laugh] it's… yeah, it's, you know, sooner or later there probably will be one, and when there is one, we'll probably have to make the, you know, update notification in red or something instead of just the little icon on the admin panel. But yeah, it's—Corey: [laugh].Avery: —we try [crosstalk 00:35:23]—Corey: Nice job on jinxing it, by the way, I appreciate that.Avery: Yeah I know. I mean, I try to try my best. [laugh]. But I've actually been surprised. It's very much like my experience with all the djb stuff we used in the past.Like, when we were using qmail and djbdns for years, there was never once a security hole, right? It's very interesting that it is possible to design software that never once has a security hole. And nobody does that, right? I mean, I would say I'm not as smart as djb; our software is probably, you know, not going to be as one hundred percent perfect as that, but we try really, really hard to aim for that as a goal.Corey: Yeah. I really want to thank you for taking the time to speak with me about everything Tailscale is up to. And again, congratulations on your Series B. If people want to learn more, where should they go?Avery: I guess, tailscale.com is the place. We also have @tailscale in Twitter. My own personal Twitter is @apenwarr, which you probably won't be able to spell unless you Google for me or something—Corey: But it's in the [show notes 00:36:19], which makes this even easier.Avery: It is? Ah, there you go. So yeah, there's lots of information. But the number one thing I tell people is, like, look, it is a lot easier to get started than you think it is. Even after you've heard it 100 times, nobody ever believes how easy it is to get started. Just go to the App Store, download the app, log into your account, and you're already done, right? Try that and you don't even have to read anything.Corey: I would tear you apart for that statement if it weren't—if it were slightly less true than it is, but it is transformative. Give it a try. It's a strong endorsement from me. Thank you so much for your time. I appreciate it.Avery: Thank you, too. Great talking to you, and talk next time.Corey: Indeed. Avery Pennarun, CEO of Tailscale. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this show, please leave a five-star review on your podcast platform of choice, and smash the like and subscribe buttons, whereas if you've hated it, same thing—five-star review, smash the buttons—and also leave an angry bitter comment about how you are smart enough to roll your own crypto, so you don't understand why other people wouldn't do it.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

PurposeThe infrastructure for Nutanix Disaster Recovery-as-a-Service (DRaaS) supports a tenant cluster and a production virtual private cloud (VPC) for each customer. Customers generally have production VMs running in their on-premises cluster, which is connected to the DRaaS VPC using an IPsec tunnel. This is used by the DRaaS workflow to replicate on-premises production data.During a disaster recovery situation or while running disaster recovery tests, VMs will failover from on-premises to the DRaaS cluster. When this occurs, all VMs in one subnet of an on-premises network (e.g., 192.168.10.0/24) usually failover to DRaaS. If the customer chooses to preserve the IP, VMs in DRaaS come up with the same IPs as on-premises (e.g., 192.168.10.0/24 network).In this type of disaster recovery situation, customers can choose which critical VMs are replicated to DRaaS. But in those cases, on-premises VMs cannot communicate with VMs in DRaaS. Host: Andy WhitesideCo-host: Harvey GreenCo-host: Jirah Cox

In this episode we are going to look at Crypto Map.We will be discussing Syntax to Configure a Crypto Map, Crypto Map Configuration, and finally Apply and Verify the Crypto Map.Thank you so much for listening to this episode of my series on Network Security for the Cisco Certified Network Associate (CCNA).Once again, I'm Kevin and this is KevTechify. Let's get this adventure started.All my details and contact information can be found on my website, https://KevTechify.com-------------------------------------------------------Cisco Certified Network Associate (CCNA)Network Security v1 (NetSec)Episode 19 - Implement Site-to-Site IPsec VPNsPart D - Crypto MapPodcast Number: 79-------------------------------------------------------Equipment I like.Home Lab ►► https://kit.co/KevTechify/home-labNetworking Tools ►► https://kit.co/KevTechify/networking-toolsStudio Equipment ►► https://kit.co/KevTechify/studio-equipment 

In this episode we are going to look at IPsec Policy.We will be discussing Define Interesting Traffic and Configure IPsec Transform Set.Thank you so much for listening to this episode of my series on Network Security for the Cisco Certified Network Associate (CCNA).Once again, I'm Kevin and this is KevTechify. Let's get this adventure started.All my details and contact information can be found on my website, https://KevTechify.com-------------------------------------------------------Cisco Certified Network Associate (CCNA)Network Security v1 (NetSec)Episode 19 - Implement Site-to-Site IPsec VPNsPart C - IPsec PolicyPodcast Number: 78-------------------------------------------------------Equipment I like.Home Lab ►► https://kit.co/KevTechify/home-labNetworking Tools ►► https://kit.co/KevTechify/networking-toolsStudio Equipment ►► https://kit.co/KevTechify/studio-equipment 

Philippe Humeau, Founder of CrowdSec discusses some of the biggest issues currently facing cybersecurity and how open-source cybersecurity platforms combat them.

In this episode we are going to look at ISAKMP Policy.We will be discussing the Default ISAKMP Policies, Syntax to Configure a New ISAKMP Policy, ISAKMP Policy Configuration, and finally Pre-Shared Key Configuration.Thank you so much for listening to this episode of my series on Network Security for the Cisco Certified Network Associate (CCNA).Once again, I'm Kevin and this is KevTechify. Let's get this adventure started.All my details and contact information can be found on my website, https://KevTechify.com-------------------------------------------------------Cisco Certified Network Associate (CCNA)Network Security v1 (NetSec)Episode 19 - Implement Site-to-Site IPsec VPNsPart B - ISAKMP PolicyPodcast Number: 77-------------------------------------------------------Equipment I like.Home Lab ►► https://kit.co/KevTechify/home-labNetworking Tools ►► https://kit.co/KevTechify/networking-toolsStudio Equipment ►► https://kit.co/KevTechify/studio-equipment 

Podcast Geeksleague 238, enregistré ce vendredi 15 avril 2022. Petit podcast entre nous ! Dans ce Geeksleague 238 pas d'invité mais un invité quand même ! Car MaxHafniar est passé sur Discord nous faire un debrief de la LuxCon Pour s'abonner à notre flux RSS PodcastPour nous soutenir via TipeeePour nous écouter sur DezzerNous rejoindre sur DiscordNous rejoindre sur Instagram Au sommaire : 00:00 -Introduction07:15 - News Tech30:29 - Weird West36:00 - Debrief de la LuxCon42:38 - Coup de gueule -Star Trek Picard saison 246:40 - 3 Chaine Youtube à ne pas rater54:00 - Coup de coeur - BD la terre vagabonde56:12 - Le VPN (partie 2)01:39:38 - Coup de coeur - Hades01:41:21 - Coup de coeur - La cité maudite01:44:30 - Le Dragon Quizz Point : la réponse est GUN01:57:00 - Outro Remerciements : À nos Tipeurs Pour en savoir plus : News tech de la semaine https://trollsetlegendes.be/https://www.badgeek.fr/podrennes/ VPN https://www.le-vpn.com/history-of-vpn/https://en.wikipedia.org/wiki/IPsec https://fr.wikipedia.org/wiki/R%C3%A9seau_priv%C3%A9_virtuel https://webcache.googleusercontent.com/search?q=cache:1hBQFpJBmn8J:https://www.networxsecurity.org/members-area/glossary/i/ipsec.html+&cd=3&hl=fr&ct=clnk&gl=be&client=ubuntu https://www.mozilla.org/fr/products/vpn/more/what-is-a-vpn/ https://www.scaleway.com/en/docs/tutorials/openvpn-instant-app/https://framalibre.org/tags/vpnhttps://www.mozilla.org/fr/products/vpn/https://mullvad.net/fr/ 3 Chaînes Youtube à ne pas rater La séance de MartyChronik FictionTravel Alone Idea Petit erratum sur le podcast, on dit que speedons est au bénéfice de Médecins sans Frontrière, mais c'est pour Médecin du Monde que les dons sont récoltés https://www.youtube.com/watch?v=tSZovMLr0yg

On today's Heavy Networking podcast, guest Cory Steele visits the podcast to make the case that overlays such as LISP offer unique benefits for the network. Greg Ferro disagrees, and makes the case for protocols like QUIC, TLS, and IPSec, and argues for the concept of end-to-end connectivity as the IP network was intended.

On today's Heavy Networking podcast, guest Cory Steele visits the podcast to make the case that overlays such as LISP offer unique benefits for the network. Greg Ferro disagrees, and makes the case for protocols like QUIC, TLS, and IPSec, and argues for the concept of end-to-end connectivity as the IP network was intended.

On today's Heavy Networking podcast, guest Cory Steele visits the podcast to make the case that overlays such as LISP offer unique benefits for the network. Greg Ferro disagrees, and makes the case for protocols like QUIC, TLS, and IPSec, and argues for the concept of end-to-end connectivity as the IP network was intended.

Recovering files from broken laptop, low data mode in iOS13, cleaning malware from PC (boot in safe mode, Geek Uninstaller, Avast Antivirus, Malwarebytes, Autoruns), configuring router for WiFi calling (enable IPSec, ports 4500 and 500), system backup vs system image, Profiles in IT (Jean E. Sammet, female programming pioneer), Windows 10 runs on over half of world computers, FogCam update (worlds longest running webcam), iPhones can be repaired in independent repair shops, What3Words maps the world (humanizing GPS coordinates), next storage breakthrough (DNA), generating power from the night sky (thermoelectric generator), CA law may end the gig economy, and asteroid passes close to the Earth (big as a skyscrapper, 3M miles away). This show originally aired on Saturday, September 14, 2019, at 9:00 AM EST on WFED (1500 AM).

WireGuard is a new VPN protocol that promises to be faster and more secure at the same time. And you can now connect to a WireGuard server on iOS thanks to the official open source app. Compared to other VPN protocols, such as OpenVPN and IPsec, it can maintain a VPN connection even if you change from one network to another. Let's say you're in a hotel and you're heading to a busy conference center.

OpenBSD 6.2 is here, style arguments, a second round of viewer interview questions, how to set CPU affinity for FreeBSD jails, containers on FreeNAS & more! Headlines OpenBSD 6.2 Released (https://www.openbsd.org/62.html) OpenBSD continues their six month release cadence with the release of 6.2, the 44th release On a disappointing note, the song for 6.2 will not be released until December Highlights: Improved hardware support on modern platforms including ARM64/ARMv7 and octeon, while amd64 users will appreciate additional support for the Intel Kaby Lake video cards. Network stack improvements include extensive SMPization improvements and a new FQ-CoDel queueing discipline, as well as enhanced WiFi support in general and improvements to iwn(4), iwm(4) and anthn(4) drivers. Improvements in vmm(4)/vmd include VM migration, as well as various compatibility and performance improvements. Security enhancements including a new freezero(3) function, further pledge(2)ing of base system programs and conversion of several daemons to the fork+exec model. Trapsleds, KARL, and random linking for libcrypto and ld.so, dramatically increase security by making it harder to find helpful ROP gadgets, and by creating a unique order of objects per-boot. A unique kernel is now created by the installer to boot from after install/upgrade. The base system compiler on the amd64 and i386 platforms has switched to clang(1). New versions of OpenSSH, OpenSMTPd, LibreSSL and mandoc are also included. The kernel no longer handles IPv6 Stateless Address Autoconfiguration (RFC 4862), allowing cleanup and simplification of the IPv6 network stack. Improved IPv6 checks for IPsec policies and made them consistent with IPv4. Enabled the use of per-CPU caches in the network packet allocators. Improved UTF-8 line editing support for ksh(1) Emacs and Vi input mode. breaking change for nvme(4) users with GPT: If you are booting from an nvme(4) drive with a GPT disk layout, you are affected by an off-by-one in the driver with the consequence that the sector count in your partition table may be incorrect. The only way to fix this is to re-initialize the partition table. Backup your data to another disk before you upgrade. In the new bsd.rd, drop to a shell and re-initialize the GPT: fdisk -iy -g -b 960 sdN Why we argue: style (https://www.sandimetz.com/blog/2017/6/1/why-we-argue-style) I've been thinking about why we argue about code, and how we might transform vehement differences of opinion into active forces for good. My thoughts spring from a very specific context. Ten or twelve times a year I go to an arbitrary business and spend three or more days teaching a course in object-oriented design. I'm an outsider, but for a few days these business let me in on their secrets. Here's what I've noticed. In some places, folks are generally happy. Programmers get along. They feel as if they are all "in this together." At businesses like this I spend most of my time actually teaching object-oriented design. Other places, folks are surprisingly miserable. There's a lot of discord, and the programmers have devolved into competing "camps." In these situations the course rapidly morphs away from OO Design and into wide-ranging group discussions about how to resolve deeply embedded conflicts. Tolstoy famously said that "Happy families are all alike; every unhappy family is unhappy in its own way." This is known as the Anna Karenina Principle, and describes situations in which success depends on meeting all of a number of criteria. The only way to be happy is to succeed at every one of them. Unhappiness, unfortunately, can be achieved by any combination of failure. Thus, all happy businesses are similar, but unhappy ones appear unique in their misery. Today I'm interested in choices of syntax, i.e whether or not your shop has agreed upon and follows a style guide. If you're surprised that I'm starting with this apparently mundane issue, consider yourself lucky in your choice of workplace. If you're shaking your head in rueful agreement about the importance of this topic, I feel your pain. I firmly believe that all of the code that I personally have to examine should come to me in a consistent format. Code is read many more times than it is written, which means that the ultimate cost of code is in its reading. It therefore follows that code should be optimized for readability, which in turn dictates that an application's code should all follow the same style. This is why FreeBSD, and most other open source projects, have a preferred style. Some projects are less specific and less strict about it. Most programmers agree with the prior paragraph, but here's where things begin to break down. As far as I'm concerned, my personal formatting style is clearly the best. However, I'm quite sure that you feel the same. It's easy for a group of programmers to agree that all code should follow a common style, but surprisingly difficult to get them to agree on just what that common style should be. Avoid appointing a human "style cop", which just forces someone to be an increasingly ill-tempered nag. Instead, supply programmers with the information they need to remedy their own transgressions. By the time a pull request is submitted, mis-stylings should long since have been put right. Pull request conversations ought to be about what code does rather than how code looks. What about old code? Ignore it. You don't have to re-style all existing code, just do better from this day forward. Defer updating old code until you touch it for other reasons. Following this strategy means that the code you most often work on will gradually take on a common style. It also means that some of your existing code might never get updated, but if you never look at it, who cares? If you choose to re-style code that you otherwise have no need to touch, you're declaring that changing the look of this old code has more value to your business than delivering the next item on the backlog. The opportunity cost of making a purely aesthetic change includes losing the benefit of what you could have done instead. The rule-of-thumb is: Don't bother updating the styling of stable, existing code unless not doing so costs you money. Most open source projects also avoid reformatting code just to change the style, because of the merge conflicts this will cause for downstream consumers If you disagree with the style guide upon which your team agrees, you have only two honorable options: First, you can obey the guide despite your aversion. As with me in the Elm story above, this act is likely to change your thinking so that over time you come to prefer the new style. It's possible that if you follow the guide you'll begin to like it. Alternatively, you can decide you will not obey the style guide. Making this decision demands that you leave your current project and find some other project whose guide matches your preferred style. Go there and follow that one. Notice that both of these choices have you following a guide. This part is not optional. The moral of this story? It's more important for all code to be formatted the same than it is for any one of us to get our own way. Commit to agreeing upon and following a style guide. And if you find that your team cannot come to an agreement, step away from this problem and start a discussion about power. There have been many arguments about style, and it can often be one of the first complaints of people new to any open source project This article covers it fairly well from both sides, a) you should follow the style guide of the project you are contributing to, b) the project should review your actual code, then comment on the style after, and provide gentle guidance towards the right style, and avoid being “style cops” *** Interview - The BSDNow Crew, Part II News Roundup Building FreeBSD for the Onion Omega 2 (https://github.com/sysadminmike/freebsd-onion-omega2-build) I got my Onion Omega 2 devices in the mail quite a while ago, but I had never gotten around to trying to install FreeBSD on them. They are a different MIPS SoC than the Onion Omega 1, so it would not work out of the box at the time. Now, the SoC is supported! This guide provides the steps to build an image for the Omega 2 using the freebsd-wifi-build infrastructure First some config files are modified to make the image small enough for the Omega 2's flash chip The DTS (Device Tree Source) files are not yet included in FreeBSD, so they are fetched from github Then the build for the ralink SoC is run, with the provided DTS file and the MT7628_FDT kernel config Once the build is complete, you'll have a tftp image file. Then that image is compressed, and bundled into a uboot image Write the files to a USB stick, and plug it into the Omega's dock Turn it on while holding the reset button with console open Press 1 to get into the command line. You will need to reset the usb: usb reset Then load the kernel boot image: fatload usb 0:1 0x80800000 kernel.MT7628_FDT.lzma.uImage And boot it: bootm 0x80800000 At this point FreeBSD should boot Mount a userland, and you should end up in multi-user mode Hopefully this will get even easier in the next few weeks, and we'll end up with a more streamlined process to tftp boot the device, then write FreeBSD into the onboard flash so it boots automatically. *** Setting the CPU Affinity on FreeBSD Jails with ezjail (https://www.neelc.org/setting-the-cpu-affinity-on-freebsd-jails-with-ezjail/) While there are more advanced resource controls available for FreeBSD jails, one of the most basic ways to control CPU usage is to limit the subset of CPUs that each jail can use. This can make sure that every jail has access to some dedicated resources, while at the same time doesn't have the ability to entirely dominate the machine I just got a new home server: a HP ProLiant ML110 G6. Being a FreeBSD person myself, it was natural that I used it on my server instead of Linux I chose to use ezjail to manage the jails on my ProLiant, with the initial one being a Tor middle node. Despite the fact that where my ML110 is, the upstream is only 35mbps (which is pretty good for cable), I did not want to give my Tor jail access to all four cores. Setting the CPU Affinity would let you choose a specific CPU core (or a range of cores) you want to use. However, it does not just let you pick the number of CPU cores you want and make FreeBSD choose the core running your jail. Going forward, I assumed that you have already created a jail using ezjail-admin. I also do not cover limiting a jail to a certain percentage of CPU usage. ezjail-admin config -c [CORENUMBERFIRST]-[CORENUMBERLAST] [JAIL_NAME] or ezjail-admin config -c [CORENUMBERFIRST],[CORENUMBERSECOND],...,[CORENUMBERN] [JAILNAME] And hopefully, you should have your ezjail-managed FreeBSD jail limited to the CPU cores you want. While I did not cover a CPU percentage or RAM usage, this can be done with rctl I'll admit: it doesn't really matter which CPU a jail runs on, but it might matter if you don't want a jail to have access to all the CPU cores available and only want [JAILNAME] to use one core. Since it's not really possible just specify the number of CPU cores with ezjail (or even iocell), a fallback would be to use CPU affinity, and that requires you to specify an exact CPU core. I know it's not the best solution (it would be better if we could let the scheduler choose provided a jail only runs on one core), but it's what works. We use this at work on high core count machines. When we have multiple databases colocated on the same machine, we make sure each one has a few cores to itself, while it shares other cores with the rest of the machine. We often reserve a core or two for the base system as well. *** A practical guide to containers on FreeNAS for a depraved psychopath. (https://medium.com/@andoriyu/a-practical-guide-to-containers-on-freenas-for-a-depraved-psychopath-c212203c0394) If you are interested in playing with Docker, this guide sets up a Linux VM running on FreeBSD or FreeNAS under bhyve, then runs linux docker containers on top of it You know that jails are dope and I know that jails are dope, yet no one else knows it. So here we are stuck with docker. Two years ago I would be the last person to recommend using docker, but a whole lot of things has changes past years… This tutorial uses iohyve to manage the VMs on the FreeBSD or FreeNAS There are many Linux variants you can choose from — RancherOS, CoreOS are the most popular for docker-only hosts. We going to use RancherOS because it's more lightweight out of the box. Navigate to RancherOS website and grab link to latest version sudo iohyve setup pool=zpool kmod=1 net=em0 sudo iohyve fetch https://releases.rancher.com/os/latest/rancheros.iso sudo iohyve renameiso rancheros.iso rancheros-v1.0.4.iso sudo pkg install grub2-bhyve sudo iohyve create rancher 32G sudo iohyve set rancher loader=grub-bhyve ram=8G cpu=8 con=nmdm0 os=debian sudo iohyve install rancher rancheros-v1.0.4.iso sudo iohyve console rancher Then the tutorial does some basic configuration of RancherOS, and some house keeping in iohyve to make RancherOS come up unattended at boot The whole point of this guide is to reduce pain, and using the docker CLI is still painful. There are a lot of Web UIs to control docker. Most of them include a lot of orchestrating services, so it's just overkill. Portainer is very lightweight and can be run even on Raspberry Pi Create a config file as described After reboot you will be able to access WebUI on 9000 port. Setup is very easy, so I won't go over it The docker tools for FreeBSD are still being worked on. Eventually you will be able to host native FreeBSD docker containers on FreeBSD jails, but we are not quite there yet In the meantime, you can install sysutils/docker and use it to manage the docker instances running on a remote machine, or in this case, the RancherOS VM running in bhyve *** Beastie Bits The Ghost of Invention: A Visit to Bell Labs, excerpt from the forthcoming book: “Kitten Clone: Inside Alcatel-Lucent” (https://www.wired.com/2014/09/coupland-bell-labs/) OpenBSD Cookbook (set of Ansible playbooks) (https://github.com/ligurio/openbsd-cookbooks) 15 useful sockstat commands to find open ports on FreeBSD (https://www.tecmint.com/sockstat-command-examples-to-find-open-ports-in-freebsd/) A prehistory of Slashdot (https://medium.freecodecamp.org/a-pre-history-of-slashdot-6403341dabae) Using ed, the unix line editor (https://medium.com/@claudio.santos.ribeiro/using-ed-the-unix-line-editor-557ed6466660) *** Feedback/Questions Malcolm - ZFS snapshots (http://dpaste.com/16EB3ZA#wrap) Darryn - Zones (http://dpaste.com/1DGHQJP#wrap) Mohammad - SSH Keys (http://dpaste.com/08G3VTB#wrap) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

We explore whether a BSD can replicate Cisco router performance; RETGUARD, OpenBSDs new exploit mitigation technology, Dragonfly's HAMMER2 filesystem implementation & more! This episode was brought to you by Headlines Can a BSD system replicate the performance of a Cisco router? (https://www.reddit.com/r/networking/comments/6upchy/can_a_bsd_system_replicate_the_performance_of/) Short Answer: No, but it might be good enough for what you need Traditionally routers were built with a tightly coupled data plane and control plane. Back in the 80s and 90s the data plane was running in software on commodity CPUs with proprietary software. As the needs and desires for more speeds and feeds grew, the data plane had to be implemented in ASICs and FPGAs with custom memories and TCAMs. While these were still programmable in a sense, they certainly weren't programmable by anyone but a small handful of people who developed the hardware platform. The data plane was often layered, where features not handled by the hardware data plane were punted to a software only data path running on a more general CPU. The performance difference between the two were typically an order or two of magnitude. source (https://fd.io/wp-content/uploads/sites/34/2017/07/FDioVPPwhitepaperJuly2017.pdf) Except for encryption (e.g. IPsec) or IDS/IPS, the true measure of router performance is packets forwarded per unit time. This is normally expressed as Packets-per-second, or PPS. To 'line-rate' forward on a 1gbps interface, you must be able to forward packets at 1.488 million pps (Mpps). To forward at "line-rate" between 10Gbps interfaces, you must be able to forward at 14.88Mpps. Even on large hardware, kernel-forwarding is limited to speeds that top out below 2Mpps. George Neville-Neil and I did a couple papers on this back in 2014/2015. You can read the papers (https://github.com/freebsd-net/netperf/blob/master/Documentation/Papers/ABSDCon2015Paper.pdf) for the results. However, once you export the code from the kernel, things start to improve. There are a few open source code bases that show the potential of kernel-bypass networking for building a software-based router. The first of these is netmap-fwd which is the FreeBSD ip_forward() code hosted on top of netmap, a kernel-bypass technology present in FreeBSD (and available for linux). Full-disclosure, netmap-fwd was done at my company, Netgate. netmap-fwd will l3 forward around 5 Mpps per core. slides (https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf) The first of these is netmap-fwd (https://github.com/Netgate/netmap-fwd) which is the FreeBSD ip_forward() code hosted on top of netmap (https://github.com/luigirizzo/netmap), a kernel-bypass technology present in FreeBSD (and available for linux). Full-disclosure, netmap-fwd was done at my company, Netgate. (And by "my company" I mean that I co-own it with my spouse.). netmap-fwd will l3 forward around 5 Mpps per core. slides (https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf) Nanako Momiyama of the Keio Univ Tokuda Lab presented on IP Forwarding Fastpath (https://www.bsdcan.org/2017/schedule/events/823.en.html) at BSDCan this past May. She got about 5.6Mpps (roughly 10% faster than netmap-fwd) using a similar approach where the ip_foward() function was rewritten as a module for VALE (the netmap-based in-kernel switch). Slides (https://2016.eurobsdcon.org/PresentationSlides/NanakoMomiyama_TowardsFastIPForwarding.pdf) from her previous talk at EuroBSDCon 2016 are available. (Speed at the time was 2.8Mpps.). Also a paper (https://www.ht.sfc.keio.ac.jp/~nanako/conext17-sw.pdf) from that effort, if you want to read it. Of note: They were showing around 1.6Mpps even after replacing the in-kernel routing lookup algorithm with DXR. (DXR was written by Luigi Rizzo, who is also the primary author of netmap.) Not too long after netmap-fwd was open sourced, Ghandi announced packet-journey, an application based on drivers and libraries and from DPDK. Packet-journey is also an L3 router. The GitHub page for packet-journey lists performance as 21,773.47 mbps (so 21.77Gbps) for 64-byte UDP frames with 50 ACLs and 500,000 routes. Since they're using 64-byte frames, this translates to roughly 32.4Mpps. Finally, there is recent work in FreeBSD (which is part of 11.1-RELEASE) that gets performance up to 2x the level of netmap-fwd or the work by Nanako Momiyama. 10 million PPS: Here (http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html) is a decent introduction. But of course, even as FreeBSD gets up to being able to do 10gbps at line-rate, 40 and 100 gigabits are not uncommon now Even with the fastest modern CPUs, this is very little time to do any kind of meaningful packet processing. At 10Gbps, your total budget per packet, to receive (Rx) the packet, process the packet, and transmit (Tx) the packet is 67.2 ns. Complicating the task is the simple fact that main memory (RAM) is 70 ns away. The simple conclusion here is that, even at 10Gbps, if you have to hit RAM, you can't generate the PPS required for line-rate forwarding. There is some detail about design tradeoffs in the Ryzen architecture and how that might impact using those machines as routers Anyway... those are all interesting, but the natural winner here is FD.io's Vector Packet Processing (VPP). Read this (http://blogs.cisco.com/sp/a-bigger-helping-of-internet-please) VPP is an efficient, flexible open source data plane. It consists of a set of forwarding nodes arranged in a directed graph and a supporting framework. The framework has all the basic data structures, timers, drivers (and interfaces to both DPDK and netmap), a scheduler which allocates the CPU time between the graph nodes, performance and debugging tools, like counters and built-in packet trace. The latter allows you to capture the paths taken by the packets within the graph with high timestamp granularity, giving full insight into the processing on a per-packet level. The net result here is that Cisco (again, Cisco) has shown the ability to route packets at 1 Tb/s using VPP on a four socket Purley system There is also much discussion of the future of pfSense, as they transition to using VPP This is a very lengthy write up which deserves a full read, plus there are some comments from other people *** RETGUARD, the OpenBSD next level in exploit mitigation, is about to debut (https://marc.info/?l=openbsd-tech&m=150317547021396&w=2) This year I went to BSDCAN in Ottawa. I spent much of it in the 'hallway track', and had an extended conversation with various people regarding our existing security mitigations and hopes for new ones in the future. I spoke a lot with Todd Mortimer. Apparently I told him that I felt return-address protection was impossible, so a few weeks later he sent a clang diff to address that issue... The first diff is for amd64 and i386 only -- in theory RISC architectures can follow this approach soon. The mechanism is like a userland 'stackghost' in the function prologue and epilogue. The preamble XOR's the return address at top of stack with the stack pointer value itself. This perturbs by introducing bits from ASLR. The function epilogue undoes the transform immediately before the RET instruction. ROP attack methods are impacted because existing gadgets are transformed to consist of " RET". That pivots the return sequence off the ROP chain in a highly unpredictable and inconvenient fashion. The compiler diff handles this for all the C code, but the assembly functions have to be done by hand. I did this work first for amd64, and more recently for i386. I've fixed most of the functions and only a handful of complex ones remain. For those who know about polymorphism and pop/jmp or JOP, we believe once standard-RET is solved those concerns become easier to address seperately in the future. In any case a substantial reduction of gadgets is powerful. For those worried about introducing worse polymorphism with these "xor; ret" epilogues themselves, the nested gadgets for 64bit and 32bit variations are +1 "xor %esp,(%rsp); ret", +2 "and $0x24,%al; ret" and +3 "and $0xc3,%al; int3". Not bad. Over the last two weeks, we have received help and advice to ensure debuggers (gdb, egdb, ddb, lldb) can still handle these transformed callframes. Also in the kernel, we discovered we must use a smaller XOR, because otherwise userland addresses are generated, and cannot rely on SMEP as it is really new feature of the architecture. There were also issues with pthreads and dlsym, which leads to a series of uplifts around _builtinreturn_address and DWARF CFI. Application of this diff doesn't require anything special, a system can simply be built twice. Or shortcut by building & installing gnu/usr.bin/clang first, then a full build. We are at the point where userland and base are fully working without regressions, and the remaining impacts are in a few larger ports which directly access the return address (for a variety of reasons). So work needs to continue with handling the RET-addr swizzle in those ports, and then we can move forward. You can find the full message with the diff here (https://marc.info/?l=openbsd-tech&m=150317547021396&w=2) *** Interview - Ed Maste, Charlie & Siva - @ed_maste (https://twitter.com/ed_maste), @yzgyyang (https://twitter.com/yzgyyang) & @svmhdvn (https://twitter.com/svmhdvn) Co-op Students for the FreeBSD Foundation *** News Roundup Next DFly release will have an initial HAMMER2 implementation (http://lists.dragonflybsd.org/pipermail/users/2017-August/313558.html) The next DragonFly release (probably in September some time) will have an initial HAMMER2 implementation. It WILL be considered experimental and won't be an installer option yet. This initial release will only have single-image support operational plus basic features. It will have live dedup (for cp's), compression, fast recovery, snapshot, and boot support out of the gate. This first H2 release will not have clustering or multi-volume support, so don't expect those features to work. I may be able to get bulk dedup and basic mirroring operational by release time, but it won't be very efficient. Also, right now, sync operations are fairly expensive and will stall modifying operations to some degree during the flush, and there is no reblocking (yet). The allocator has a 16KB granularity (on HAMMER1 it was 2MB), so for testing purposes it will still work fairly well even without reblocking. The design is in a good place. I'm quite happy with how the physical layout turned out. Allocations down to 1KB are supported. The freemap has a 16KB granularity with a linear counter (one counter per 512KB) for packing smaller allocations. INodes are 1KB and can directly embed 512 bytes of file data for files 512 bytes. The freemap is also zoned by type for I/O locality. The blockrefs are 'fat' at 128 bytes but enormously powerful. That will allow us to ultimately support up to a 512-bit crypto hash and blind dedup using said hash. Not on release, but that's the plan. I came up with an excellent solution for directory entries. The 1KB allocation granularity was a bit high but I didn't want to reduce it. However, because blockrefs are now 128 byte entities, and directory entries are hashed just like in H1, I was able to code them such that a directory entry is embedded in the blockref itself and does not require a separate data reference or allocation beyond that. Filenames up to 64 bytes long can be accomodated in the blockref using the check-code area of the blockref. Longer filenames will use an additional data reference hanging off the blockref to accomodate up to 255 char filenames. Of course, a minimum of 1KB will have to be allocated in that case, but filenames are

FreeBSD 11.1-RELEASE is out, we look at building at BSD home router, how to be your own OpenBSD VPN provider, and find that glob matching can be simple and fast. This episode was brought to you by Headlines FreeBSD 11.1-RELEASE (https://www.freebsd.org/releases/11.1R/relnotes.html) FreeBSD 11.1 was released on July 26th (https://www.freebsd.org/releases/11.1R/announce.asc) You can download it as an ISO or USB image, a prebuilt VM Image (vmdk, vhd, qcow2, or raw), and it is available as a cloud image (Amazon EC2, Microsoft Azure, Google Compute Engine, Vagrant) Thanks to everyone, including the release engineering team who put so much time and effort into managing this release and making sure it came out on schedule, all of the FreeBSD developers who contributed the features, the companies that sponsored that development, and the users who tested the betas and release candidates. Support for blacklistd(8) has been added to OpenSSH The cron(8) utility has been updated to add support for including files within /etc/cron.d and /usr/local/etc/cron.d by default. The syslogd(8) utility has been updated to add the include keyword which allows specifying a directory containing configuration files to be included in addition to syslog.conf(5). The default syslog.conf(5) has been updated to include /etc/syslog.d and /usr/local/etc/syslog.d by default. The zfsbootcfg(8) utility has been added, providing one-time boot.config(5)-style options The efivar(8) utility has been added, providing an interface to manage UEFI variables. The ipsec and tcpmd5 kernel modules have been added, these can now be loaded without having to recompile the kernel A number of new IPFW modules including Network Prefix Translation for IPv6 as defined in RFC 6296, stateless and stateful NAT64, and a module to modify the TCP-MSS of packets A huge array of driver updates and additions The NFS client now supports the Amazon® Elastic File System™ (EFS) The new ZFS Compressed ARC feature was added, and is enabled by default The EFI loader has been updated to support TFTPFS, providing netboot support without requiring an NFS server For a complete list of new features and known problems, please see the online release notes and errata list, available at: FreeBSD 11.1-RELEASE Release Notes (https://www.freebsd.org/releases/11.1R/relnotes.html) FreeBSD 11.1-RELEASE Errata (https://www.freebsd.org/releases/11.1R/errata.html) For more information about FreeBSD release engineering activities, please see: Release Engineering Information (https://www.freebsd.org/releng/) Availability FreeBSD 11.1-RELEASE is now available for the amd64, i386, powerpc, powerpc64, sparc64, armv6, and aarch64 architectures. FreeBSD 11.1-RELEASE can be installed from bootable ISO images or over the network. Some architectures also support installing from a USB memory stick. The required files can be downloaded as described in the section below. SHA512 and SHA256 hashes for the release ISO, memory stick, and SD card images are included at the bottom of this message. PGP-signed checksums for the release images are also available at: FreeBSD 11.1 Release Checksum Signatures (https://www.freebsd.org/releases/11.1R/signatures.html) A PGP-signed version of this announcement is available at: FreeBSD 11.1-RELEASE Announcement (https://www.FreeBSD.org/releases/11.1R/announce.asc) *** Building a BSD home router - ZFS and Jails (https://eerielinux.wordpress.com/2017/07/15/building-a-bsd-home-router-pt-8-zfs-and-jails/) Part of a series of posts about building a router: Part 1 (https://eerielinux.wordpress.com/2017/05/30/building-a-bsd-home-router-pt-1-hardware-pc-engines-apu2/) -- discussing why you want to build your own router and how to assemble the APU2 Part 2 (https://eerielinux.wordpress.com/2017/06/03/building-a-bsd-home-router-pt-2-the-serial-console-excursion) -- some Unix history explanation of what a serial console is Part 3 (https://eerielinux.wordpress.com/2017/06/10/building-a-bsd-home-router-pt-3-serial-access-and-flashing-the-firmware/) -- demonstrating serial access to the APU and covering firmware update Part 4 (https://eerielinux.wordpress.com/2017/06/15/building-a-bsd-home-router-pt-4-installing-pfsense/) -- installing pfSense Part 5 (https://eerielinux.wordpress.com/2017/06/20/building-a-bsd-home-router-pt-5-installing-opnsense/) -- installing OPNsense instead Part 6 (https://eerielinux.wordpress.com/2017/06/30/building-a-bsd-home-router-pt-7-advanced-opnsense-setup/) -- Comparison of pfSense and OPNsense Part 7 (https://eerielinux.wordpress.com/2017/06/30/building-a-bsd-home-router-pt-7-advanced-opnsense-installation/) -- Advanced installation of OPNsense After the advanced installation in part 7, the tutorials covers converting an unused partition into swap space, and converting the system to ZFS After creating a new pool using the set aside partition, some datasets are created, and the log files, ports, and obj ZFS datasets are mounted The tutorial then goes on to cover how to download the ports tree, and install additional software on the router I wonder what part 9 will be about. *** Be your own VPN provider with OpenBSD (v2) (https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.htm) This article covers how to build your own VPN server with some advanced features including: Full Disk Encryption (FDE) Separate CA/signing machine (optional) Multiple DNSCrypt proxy instances for failover OpenVPN: Certificate Revocation List/CRL (optional) OpenVPN: TLS 1.2 only OpenVPN: TLS cipher based on AES-256-GCM only OpenVPN: HMAC-SHA512 instead of HMAC-SHA1 OpenVPN: TLS encryption of control channel (makes it harder to identify OpenVPN traffic) The article starts with an explanation of the differences between OpenVPN and IPSEC. In the end the author chose OpenVPN because you can select the port it runs on, and it has a better chance of working from hotel or coffee shop WiFi. The guide them walks through doing an installation on an encrypted disk, with a caution about the limitations of encrypted disk with virtual machines hosted by other parties. The guide then locks down the newly installed system, configuring SSH for keys only, adding some PF rules, and configuring doas Then networking is configured, including enabling IP forwarding since this machine is going to act as the VPN gateway Then a large set of firewall rules are created that NAT the VPN traffic out of the gateway, except for DNS requests that are redirected to the gateways local unbound Then some python scripts are provided to block brute force attempts We will use DNSCrypt to make our DNS requests encrypted, and Unbound to have a local DNS cache. This will allow us to avoid using our VPS provider DNS servers, and will also be useful to your future VPN clients which will be able to use your VPN server as their DNS server too Before configuring Unbound, which is the local DNS cache which will make requests to dnscrypt_proxy, we can configure an additional dnscrypt instance, as explained in the pkg readme. Indeed, dnscrypt DNS servers being public ones, they often goes into maintenance, become offline or temporarily unreachable. To address this issue, it is possible to setup multiple dnscrypt instances. Below are the steps to follow to add one, but you can add more if you wish Then a CA and Certificate are created for OpenVPN OpenVPN is installed and configured as a server Configuration is also provided for a client, and a mobile client Thanks to the author for this great tutorial You might also want to check out this section from their 2015 version of this post: Security vs Anonymity (https://networkfilter.blogspot.nl/2015/01/be-your-own-vpn-provider-with-openbsd.html#security_anonymity) *** Essen Hackathon Trip - Benedict Reuschling (https://www.freebsdfoundation.org/blog/2017-essen-hackathon-trip-report-benedict-reuschling/) Over on the FreeBSD Foundation Blog, Benedict provides a detailed overview of the Essen Hackathon we were at a few weeks ago. Head over there and give it a read, and get a feel for what these smaller type of community events are like. Hopefully you can attend, or better yet, organize, a similar event in your area. News Roundup Blog about my self-hosted httpd blog (https://reykfloeter.com/posts/blog-about-my-blog) I really like Twitter because it allows me to share short messages, we have a great community, and 140 characters are enough for everybody. And this statement was exactly 140 characters, but sometimes I want to say more than that. And that's why I finally created this new blog. I was never really into blogging because I barely had time or the audience to write long articles. I sometimes wrote short stories for sites like undeadly.org, I collected some of them here, but my own blog was hosted on tumblr and never saw any activity. I want to try it again, and this time I decided to create a self-hosted blog. Something that runs on my own server and with httpd, the web server that I wrote for OpenBSD. So I was looking for potential blogging tools that I could use to run my own blog. Besides the popular and heavyweight ones such as WordPress, there are countless other options: I looked at blogs from fellow developers, such as Ted Unangst's flak (I like the fact that it is written in Lua but the implementation is a bit over my head), or Pelican that is used by Peter Hessler for bad.network (but, sorry, I don't like Python), and finally Kristaps Dzonsons' sblg that is used for all of his projects and blogs. I decided to use sblg. Kristaps keeps on releasing very useful free software. Most well-known is mandoc, at least everyone is using it for manpages these days, but there is is also his BCHS (beaches) web stack which strongly advertises OpenBSD's httpd. Great. I also use kcgi whenever I have to write small CGIs. So sblg seemed like the right choice to me. Let me quickly iterate over my current Makefile. I keep on tweaking this file, so it might have been changed by the time you are reading this article. Please note that the Makefile is written for OpenBSD's make, a distant derivative of pmake which is not like GNU make. I'm not a designer or web developer, but I appreciate good looking web pages. I wanted to have something that is responsive, works on desktops and mobiles, looks somewhat modern, works without JavaScript, but doesn't disqualify me for all the eye candy from a geek point of view. I bootstrapped the theme by creating a simple grid layout with a fairly typical blog style: banner, top menu, middle text, sidebar. In 2017, bootstrap is probably a vintage (or retro) framework but it makes it very easy to create responsive pages with a proper layout and without caring about all the CSS and HTML5 madness too much. I also use Font Awesome because it is awesome, provides some fancy icons, and was suggested in sblg's example templates (let's blame Kristaps for it). I do not include any JavaScript which prevents me from using bootstrap's responsive hamburger menu. I have to admit that "reykfloeter" is not an ideal name for a blog. My actual name is "Reyk Flöter", and I normally just use my first name "reyk" as a user- and nickname, but it was taken when I registered my Twitter account and the related domain. So I picked reykfloeter in a few places. I'm aware that my German last name is nearly unpronounceable for others, so "reykfloeter" appears like a random concatenation of letters. As most of us, I own a number of domains and maybe I should move the blog to bsd.plumbing (which is used as a home for relayd and httpd), arc4random.com (but I intended to use it as a fine OpenBSD-powered Entropy-as-a-Service for poor Linuxers), or even copper.coffee? In addition to the domain, I also need a good blog name or tag line. A very memorable example in the BSD world is Peter Hansteen's THAT GRUMPY BSD GUY blog. So what should I use? Reyk Flöter's blog OpenBSD hacker. Coffee nerd. Founder. Ask Reyk (imaginary how-tos and 10 step guides) Sewage, Drainage and BSD Plumbing (bsd.plumbing/blog) A Replacement Call for Random (arc4random.com) Coffee with Reyk (copper.coffee) For now it will just be reykfloeter - blog iXsystems releases the X10 (https://www.ixsystems.com/blog/serverenvy-truenas-x10/) TrueNAS X10 is the the 3rd generation of the TrueNAS unified storage line. The X10 is the first of a new TrueNAS series, and will be expandable to up to 360TB with the TrueNAS ES12 expansion shelf. The X10 is cost effective, at a 30% lower price point than the Z20, making it an effective addition to your backup/DR infrastructure. The street price of a 20TB non-HA model falls under $10K. It's designed to move with six predefined configurations that match common use cases. The dual controllers for high availability are an optional upgrade to ensure business continuity and avoid downtime. The X10 boasts 36 hot swap SAS using two expansion shelves, for up to 360TB of storage, allowing you to backup thousands of VMs or share tens of thousands of files. One of the use cases for TrueNAS X10 is for backup, so users can upgrade the X10 to two ports of blazing 10GigE connectivity. The 20TB non-HA model enables you to backup over 7,000 VDI VMs for under $3.00 per VM. Overall, the X10 is a greener solution than the TrueNAS Z product line, with the non-HA version boasting only 138 watts of power and taking up only 2U of space. Best of all, the TrueNAS X10 starts at $5,500 street. You can purchase a 120TB configuration today for under $20K street. Glob Matching Can Be Simple And Fast Too (https://research.swtch.com/glob) Here's a straightforward benchmark. Time how long it takes to run ls (a)nb in a directory with a single file named a100, compared to running ls | grep (a.)nb. Superscripts denote string repetition and parentheses are for grouping only, so that when n is 3, we're running ls aaab in a directory containing the single file aaa…aaa (100 a's), compared against ls | grep a.a.a.b in the same directory. The exception seems to be the original Berkeley csh, which runs in linear time (more precisely, time linear in n). Looking at the source code, it doesn't attempt to perform glob expansion itself. Instead it calls the C library implementation glob(3), which runs in linear time, at least on this Linux system. So maybe we should look at programming language implementations too. Most programming languages provide some kind of glob expansion, like C's glob. Let's repeat the experiment in a variety of different programming languages: Perhaps the most interesting fact evident in the graph is that GNU glibc, the C library used on Linux systems, has a linear-time glob implementation, but BSD libc, the C library used on BSD and macOS systems, has an exponential-time implementation. PHP is not shown in the graph, because its glob function simply invokes the host C library's glob(3), so that it runs in linear time on Linux and in exponential time on non-Linux systems. (I have not tested what happens on Windows.) All the languages shown in the graph, however, implement glob matching without using the host C library, so the results should not vary by host operating system. The netkit ftpd runs quickly on Linux because it relies on the host C library's glob function. If run on BSD, the netkit ftpd would take exponential time. ProFTPD ships a copy of the glibc glob, so it should run quickly even on BSD systems. Ironically, Pure-FTPd and tnftpd take exponential time on Linux because they ship a copy of the BSD glob function. Presumably they do this to avoid assuming that the host C library is bug-free, but, at least in this one case, the host C library is better than the one they ship. Additional Reading This post is an elaboration of an informal 2012 Google+ post showing that most shells used exponential-time glob expansion. At the time, Tom Duff, the author of Plan 9's rc shell, commented that, “I can confirm that rc gets it wrong. My excuse, feeble as it is, is that doing it that way meant that the code took 10 minutes to write, but it took 20 years for someone to notice the problem. (That's 10 ‘programmer minutes', i.e. less than a day.)” I agree that's a reasonable decision for a shell. In contrast, a language library routine, not to mention a network server, today needs to be robust against worst-case inputs that might be controlled by remote attackers, but nearly all of the code in question predates that kind of concern. I didn't realize the connection to FTP servers until I started doing additional research for this post and came across a reference to CVE-2010-2632 in FreeBSD's glob implementation. BSD VPS Providers Needed (https://torbsd.github.io/blog.html#bsd-vps) One of TDP's recent projects is accumulating a list of virtual private server services (VPS) that provide a BSD option. VPS's are generally inexpensive services that enable the user to only concern themselves with software configuration, and not be bothered with hardware or basic operating system setup. In the pre-Cloud era, VPS providers were the “other people's computers” that users outsourced their systems to. The same shortcomings of cloud services apply to VPS providers. You don't control the hardware. Your files are likely viewable by users up the directory hierarchy. The entropy source or pool is a single source for multiple systems. The same time drift applies to all time-keeping services. Nevertheless, VPS services are often cheap and provide a good spread in terms of geography. All a provider really needs is a few server-grade computers and a decent network connection. VPS's are still a gateway drug to bare-metal servers, although it seems more and more of these gateway users stop at stage one. Cheap systems with a public IP are also a great way to tinker with a new operating system. For this reason, TDP created this list of BSD VPS providers. Some explicitly deny running Tor as a server. Some just reference vague “proxy services.” Others don't mention Tor or proxies at all. The list is a start with currently just under 70 VPS providers listed. Input through various channels already started, and TDP intends to update the list over the coming months. A first draft email and open letter addressed to the providers were drafted, and we are looking to speak directly to at least some of the better-known BSD VPS providers. We may be able to convince a few to allow public Tor relays, or at least published bridges. These providers could be new BSD users' gateway drug into the world of BSD Tor nodes. Running a Tor relay shouldn't be considered a particularly risky activity. Maybe we can adjust that perception. Let us know any input via email or GitHub, and we'll be glad to make updates. Beastie Bits Avoid OS Detection with OpenBSD (https://blog.cagedmonster.net/avoid-os-detection-openbsd/) TrueOS update to fix updating (https://www.trueos.org/blog/update-fix-updating/) MidnightBSD 0.8.5 VirtualBox Install (https://www.youtube.com/watch?v=I08__ZWaJ0w) BSD Pizza Night in Portland (http://calagator.org/events/tag/BSD) *** Feedback/Questions Andrew - BSDCan videos? (http://dpaste.com/08E90PX) Marc - The Rock64 Board (http://dpaste.com/08KE40G) Jason - Follow up on UEFI and Bhyve (http://dpaste.com/2EP7BFC) Patrick - EFI booting (http://dpaste.com/34Z9SFM) ***

We look at an OpenBSD setup on a new laptop, revel in BSDCan trip reports, and visit daemons and friendly ninjas. This episode was brought to you by Headlines OpenBSD and the modern laptop (http://bsdly.blogspot.de/2017/07/openbsd-and-modern-laptop.html) Peter Hansteen has a new blog post about OpenBSD (http://www.openbsd.org/) on laptops: Did you think that OpenBSD is suitable only for firewalls and high-security servers? Think again. Here are my steps to transform a modern mid to high range laptop into a useful Unix workstation with OpenBSD. One thing that never ceases to amaze me is that whenever I'm out and about with my primary laptop at conferences and elsewhere geeks gather, a significant subset of the people I meet have a hard time believing that my laptop runs OpenBSD, and that it's the only system installed. and then it takes a bit of demonstrating that yes, the graphics runs with the best available resolution the hardware can offer, the wireless network is functional, suspend and resume does work, and so forth. And of course, yes, I do use that system when writing books and articles too. Apparently heavy users of other free operating systems do not always run them on their primary workstations. Peter goes on to describe the laptops he's had over the years (all running OpenBSD) and after BSDCan 2017, he needed a new one due to cracks in the display. So the time came to shop around for a replacement. After a bit of shopping around I came back to Multicom, a small computers and parts supplier outfit in rural Åmli in southern Norway, the same place I had sourced the previous one. One of the things that attracted me to that particular shop and their own-branded offerings is that they will let you buy those computers with no operating system installed. That is of course what you want to do when you source your operating system separately, as we OpenBSD users tend to do. The last time around I had gone for a "Thin and lightweight" 14 inch model (Thickness 20mm, weight 2.0kg) with 16GB RAM, 240GB SSD for system disk and 1TB HD for /home (since swapped out for a same-size SSD, as the dmesg will show). Three years later, the rough equivalent with some added oomph for me to stay comfortable for some years to come ended me with a 13.3 inch model, 18mm and advertised as 1.3kg (but actually weighing in at 1.5kg, possibly due to extra components), 32GB RAM, 512GB SSD and 2TB harddisk. For now the specification can be viewed online here (https://www.multicom.no/systemconfigurator.aspx?q=st:10637291;c:100559;fl:0#4091-10500502-1;4086-10637290-1;4087-8562157-2;4088-9101982-1;4089-9101991-1) (the site language is Norwegian, but product names and units of measure are not in fact different). The OpenBSD installer is a wonder of straightforward, no-nonsense simplicity that simply gets the job done. Even so, if you are not yet familiar with OpenBSD, it is worth spending some time reading the OpenBSD FAQ's installation guidelines and the INSTALL.platform file (in our case, INSTALL.amd64) to familiarize yourself with the procedure. If you're following this article to the letter and will be installing a snapshot, it is worth reading the notes on following -current too. The main hurdle back when I was installing the 2014-vintage 14" model was getting the system to consider the SSD which showed up as sd1 the automatic choice for booting (I solved that by removing the MBR, setting the size of the MBR on the hard drive that showed up as sd0 to 0 and enlarging the OpenBSD part to fill the entire drive). + He goes on to explain the choices he made in the installer and settings made after the reboot to set up his work environment. Peter closes with: If you have any questions on running OpenBSD as a primary working environment, I'm generally happy to answer but in almost all cases I would prefer that you use the mailing lists such as misc@openbsd.org or the OpenBSD Facebook (https://www.facebook.com/groups/2210554563/) group so the question and hopefully useful answers become available to the general public. Browsing the slides for my recent OpenBSD and you (https://home.nuug.no/~peter/openbsd_and_you/) user group talk might be beneficial if you're not yet familiar with the system. And of course, comments on this article are welcome. BSDCan 2017 Trip Report: Roller Angel (https://www.freebsdfoundation.org/blog/2017-bsdcan-trip-report-roller-angel/) We could put this into next week's show, because we have another trip report already that's quite long. After dropping off my luggage, I headed straight over to the Goat BoF which took place at The Royal Oak. There were already a number of people there engaged in conversation with food and drink. I sat down at a table and was delighted that the people sitting with me were also into the BSD's and were happy to talk about it the whole time. I felt right at home from the start as people were very nice to me, and were interested in what I was working on. I honestly didn't know that I would fit in so well. I had a preconceived notion that people may be a bit hard to approach as they are famous and so technically advanced. At first, people seemed to only be working in smaller circles. Once you get more familiar with the faces, you realize that these circles don't always contain the same people and that they are just people talking about specific topics. I found that it was easy to participate in the conversation and also found out that people are happy to get your feedback on the subject as well. I was actually surprised how easily I got along with everyone and how included I felt in the activities. I volunteered to help wherever possible and got to work on the video crew that recorded the audio and slides of the talks. The people at BSDCan are incredibly easy to talk to, are actually interested in what you're doing with BSD, and what they can do to help. It's nice to feel welcome in the community. It's like going home. Dan mentioned in his welcome on the first day of BSDCan that the conference is like home for many in the community. The trip report is very detailed and chronicles the two days of the developer summit, and the two days of the conference There was some discussion about a new code of conduct by Benno Rice who mentioned that people are welcome to join a body of people that is forming that helps work out issues related to code of conduct and forwards their recommendations on to core. Next, Allan introduced the idea of creating a process for formally discussing big project changes or similar discussions that is going to be known as FCP or FreeBSD Community Proposal. In Python we have the Python Enhancement Proposal or PEP which is very similar to the idea of FCP. I thought this idea is a great step for FreeBSD to be implementing as it has been a great thing for Python to have. There was some discussion about taking non-code contributions from people and how to recognize those people in the project. There was a suggestion to have a FreeBSD Member status created that can be given to people whose non-code contributions are valuable to the project. This idea seemed to be on a lot of people's minds as something that should be in place soon. The junior jobs on the FreeBSD Wiki were also brought up as a great place to look for ideas on how to get involved in contributing to FreeBSD. Roller wasted no time, and started contributing to EdgeBSD at the conference. On the first day of BSDCan I arrived at the conference early to coordinate with the team that records the talks. We selected the rooms that each of us would be in to do the recording and set up a group chat via WhatsApp for coordination. Thanks to Roller, Patrick McAvoy, Calvin Hendryx-Parker, and all of the others who volunteered their time to run the video and streaming production at BSDCan, as well as all others who volunteered, even if it was just to carry a box. BSDCan couldn't happen without the army of volunteers. After the doc lounge, I visited the Hacker Lounge. There were already several tables full of people talking and working on various projects. In fact, there was a larger group of people who were collaborating on the new libtrue library that seemed to be having a great time. I did a little socializing and then got on my laptop and did some more work on the documentation using my new skills. I really enjoyed having a hacker lounge to go to at night. I want to give a big thank you to the FreeBSD Foundation for approving my travel grant. It was a great experience to meet the community and participate in discussions. I'm very grateful that I was able to attend my first BSDCan. After visiting the doc lounge a few times, I managed to get comfortable using the tools required to edit the documentation. By the end of the conference, I had submitted two documentation patches to the FreeBSD Bugzilla with several patches still in progress. Prior to the conference I expected that I would be spending a lot of time working on my Onion Omega and Edge Router Lite projects that I had with me, but I actually found that there was always something fun going on that I would rather do or work on. I can always work on those projects at home anyway. I had a good time working with the FreeBSD community and will continue working with them by editing the documentation and working with Bugzilla. One of the things I enjoy about these trip reports is when they help convince other people to make the trip to their first conference. Hopefully by sharing their experience, it will convince you to come to the next conference: vBSDCon in Virginia, USA: Sept 7-9 EuroBSDCon in Paris, France: Sept 21-24 BSDTW in Taipei, Taiwan: November 11-12 (CFP ends July 31st) *** BSDCan 2017 - Trip report double-p (http://undeadly.org/cgi?action=article&sid=20170629150641) Prologue Most overheard in Tokyo was "see you in Ottawaaaaah", so with additional "personal item" being Groff I returned home to plan the trip to BSDCan. Dan was very helpful with getting all the preparations (immigration handling), thanks for that. Before I could start, I had to fix something: the handling of the goat. With a nicely created harness, I could just hang it along my backpack. Done that it went to the airport of Hamburg and check-in for an itinerary of HAM-MUC-YUL. While the feeder leg was a common thing, boarding to YUL was great - cabin-crew likes Groff :) Arriving in Montreal was like entering a Monsoon zone or something, sad! After the night the weather was still rain-ish but improving and i shuttled to Dorval VIARail station to take me to Ottawa (ever avoid AirCanada, right?). Train was late, but the conductor (or so) was nice to talk to - and wanted to know about Groff's facebook page :-P. Picking a cab in Ottawa to take me to "Residence" was easy at first - just that it was the wrong one. Actually my fault and so I had a "nice, short" walk to the actual one in the rain with wrong directions. Eventually I made it and after unpacking, refreshment it was time to hit the Goat BOF! Day 1 Since this was my first BSDCan I didnt exactly knew what to expect from this BOF. But it was like, we (Keeper, Dan, Allan, ..) would talk about "who's next" and things like that. How mistaken I was :). Besides the sheer amount of BSD people entering the not-so-yuuge Oak some Dexter sneaked in camouflage. The name-giver got a proper position to oversee the mess and I was glad I did not leave him behind after almost too many Creemores. Day 2 Something happened it's crystal blue on the "roof" and sun is trying its best to wake me up. To start the day, I pick breakfast at 'Father+Sons' - I can really recommend that. Very nice home made fries (almost hashbrowns) and fast delivery! Stuffed up I trott along to get to phessler's tutorial about BGP-for-sysadmins-and-developers. Peter did a great job, but the "lab" couldn't happen, since - oh surprise - the wifi was sluggish as hell. Must love the first day on a conference every time. Went to Hackroom in U90 afterwards, just to fix stuff "at home". IPsec giving pains again. Time to pick food+beer afterwards and since it's so easy to reach, we went to the Oak again. Having a nice backyard patio experience it was about time to meet new people. Cheers to Tom, Aaron, Nick, Philip and some more, we'd an awesome night there. I also invited some not-really-computer local I know by other means who was completly overwhelmed by what kind of "nerds" gather around BSD. He planned to stay "a beer" - and it was rather some more and six hours. Looks like "we" made some impression on him :). Day 3 Easy day, no tutorials at hand, so first picking up breakfast at F+S again and moving to hackroom in U90. Since I promised phessler to help with an localized lab-setup, I started to hack on a quick vagrant/ansible setup to mimic his BGP-lab and went quickly through most of it. Plus some more IPsec debugging and finally fixing it, we went early in the general direction of the Red Lion to pick our registration pack. But before that could happen it was called to have shawarma at 3brothers along. Given a tight hangover it wasn't the brightest idea to order a poutine m-(. Might be great the other day, it wasn't for me at the very time and had to throw away most of it :(. Eventually passing on to the Red Lion I made the next failure with just running into the pub - please stay at the front desk until "seated". I never get used to this concept. So after being "properly" seated, we take our beers and the registration can commence after we had half of it. So I register myself; btw it's a great idea to grant "not needed" stuff to charity. So dont pick "just because", think about it if you really need this or that gadget. Then I register Groff - he really needs badges - just to have Dru coming back to me some minutes later one to hand me the badge for Henning. That's just "amazing"; I dont know IF i want to break this vicious circle the other day, since it's so funny. Talked to Theo about the ongoing IPsec problems and he taught me about utrace(2) which looks "complicated" but might be an end of the story the other day. Also had a nice talk to Peter (H.) about some other ideas along books. BTW, did I pay for ongoing beers? I think Tom did - what a guy :). Arriving at the Residence, I had to find my bathroom door locked (special thing).. crazy thing is they dont have a master key at the venue, but to have to call in one from elsewhere. Short night shortened by another 30minutes :(. Day 4 Weather is improving into beach+sun levels - and it's Conference Day! The opening keynote from Geist was very interesting ("citation needed"). Afterwards I went to zfs-over-ssh, nothing really new (sorry Allan). But then Jason had a super interesting talk on how about to apply BSD for the health-care system in Australia. I hope I can help him with the last bits (rdomain!) in the end. While lunch I tried to recall my memories about utrace(2) while talking to Theo. Then it was about to present my talk and I think it was well perceipted. One "not so good" feedback was about not taking the audience more into account. I think I was asking every other five slides or so - but, well. The general feedback (in spoken terms) was quite good. I was a bit "confused" and I did likely a better job in Tokyo, but well. Happened we ended up in the Oak again.. thanks to mwl, shirkdog, sng, pitrh, kurtm for having me there :) Day 5 While the weather had to decide "what next", I rushed to the venue just to gather Reyk's talk about vmd(8). Afterwards it was MSTP from Paeps which was very interesting and we (OpenBSD) should look into it. Then happened BUG BOF and I invite all "coastal Germans" to cbug.de :) I had to run off for other reasons and came back to Dave's talk which was AWESOME. Following was Rod's talk.. well. While I see his case, that was very poor. The auction into closing was awesome again, and I spend $50 on a Tshirt. :) + Epilogue I totally got the exit dates wrong. So first cancel a booking of an Hotel and then rebook the train to YUL. So I have plenty of time "in the morning" to get breakfast with the local guy. After that he drives me to VIARail station and I dig into "business" cussions. Well, see you in Ottawa - or how about Paris, Taipei? Bind Broker (http://www.tedunangst.com/flak/post/bind-broker) Ted Unangst writes about an interesting idea he has He has a single big server, and lots of users who would like to share it, many want to run web servers. This would be great, but alas, archaic decisions made long ago mean that network sockets aren't really files and there's this weird concept of privileged ports. Maybe we could assign each user a virtual machine and let them do whatever they want, but that seems wasteful. Think of the megabytes! Maybe we could setup nginx.conf to proxy all incoming connections to a process of the user's choosing, but that only works for web sites and we want to be protocol neutral. Maybe we could use iptables, but nobody wants to do that. What we need is a bind broker. At some level, there needs to be some kind of broker that assigns IPs to users and resolves conflicts. It should be possible to build something of this nature given just the existing unix tools we have, instead of changing system design. Then we can deploy our broker to existing systems without upgrading or disrupting their ongoing operation. The bind broker watches a directory for the creation, by users, of unix domain sockets. Then it binds to the TCP port of the same name, and transfers traffic between them. A more complete problem specification is as follows. A top level directory, which contains subdirectories named after IP addresses. Each user is assigned a subdirectory, which they have write permission to. Inside each subdirectory, the user may create unix sockets named according to the port they wish to bind to. We might assign user alice the IP 10.0.0.5 and the user bob the IP 10.0.0.10. Then alice could run a webserver by binding to net/10.0.0.5/80 and bob could run a mail server by binding to net/10.0.0.10/25. This maps IP ownership (which doesn't really exist in unix) to the filesystem namespace (which does have working permissions). So this will be a bit different than jails. The idea is to use filesystem permissions to control which users can bind to which IP addresses and ports The broker is responsible for watching each directory. As new sockets are created, it should respond by binding to the appropriate port. When a socket is deleted, the network side socket should be closed as well. Whenever a connection is accepted on the network side, a matching connection is made on the unix side, and then traffic is copied across. A full set of example code is provided There's no completely portable way to watch a directory for changes. I'm using a kevent extension. Otherwise we might consider a timeout and polling with fstat, or another system specific interface (or an abstraction layer over such an interface). Otherwise, if one of our mappings is ready to read (accept), we have a new connection to handle. The first half is straightforward. We accept the connection and make a matching connect call to the unix side. Then I broke out the big cheat stick and just spliced the sockets together. In reality, we'd have to set up a read/copy/write loop for each end to copy traffic between them. That's not very interesting to read though. The full code, below, comes in at 232 lines according to wc. Minus includes, blank lines, and lines consisting of nothing but braces, it's 148 lines of stuff that actually gets executed by the computer. Add some error handling, and working read/write code, and 200 lines seems about right. A very interesting idea. I wonder about creating a virtual file system that would implement this and maybe do a bit more to fully flesh out this idea. What do you think? *** News Roundup Daemons and friendly Ninjas (https://euroquis.nl/bobulate/?p=1600) There's quite a lot of software that uses CMake as a (meta-)buildsystem. A quick count in the FreeBSD ports tree shows me 1110 ports (over a thousand) that use it. CMake generates buildsystem files which then direct the actual build — it doesn't do building itself. There are multiple buildsystem-backends available: in regular usage, CMake generates Makefiles (and does a reasonable job of producing Makefiles that work for GNU Make and for BSD Make). But it can generate Ninja, or Visual Studio, and other buildsystem files. It's quite flexible in this regard. Recently, the KDE-FreeBSD team has been working on Qt WebEngine, which is horrible. It contains a complete Chromium and who knows what else. Rebuilding it takes forever. But Tobias (KDE-FreeBSD) and Koos (GNOME-FreeBSD) noticed that building things with the Ninja backend was considerably faster for some packages (e.g. Qt WebEngine, and Evolution data-thingy). Tobias wanted to try to extend the build-time improvements to all of the CMake-based ports in FreeBSD, and over the past few days, this has been a success. Ports builds using CMake now default to using Ninja as buildsystem-backend. Here's a bitty table of build-times. These are one-off build times, so hardly scientifically accurate — but suggestive of a slight improvement in build time. Name Size GMake Ninja liblxt 50kB 0:32 0:31 llvm38 1655kB * 19:43 musescore 47590kB 4:00 3:54 webkit2-gtk3 14652kB 44:29 37:40 Or here's a much more thorough table of results from tcberner@, who did 5 builds of each with and without ninja. I've cut out the raw data, here are just the average-of-five results, showing usually a slight improvement in build time with Ninja. Name av make av ninj Delta D/Awo compiler-rt 00:08 00:07 -00:01 -14% openjpeg 00:06 00:07 +00:01 +17% marble 01:57 01:43 -00:14 -11% uhd 01:49 01:34 -00:15 -13% opencacscade 04:08 03:23 -00:45 -18% avidemux 03:01 02:49 -00:12 – 6% kdevelop 01:43 01:33 -00:10 – 9% ring-libclient 00:58 00:53 -00:05 – 8% Not everything builds properly with Ninja. This is usually due to missing dependencies that CMake does not discover; this shows up when foo depends on bar but no rule is generated for it. Depending on build order and speed, bar may be there already by the time foo gets around to being built. Doxygen showed this, where builds on 1 CPU core were all fine, but 8 cores would blow up occasionally. In many cases, we've gone and fixed the missing implicit dependencies in ports and upstreams. But some things are intractable, or just really need GNU Make. For this, the FreeBSD ports infrastructure now has a knob attached to CMake for switching a port build to GNU Make. Normal: USES=cmake Out-of-source: USES=cmake:outsource GNU Make: USES=cmake:noninja gmake OoS, GMake: USES=cmake:outsource,noninja gmake Bad: USES=cmake gmake For the majority of users, this has no effect, but for our package-building clusters, and for KDE-FreeBSD developers who build a lot of CMake-buildsystem software in a day it may add up to an extra coffee break. So I'll raise a shot of espresso to friendship between daemons and ninjas. Announcing the pkgsrc-2017Q2 release (http://mail-index.netbsd.org/pkgsrc-users/2017/07/10/msg025237.html) For the 2017Q2 release we welcome the following notable package additions and changes to the pkgsrc collection: Firefox 54 GCC 7.1 MATE 1.18 Ruby 2.4 Ruby on Rails 4.2 TeX Live 2017 Thunderbird 52.1 Xen 4.8 We say goodbye to: Ruby 1.8 Ruby 2.1 The following infrastructure changes were introduced: Implement optional new pkgtasks and init infrastructure for pkginstall. Various enhancements and fixes for building with ccache. Add support to USE_LANGUAGES for newer C++ standards. Enhanced support for SSP, FORTIFY, and RELRO. The GitHub mirror has migrated to https://github.com/NetBSD/pkgsrc In total, 210 packages were added, 43 packages were removed, and 1,780 package updates were processed since the pkgsrc-2017Q1 release. *** OpenBSD changes of note 624 (http://www.tedunangst.com/flak/post/openbsd-changes-of-note-624) There are a bunch, but here are a few that jump out: Start plugging some leaks. Compile kernels with umask 007. Install them minus read permissions. Pure preprocessor implementation of the roff .ec and .eo requests, though you are warned that very bad things will happen to anybody trying to use these macros in OpenBSD manuals. Random linking for arm64. And octeon. And alpha. And hppa. There's some variation by platform, because every architecture has the kernel loaded with different flavors of initial physical and virtual mappings. And landisk. And loongson. And sgi. And macppc. And a gap file for sparc64, but nobody yet dares split locore. And arm7. Errata for perl File::Path race condition. Some fixes for potential link attacks against cron. Add pledge violations to acct reporting. Take random linking to the next stage. More about KARL - kernel address randomized link. As noted, a few difficulties with hibernate and such, but the plan is coming together. Add a new function reorder_kernel() that relinks and installs the new kernel in the background on system startup. Add support for the bootblocks to detect hibernate and boot the previous kernel. Remove the poorly described “stuff” from ksh. Replace usage of TIOCSTI in csh using a more common IO loop. Kind of like the stuff in ksh, but part of the default command line editing and parsing code, csh would read too many characters, then send the ones it didn't like back into the terminal. Which is weird, right? Also, more importantly, eliminating the code that uses TIOCSTI to inject characters into ttys means that maybe TIOCSTI can be removed. Revamp some of the authentication logging in ssh. Add a verbose flag to rm so you can panic immediately upon seeing it delete the wrong file instead of waiting to discover your mistake after the fact. Update libexpat to version 2.2.1 which has some security fixes. Never trust an expat, that's my motto. Update inteldrm to code based on Linux 4.4.70. This brings us support for Skylake and Cherryview and better support for Broadwell and Valleyview. Also adds MST support. Fun times for people with newish laptops. *** OPNsense 17.1.9 released (https://opnsense.org/opnsense-17-1-9-released/) firewall: move gateway switching from system to firewall advanced settings firewall: keep category selection when changing tabs firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple) interfaces: show VLAN description during edit firmware: opnsense-revert can now handle multiple packages at once firmware: opnsense-patch can now handle permission changes from patches dnsmasq: use canned –bogus-priv for noprivatereverse dnsmasq: separate log file, ACL and menu entries dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt) dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt) intrusion detection: suppress “fast mode available” boot warning in PCAP mode openvpn: plugin framework adaption unbound: add local-zone type transparent for PTR zone (contributed by Davide Gerhard) unbound: separate log file, ACL and menu entries wizard: remove HTML from description strings mvc: group relation to something other than uuid if needed mvc: rework “item in” for our Volt templates lang: Czech to 100% translated (contributed by Pavel Borecki) plugins: zabbix-agent 1.1 (contributed by Frank Wall) plugins: haproxy 1.16 (contributed by Frank Wall) plugins: acme-client 1.8 (contributed by Frank Wall) plugins: tinc fix for switch mode (contributed by Johan Grip) plugins: monit 1.3 (contributed by Frank Brendel) src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz) src: add Intel Atom Cherryview SOC HSUART support src: add the ID for the Huawei ME909S LTE modem src: HardenedBSD Stack Clash mitigations[1] ports: sqlite 3.19.3[2] ports: openvpn 2.4.3[3] ports: sudo 1.8.20p2[4] ports: dnsmasq 2.77[5] ports: openldap 2.4.45[6] ports: php 7.0.20[7] ports: suricata 3.2.2[8] ports: squid 3.5.26[9] ports: carootnss 3.31 ports: bind 9.11.1-P2[10] ports: unbound 1.6.3[11] ports: curl 7.54.1[12] *** Beastie Bits Thinkpad x230 - trying to get TrackPoint / Touchpad working in X (http://lists.dragonflybsd.org/pipermail/users/2017-July/313519.html) FreeBSD deprecates all r-cmds (rcp, rlogin, etc.) (http://marc.info/?l=freebsd-commits-all&m=149918307723723&w=2) Bashfill - art for your terminal (https://max.io/bash.html) Go 1.9 release notes: NetBSD support is broken, please help (https://github.com/golang/go/commit/32002079083e533e11209824bd9e3a797169d1c4) Jest, A ReST api for creating and managing FreeBSD jails written in Go (https://github.com/altsrc-io/Jest) *** Feedback/Questions John - zfs send/receive (http://dpaste.com/3ANETHW#wrap) Callum - laptops (http://dpaste.com/11TV0BJ) & An update (http://dpaste.com/3A14BQ6#wrap) Lars - Snapshot of VM datadisk (http://dpaste.com/0MM37NA#wrap) Daryl - Jail managers (http://dpaste.com/0CDQ9EK#wrap) ***

In which we interview a unicorn, FreeNAS 11.0 is out, show you how to run Nextcloud in a FreeBSD jail, and talk about the connection between oil changes and software patches. This episode was brought to you by Headlines FreeNAS 11.0 is Now Here (http://www.freenas.org/blog/freenas-11-0/) The FreeNAS blog informs us: After several FreeNAS Release Candidates, FreeNAS 11.0 was released today. This version brings new virtualization and object storage features to the World's Most Popular Open Source Storage Operating System. FreeNAS 11.0 adds bhyve virtual machines to its popular SAN/NAS, jails, and plugins, letting you use host web-scale VMs on your FreeNAS box. It also gives users S3-compatible object storage services, which turns your FreeNAS box into an S3-compatible server, letting you avoid reliance on the cloud. FreeNAS 11.0 also introduces the beta version of a new administration GUI. The new GUI is based on the popular Angular framework and the FreeNAS team expects the GUI to be themeable and feature complete by 11.1. The new GUI follows the same flow as the existing GUI, but looks better. For now, the FreeNAS team has released it in beta form to get input from the FreeNAS community. The new GUI, as well as the classic GUI, are selectable from the login screen. Also new in FreeNAS 11 is an Alert Service page which configures the system to send critical alerts from FreeNAS to other applications and services such as Slack, PagerDuty, AWS, Hipchat, InfluxDB, Mattermost, OpsGenie, and VictorOps. FreeNAS 11.0 has an improved Services menu that adds the ability to manage which services and applications are started at boot. The FreeNAS community is large and vibrant. We invite you to join us on the FreeNAS forum (https://forums.freenas.org/index.php) and the #freenas IRC channel on Freenode. To download FreeNAS and sign-up for the FreeNAS Newsletter, visit freenas.org/download (http://www.freenas.org/download/). Building an IPsec Gateway With OpenBSD (https://www.exoscale.ch/syslog/2017/06/26/building-an-ipsec-gateway-with-openbsd/) Pierre-Yves Ritschard wrote the following blog article: With private networks just released on Exoscale, there are now more options to implement secure access to Exoscale cloud infrastructure. While we still recommend the bastion approach, as detailed in this article (https://www.exoscale.ch/syslog/2016/01/15/secure-your-cloud-computing-architecture-with-a-bastion/), there are applications or systems which do not lend themselves well to working this way. In these cases, the next best thing is building IPsec gateways. IPsec is a protocol which works directly at layer 3. It uses its configuration to determine which network flows should be sent encrypted on the wire. Once IPsec is correctly configured, selected network flows are transparently encrypted and applications do not need to modify anything to benefit from secured traffic. In addition to encryption, IPSec also authenticates the end points, so you can be sure you are exchanging packets with a trusted host For the purposes of this article we will work under the following assumptions: We want a host to network setup, providing access to cloud-hosted infrastructure from a desktop environment. Only stock tooling should be used on desktop environment, no additional VPN client should be needed. In this case, to ensure no additional software is needed on the client, we will configure an L2TP/IPsec gateway. This article will use OpenBSD as the operating system to implement the gateway. While this choice may sound surprising, OpenBSD excels at building gateways of all sorts thanks to its simple configuration formats and inclusion of all necessary software and documentation to do so in the base system. The tutorial assumes you have setup a local network between the hosts in the cloud, and walks through the configuration of an OpenBSD host as a IPsec gateway On the OpenBSD host, all necessary software is already installed. We will configure the system, as well as pf, npppd, and ipsec + Configure L2TP + Configure IPsec + Configure NAT + Enabled services: ipsec isakmpd npppd The tutorial then walks through configuring a OS X client, but other desktops will be very similar *** Running Nextcloud in a jail on FreeBSD (https://ramsdenj.com/2017/06/05/nextcloud-in-a-jail-on-freebsd.html) I recently setup Nextcloud 12 inside a FreeBSD jail in order to allow me access to files i might need while at University. I figured this would be a optimal solution for files that I might need access to unexpectedly, on computers where I am not in complete control. My Nextcloud instance is externally accessible, and yet if someone were to get inside my Jail, I could rest easy knowing they still didn't have access to the rest of my host server. I chronicled the setup process including jail setup using iocage, https with Lets Encrypt, and full setup of the web stack. Nextcloud has a variety of features such as calendar synchronization, email, collaborative editing, and even video conferencing. I haven't had time to play with all these different offerings and have only utilized the file synchronization, but even if file sync is not needed, Nextcloud has many offerings that make it worth setting up. MariaDB, PHP 7.0, and Apache 2.4 To manage my jails I'm using iocage. In terms of jail managers it's a fairly new player in the game of jail management and is being very actively developed. It just had a full rewrite in Python, and while the code in the background might be different, the actual user interface has stayed the same. Iocage makes use of ZFS clones in order to create “base jails”, which allow for sharing of one set of system packages between multiple jails, reducing the amount of resources necessary. Alternatively, jails can be completely independent from each other; however, using a base jail makes it easier to update multiple jails as well. + pkg install iocage + sysrc iocageenable=YES + iocage fetch -r 11.0-RELEASE + iocage create tag="stratus" jailzfs=on vnet=off boot=on ip4_addr="sge0|172.20.0.100/32" -r 11.0-RELEASE + iocage start stratus + iocage console stratus I have chosen to provide storage to the Nextcloud Jail by mounting a dataset over NFS on my host box. This means my server can focus on serving Nextcloud and my storage box can focus on housing the data. The Nextcloud Jail is not even aware of this since the NFS Mount is simply mounted by the host server into the jail. The other benefit of this is the Nextcloud jail doesn't need to be able to see my storage server, nor the ability to mount the NFS share itself. Using a separate server for storage isn't necessary and if the storage for my Nextcloud server was being stored on the same server I would have created a ZFS dataset on the host and mounted it into the jail. Next I set up a dataset for the database and delegated it into the jail. Using a separate dataset allows me to specify certain properties that are better for a database, it also makes migration easier in case I ever need to move or backup the database. With most of the requirements in place it was time to start setting up Nextcloud. The requirements for Nextcloud include your basic web stack of a web server, database, and PHP. Also covers the setup of acme.sh for LetsEncrypt. This is now available as a package, and doesn't need to be manually fetched Install a few more packages, and do a bit of configuration, and you have a NextCloud server *** Historical: My first OpenBSD Hackathon (http://bad.network/historical-my-first-openbsd-hackathon.html) This is a blog post by our friend, and OpenBSD developer: Peter Hessler This is a story about encouragement. Every time I use the word "I", you should think "I as in me, not I as in the author". In 2003, I was invited to my first OpenBSD Hackathon. Way before I was into networking, I was porting software to my favourite OS. Specifically, I was porting games. On the first night most of the hackathon attendees end up at the bar for food and beer, and I'm sitting next to Theo de Raadt, the founder of OpenBSD. At some point during the evening, he's telling me about all of these "crazy" ideas he has about randomizing libraries, and protections that can be done in ld.so. (ld.so is the part of the OS that loads the libraries your program needs. It's, uh, kinda important.) Theo is encouraging me to help implement some of these ideas! At some point I tell Theo "I'm just a porter, I don't know C." Theo responds with "It isn't hard, I'll have Dale (Rahn) show you how ld.so works, and you can do it." I was hoping that all of this would be forgotten by the next day, but sure enough Dale comes by. "Hey, are you Peter? Theo wanted me to show you how ld.so works" Dale spends an hour or two showing me how it works, the code structure, and how to recover in case of failure. At first I had lots of failures. Then more failures. And even more failures. Once, I broke my machine so badly I had to reinstall it. I learned a lot about how an OS works during this. But, I eventually started doing changes without it breaking. And some even did what I wanted! By the end of the hackathon I had came up with a useful patch, that was committed as part of a larger change. I was a nobody. With some encouragement, enough liquid courage to override my imposter syndrome, and a few hours of mentoring, I'm now doing big projects. The next time you're sitting at a table with someone new to your field, ask yourself: how can you encourage them? You just might make the world better. Thank you Dale. And thank you Theo. Everyone has to start somewhere. One of the things that sets the BSDs apart from certain other open source operating systems, is the welcoming community, and the tradition of mentorship. Sure, someone else in the OpenBSD project could have done the bits that Peter did, likely a lot more quickly, but then OpenBSD wouldn't have gained a new committer. So, if you are interested in working on one of the BSDs, reach out, and we'll try to help you find a mentor. What part of the system do you want to work on? *** Interview - Dan McDonald - allcoms@gmail.com (mailto:allcoms@gmail.com) (danboid) News Roundup FreeBSD 11.1-RC1 Available (https://lists.freebsd.org/pipermail/freebsd-stable/2017-July/087340.html) 11.1-RC1 Installation images are available for: amd64, i386 powerpc, powerpc64 sparc64 armv6 BANANAPI, BEAGLEBONE, CUBIEBOARD, CUBIEBOARD2, CUBOX-HUMMINGBOARD, GUMSTIX, RPI-B, RPI2, PANDABOARD, WANDBOARD aarch64 (aka arm64), including the RPI3, Pine64, OverDrive 1000, and Cavium Server A summary of changes since BETA3 includes: Several build toolchain related fixes. A use-after-free in RPC client code has been corrected. The ntpd(8) leap-seconds file has been updated. Various VM subsystem fixes. The '_' character is now allowed in newfs(8) labels. A potential sleep while holding a mutex has been corrected in the sa(4) driver. A memory leak in an ioctl handler has been fixed in the ses(4) driver. Virtual Machine Disk Images are available for the amd64 and i386 architectures. Amazon EC2 AMI Images of FreeBSD/amd64 EC2 AMIs are available The freebsd-update(8) utility supports binary upgrades of amd64 and i386 systems running earlier FreeBSD releases. Systems running earlier FreeBSD releases can upgrade as follows: freebsd-update upgrade -r 11.1-RC1 During this process, freebsd-update(8) may ask the user to help by merging some configuration files or by confirming that the automatically performed merging was done correctly. freebsd-update install The system must be rebooted with the newly installed kernel before continuing. shutdown -r now After rebooting, freebsd-update needs to be run again to install the new userland components: freebsd-update install It is recommended to rebuild and install all applications if possible, especially if upgrading from an earlier FreeBSD release, for example, FreeBSD 10.x. Alternatively, the user can install misc/compat10x and other compatibility libraries, afterwards the system must be rebooted into the new userland: shutdown -r now Finally, after rebooting, freebsd-update needs to be run again to remove stale files: freebsd-update install Oil changes, safety recalls, and software patches (http://www.daemonology.net/blog/2017-06-14-oil-changes-safety-recalls-software-patches.html) Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done (I'm sure I could do it myself, but the time it would cost is worth more than the money it would save) and I drive little enough — about 2000 km/year — that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. From what I've seen, I don't think I'm alone in taking a somewhat lackadaisical approach to routine oil changes. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix — the cost is covered by the manufacturer. I started thinking about this distinction — and more specifically the difference in user behaviour — in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying — and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. Think about it: If the NHS couldn't access patient records due to WannaCry, it suggests WannaCry infiltrated systems used to access patient records — meaning that someone else exploiting the same vulnerabilities could have accessed those records. The SMB subsystem in Windows was not merely broken; until patches were applied, it was actively unsafe. I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls — unless you're certain that you're not affected, take care of them as a matter of urgency — but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems. There are a few factors which I think are major contributors to this problem. First, the number of updates: When critical patches occur frequently enough to become routine, alarm fatigue sets in and people cease to give the attention updates deserve, even if on a conscious level they still recognize the importance of applying updates. Colin also talks about his time as the FreeBSD Security Officer, and the problems in ensuring the patches are correct and do not break the system when installed He also points out the problem of systems like Windows Update, the combines optional updates, and things like its license checking tool, in the same interface that delivers important updates. Or my recent machines, that gets constant popups about how some security updates will not be delivered because my processor is too new. My bank sends me special offers in the mail but phones if my credit card usage trips fraud alarms; this is the sort of distinction in intrusiveness we should see for different types of software updates Finally, I think there is a problem with the mental model most people have of computer security. Movies portray attackers as geniuses who can break into any system in minutes; journalists routinely warn people that "nobody is safe"; and insurance companies offer insurance against "cyberattacks" in much the same way as they offer insurance against tornados. Faced with this wall of misinformation, it's not surprising that people get confused between 400 pound hackers sitting on beds and actual advanced persistent threats. Yes, if the NSA wants to break into your computer, they can probably do it — but most attackers are not the NSA, just like most burglars are not Ethan Hunt. You lock your front door, not because you think it will protect you from the most determined thieves, but because it's an easy step which dramatically reduces your risk from opportunistic attack; but users don't see applying security updates as the equivalent of locking their front door when they leave home. SKIP grep, use AWK (http://blog.jpalardy.com/posts/skip-grep-use-awk/) This is a tip from Jonathan Palardy in a series of blog posts about awk. It is especially helpful for people who write a lot of shell scripts or are using a lot of pipes with awk and grep. Over the years, I've seen many people use this pattern (filter-map): $ [data is generated] | grep something | awk '{print $2}' but it can be shortened to: $ [data is generated] | awk '/something/ {print $2}' AWK can take a regular expression (the part between the slashes) and matches that to the input. Anything that matches is being passed to the print $2 action (to print the second column). Why would I do this? I can think of 4 reasons: *it's shorter to type *it spawns one less process *awk uses modern (read “Perl”) regular expressions, by default – like grep -E *it's ready to “augment” with more awk How about matching the inverse (search for patterns that do NOT match)? But “grep -v” is OK… Many people have pointed out that “grep -v” can be done more concisely with: $ [data is generated] | awk '! /something/' See if you have such combinations of grep piped to awk and fix those in your shell scripts. It saves you one process and makes your scripts much more readable. Also, check out the other intro links on the blog if you are new to awk. *** vim Adventures (https://vim-adventures.com) This website, created by Doron Linder, will playfully teach you how to use vim. Hit any key to get started and follow the instructions on the playing field by moving the cursor around. There is also a menu in the bottom left corner to save your game. Try it out, increase your vim-fu, and learn how to use a powerful text editor more efficiently. *** Beastie Bits Slides from PkgSrcCon (http://pkgsrc.org/pkgsrcCon/2017/talks.html) OpenBSD's doas adds systemd compat shim (http://marc.info/?l=openbsd-tech&m=149902196520920&w=2) Deadlock Empire -- “Each challenge below is a computer program of two or more threads. You take the role of the Scheduler - and a cunning one! Your objective is to exploit flaws in the programs to make them crash or otherwise malfunction.” (https://deadlockempire.github.io/) EuroBSDcon 2017 Travel Grant Application Now Open (https://www.freebsdfoundation.org/blog/eurobsdcon-2017-travel-grant-application-now-open/) Registration for vBSDCon is open (http://www.vbsdcon.com/) - Registration is only $100 if you register before July 31. Discount hotel rooms arranged at the Hyatt for only $100/night while supplies last. BSD Taiwan call for papers opens, closes July 31st (https://bsdtw.org/)Windows Application Versand *** Feedback/Questions Joseph - Server Monitoring (http://dpaste.com/2AM6C2H#wrap) Paulo - Updating Jails (http://dpaste.com/1Z4FBE2#wrap) Kevin - openvpn server (http://dpaste.com/2MNM9GJ#wrap) Todd - several questions (http://dpaste.com/17BVBJ3#wrap) ***

This week on BSD Now, Adrian Chadd on bringing up 802.11ac in FreeBSD, a PFsense and OpenVPN tutorial, and we talk about an interesting ZFS storage pool checkpoint project. This episode was brought to you by Headlines Bringing up 802.11ac on FreeBSD (http://adrianchadd.blogspot.com/2017/04/bringing-up-80211ac-on-freebsd.html) Adrian Chadd has a new blog post about his work to bring 802.11ac support to FreeBSD 802.11ac allows for speeds up to 500mbps and total bandwidth into multiple gigabits The FreeBSD net80211 stack has reasonably good 802.11n support, but no 802.11ac support. I decided a while ago to start adding basic 802.11ac support. It was a good exercise in figuring out what the minimum set of required features are and another excuse to go find some of the broken corner cases in net80211 that needed addressing. 802.11ac introduces a few new concepts that the stack needs to understand. I decided to use the QCA 802.11ac parts because (a) I know the firmware and general chip stuff from the first generation 11ac parts well, and (b) I know that it does a bunch of stuff (like rate control, packet scheduling, etc) so I don't have to do it. If I chose, say, the Intel 11ac parts then I'd have to implement a lot more of the fiddly stuff to get good behaviour. Step one - adding VHT channels. I decided in the shorter term to cheat and just add VHT channels to the already very large ieee80211channel map. The linux way of there being a channel context rather than hundreds of static channels to choose from is better in the long run, but I wanted to get things up and running. So, that's what I did first - I added VHT flags for 20, 40, 80, 80+80 and 160MHz operating modes and I did the bare work required to populate the channel lists with VHT channels as well. Then I needed to glue it into an 11ac driver. My ath10k port was far enough along to attempt this, so I added enough glue to say "I support VHT" to the iccaps field and propagated it to the driver for monitor mode configuration. And yes, after a bit of dancing, I managed to get a VHT channel to show up in ath10k in monitor mode and could capture 80MHz wide packets. Success! By far the most fiddly was getting channel promotion to work. net80211 supports the concept of dumb NICs (like atheros 11abgn parts) very well, where you can have multiple virtual interfaces but the "driver" view of the right configuration is what's programmed into the hardware. For firmware NICs which do this themselves (like basically everything sold today) this isn't exactly all that helpful. So, for now, it's limited to a single VAP, and the VAP configuration is partially derived from the global state and partially derived from the negotiated state. It's annoying, but it is adding to the list of things I will have to fix later. the QCA chips/firmware do 802.11 crypto offload. They actually pretend that there's no key - you don't include the IV, you don't include padding, or anything. You send commands to set the crypto keys and then you send unencrypted 802.11 frames (or 802.3 frames if you want to do ethernet only.) This means that I had to teach net80211 a few things: + frames decrypted by the hardware needed to have a "I'm decrypted" bit set, because the 802.11 header field saying "I'm decrypted!" is cleared + frames encrypted don't have the "i'm encrypted" bit set + frames encrypted/decrypted have no padding, so I needed to teach the input path and crypto paths to not validate those if the hardware said "we offload it all." Now comes the hard bit of fixing the shortcomings before I can commit the driver. There are .. lots. The first one is the global state. The ath10k firmware allows what they call 'vdevs' (virtual devices) - for example, multiple SSID/BSSID support is implemented with multiple vdevs. STA+WDS is implemented with vdevs. STA+P2P is implemented with vdevs. So, technically speaking I should go and find all of the global state that should really be per-vdev and make it per-vdev. This is tricky though, because a lot of the state isn't kept per-VAP even though it should be. Anyway, so far so good. I need to do some of the above and land it in FreeBSD-HEAD so I can finish off the ath10k port and commit what I have to FreeBSD. There's a lot of stuff coming - including all of the wave-2 stuff (like multiuser MIMO / MU-MIMO) which I just plainly haven't talked about yet. Viva la FreeBSD wireless! pfSense and OpenVPN Routing (http://www.terrafoundry.net/blog/2017/04/12/pfsense-openvpn/) This article tries to be a simple guide on how to enable your home (or small office) https://www.pfsense.org/ (pfSense) setup to route some traffic via the vanilla Internet, and some via a VPN site that you've setup in a remote location. Reasons to Setup a VPN: Control Security Privacy Fun VPNs do not instantly guarantee privacy, they're a layer, as with any other measure you might invoke. In this example I used a server that's directly under my name. Sure, it was a country with strict privacy laws, but that doesn't mean that the outgoing IP address wouldn't be logged somewhere down the line. There's also no reason you have to use your own OpenVPN install, there are many, many personal providers out there, who can offer the same functionality, and a degree of anonymity. (If you and a hundred other people are all coming from one IP, it becomes extremely difficult to differentiate, some VPN providers even claim a ‘logless' setup.) VPNs can be slow. The reason I have a split-setup in this article, is because there are devices that I want to connect to the internet quickly, and that I'm never doing sensitive things on, like banking. I don't mind if my Reddit-browsing and IRC messages are a bit slower, but my Nintendo Switch and PS4 should have a nippy connection. Services like Netflix can and do block VPN traffic in some cases. This is more of an issue for wider VPN providers (I suspect, but have no proof, that they just blanket block known VPN IP addresses.) If your VPN is in another country, search results and tracking can be skewed. This is arguable a good thing, who wants to be tracked? But it can also lead to frustration if your DuckDuckGo results are tailored to the middle of Paris, rather than your flat in Birmingham. The tutorial walks through the basic setup: Labeling the interfaces, configuring DHCP, creating a VPN: Now that we have our OpenVPN connection set up, we'll double check that we've got our interfaces assigned With any luck (after we've assigned our OPENVPN connection correctly, you should now see your new Virtual Interface on the pfSense Dashboard We're charging full steam towards the sections that start to lose people. Don't be disheartened if you've had a few issues up to now, there is no “right” way to set up a VPN installation, and it may be that you have to tweak a few things and dive into a few man-pages before you're set up. NAT is tricky, and frankly it only exists because we stretched out IPv4 for much longer than we should have. That being said it's a necessary evil in this day and age, so let's set up our connection to work with it. We need NAT here because we're going to masque our machines on the LAN interface to show as coming from the OpenVPN client IP address, to the OpenVPN server. Head over to Firewall -> NAT -> Outbound. The first thing we need to do in this section, is to change the Outbound NAT Mode to something we can work with, in this case “Hybrid.” Configure the LAN interface to be NAT'd to the OpenVPN address, and the INSECURE interface to use your regular ISP connection Configure the firewall to allow traffic from the LAN network to reach the INSECURE network Then add a second rule allowing traffic from the LAN network to any address, and set the gateway the the OPENVPN connection And there you have it, traffic from the LAN is routed via the VPN, and traffic from the INSECURE network uses the naked internet connection *** Switching to OpenBSD (https://mndrix.blogspot.co.uk/2017/05/switching-to-openbsd.html) After 12 years, I switched from macOS to OpenBSD. It's clean, focused, stable, consistent and lets me get my work done without any hassle. When I first became interested in computers, I thought operating systems were fascinating. For years I would reinstall an operating system every other weekend just to try a different configuration: MS-DOS 3.3, Windows 3.0, Linux 1.0 (countless hours recompiling kernels). In high school, I settled down and ran OS/2 for 5 years until I graduated college. I switched to Linux after college and used it exclusively for 5 years. I got tired of configuring Linux, so I switched to OS X for the next 12 years, where things just worked. But Snow Leopard was 7 years ago. These days, OS X is like running a denial of service attack against myself. macOS has a dozen apps I don't use but can't remove. Updating them requires a restart. Frequent updates to the browser require a restart. A minor XCode update requires me to download a 4.3 GB file. My monitors frequently turn off and require a restart to fix. A system's availability is a function (http://techthoughts.typepad.com/managing_computers/2007/11/availability-mt.html) of mean time between failure and mean time to repair. For macOS, both numbers are heading in the wrong direction for me. I don't hold any hard feelings about it, but it's time for me to get off this OS and back to productive work. I found OpenBSD very refreshing, so I created a bootable thumb drive and within an hour had it up and running on a two-year old laptop. I've been using it for my daily work for the past two weeks and it's been great. Simple, boring and productive. Just the way I like it. The documentation is fantastic. I've been using Unix for years and have learned quite a bit just by reading their man pages. OS releases come like clockwork every 6 months and are supported for 12. Security and other updates seem relatively rare between releases (roughly one small patch per week during 6.0). With syspatch in 6.1, installing them should be really easy too. ZFS Storage Pool Checkpoint Project (https://sdimitro.github.io/post/zpool-checkpoint) During the OpenZFS summit last year (2016), Dan Kimmel and I quickly hacked together the zpool checkpoint command in ZFS, which allows reverting an entire pool to a previous state. Since it was just for a hackathon, our design was bare bones and our implementation far from complete. Around a month later, we had a new and almost complete design within Delphix and I was able to start the implementation on my own. I completed the implementation last month, and we're now running regression tests, so I decided to write this blog post explaining what a storage pool checkpoint is, why we need it within Delphix, and how to use it. The Delphix product is basically a VM running DelphixOS (a derivative of illumos) with our application stack on top of it. During an upgrade, the VM reboots into the new OS bits and then runs some scripts that update the environment (directories, snapshots, open connections, etc.) for the new version of our app stack. Software being software, failures can happen at different points during the upgrade process. When an upgrade script that makes changes to ZFS fails, we have a corresponding rollback script that attempts to bring ZFS and our app stack back to their previous state. This is very tricky as we need to undo every single modification applied to ZFS (including dataset creation and renaming, or enabling new zpool features). The idea of Storage Pool Checkpoint (aka zpool checkpoint) deals with exactly that. It can be thought of as a “pool-wide snapshot” (or a variation of extreme rewind that doesn't corrupt your data). It remembers the entire state of the pool at the point that it was taken and the user can revert back to it later or discard it. Its generic use case is an administrator that is about to perform a set of destructive actions to ZFS as part of a critical procedure. She takes a checkpoint of the pool before performing the actions, then rewinds back to it if one of them fails or puts the pool into an unexpected state. Otherwise, she discards it. With the assumption that no one else is making modifications to ZFS, she basically wraps all these actions into a “high-level transaction”. I definitely see value in this for the appliance use case Some usage examples follow, along with some caveats. One of the restrictions is that you cannot attach, detach, or remove a device while a checkpoint exists. However, the zpool add operation is still possible, however if you roll back to the checkpoint, the device will no longer be part of the pool. Rather than a shortcoming, this seems like a nice feature, a way to help users avoid the most common foot shooting (which I witnessed in person at Linux Fest), adding a new log or cache device, but missing a keyword and adding it is a storage vdev rather than a aux vdev. This operation could simply be undone if a checkpoint where taken before the device was added. *** News Roundup Review of TrueOS (https://distrowatch.com/weekly.php?issue=20170501#trueos) TrueOS, which was formerly named PC-BSD, is a FreeBSD-based operating system. TrueOS is a rolling release platform which is based on FreeBSD's "CURRENT" branch, providing TrueOS with the latest drivers and features from FreeBSD. Apart from the name change, TrueOS has deviated from the old PC-BSD project in a number of ways. The system installer is now more streamlined (and I will touch on that later) and TrueOS is a rolling release platform while PC-BSD defaulted to point releases. Another change is PC-BSD used to allow the user to customize which software was installed at boot time, including the desktop environment. The TrueOS project now selects a minimal amount of software for the user and defaults to using the Lumina desktop environment. From the conclusions: What I took away from my time with TrueOS is that the project is different in a lot of ways from PC-BSD. Much more than just the name has changed. The system is now more focused on cutting edge software and features in FreeBSD's development branch. The install process has been streamlined and the user begins with a set of default software rather than selecting desired packages during the initial setup. The configuration tools, particularly the Control Panel and AppCafe, have changed a lot in the past year. The designs have a more flat, minimal look. It used to be that PC-BSD did not have a default desktop exactly, but there tended to be a focus on KDE. With TrueOS the project's in-house desktop, Lumina, serves as the default environment and I think it holds up fairly well. In all, I think TrueOS offers a convenient way to experiment with new FreeBSD technologies and ZFS. I also think people who want to run FreeBSD on a desktop computer may want to look at TrueOS as it sets up a graphical environment automatically. However, people who want a stable desktop platform with lots of applications available out of the box may not find what they want with this project. A simple guide to install Ubuntu on FreeBSD with byhve (https://www.davd.eu/install-ubuntu-on-freebsd-with-bhyve/) David Prandzioch writes in his blog: For some reasons I needed a Linux installation on my NAS. bhyve is a lightweight virtualization solution for FreeBSD that makes that easy and efficient. However, the CLI of bhyve is somewhat bulky and bare making it hard to use, especially for the first time. This is what vm-bhyve solves - it provides a simple CLI for working with virtual machines. More details follow about what steps are needed to setup vm_bhyve on FreeBSD Also check out his other tutorials on his blog: https://www.davd.eu/freebsd/ (https://www.davd.eu/freebsd/) *** Graphical Overview of the Architecture of FreeBSD (https://dspinellis.github.io/unix-architecture/arch.pdf) This diagram tries to show the different components that make up the FreeBSD Operating Systems It breaks down the various utilities, libraries, and components into some categories and sub-categories: User Commands: Development (cc, ld, nm, as, etc) File Management (ls, cp, cmp, mkdir) Multiuser Commands (login, chown, su, who) Number Processing (bc, dc, units, expr) Text Processing (cut, grep, sort, uniq, wc) User Messaging (mail, mesg, write, talk) Little Languages (sed, awk, m4) Network Clients (ftp, scp, fetch) Document Preparation (*roff, eqn, tbl, refer) Administrator and System Commands Filesystem Management (fsck, newfs, gpart, mount, umount) Networking (ifconfig, route, arp) User Management (adduser, pw, vipw, sa, quota*) Statistics (iostat, vmstat, pstat, gstat, top) Network Servers (sshd, ftpd, ntpd, routed, rpc.*) Scheduling (cron, periodic, rc.*, atrun) Libraries (C Standard, Operating System, Peripheral Access, System File Access, Data Handling, Security, Internationalization, Threads) System Call Interface (File I/O, Mountable Filesystems, File ACLs, File Permissions, Processes, Process Tracing, IPC, Memory Mapping, Shared Memory, Kernel Events, Memory Locking, Capsicum, Auditing, Jails) Bootstrapping (Loaders, Configuration, Kernel Modules) Kernel Utility Functions Privilege Management (acl, mac, priv) Multitasking (kproc, kthread, taskqueue, swi, ithread) Memory Management (vmem, uma, pbuf, sbuf, mbuf, mbchain, malloc/free) Generic (nvlist, osd, socket, mbuf_tags, bitset) Virtualization (cpuset, crypto, device, devclass, driver) Synchronization (lock, sx, sema, mutex, condvar_, atomic_*, signal) Operations (sysctl, dtrace, watchdog, stack, alq, ktr, panic) I/O Subsystem Special Devices (line discipline, tty, raw character, raw disk) Filesystems (UFS, FFS, NFS, CD9660, Ext2, UDF, ZFS, devfs, procfs) Sockets Network Protocols (TCP, UDP, UCMP, IPSec, IP4, IP6) Netgraph (50+ modules) Drivers and Abstractions Character Devices CAM (ATA, SATA, SAS, SPI) Network Interface Drivers (802.11, ifae, 100+, ifxl, NDIS) GEOM Storage (stripe, mirror, raid3, raid5, concat) Encryption / Compression (eli, bde, shsec, uzip) Filesystem (label, journal, cache, mbr, bsd) Virtualization (md, nop, gate, virtstor) Process Control Subsystems Scheduler Memory Management Inter-process Communication Debugging Support *** Official OpenBSD 6.1 CD - There's only One! (http://undeadly.org/cgi?action=article&sid=20170503203426&mode=expanded) Ebay auction Link (http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452) Now it turns out that in fact, exactly one CD set was made, and it can be yours if you are the successful bidder in the auction that ends on May 13, 2017 (About 3 days from when this episode was recorded). The CD set is hand made and signed by Theo de Raadt. Fun Fact: The winning bidder will have an OpenBSD CD set that even Theo doesn't have. *** Beastie Bits Hardware Wanted by OpenBSD developers (https://www.openbsd.org/want.html) Donate hardware to FreeBSD developers (https://www.freebsd.org/donations/index.html#components) Announcing NetBSD and the Google Summer of Code Projects 2017 (https://blog.netbsd.org/tnf/entry/announcing_netbsd_and_the_google) Announcing FreeBSD GSoC 2017 Projects (https://wiki.freebsd.org/SummerOfCode2017Projects) LibreSSL 2.5.4 Released (https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4-relnotes.txt) CharmBUG Meeting - Tor Browser Bundle Hack-a-thon (https://www.meetup.com/CharmBUG/events/238218840/) pkgsrcCon 2017 CFT (https://mail-index.netbsd.org/netbsd-advocacy/2017/05/01/msg000735.html) Experimental Price Cuts (https://blather.michaelwlucas.com/archives/2931) Linux Fest North West 2017: Three Generations of FreeNAS: The World's most popular storage OS turns 12 (https://www.youtube.com/watch?v=x6VznQz3VEY) *** Feedback/Questions Don - Reproducible builds & gcc/clang (http://dpaste.com/2AXX75X#wrap) architect - C development on BSD (http://dpaste.com/0FJ854X#wrap) David - Linux ABI (http://dpaste.com/2CCK2WF#wrap) Tom - ZFS (http://dpaste.com/2Z25FKJ#wrap) RAIDZ Stripe Width Myth, Busted (https://www.delphix.com/blog/delphix-engineering/zfs-raidz-stripe-width-or-how-i-learned-stop-worrying-and-love-raidz) Ivan - Jails (http://dpaste.com/1Z173WA#wrap) ***

This week on the show, we've got some great stories to bring you, a look at the odder side of UNIX history This episode was brought to you by Headlines syspatch in testing state (http://marc.info/?l=openbsd-tech&m=148058309126053&w=2) Antoine Jacoutot ajacoutot@ openbsd has posted a call for testing for OpenBSD's new syspatch tool “syspatch(8), a "binary" patch system for -release is now ready for early testing. This does not use binary diffing to update the system, but regular signed tarballs containing the updated files (ala installer).” “I would appreciate feedback on the tool. But please send it directly to me, there's no need to pollute the list. This is obviously WIP and the tool may or may not change in drastic ways.” “These test binary patches are not endorsed by the OpenBSD project and should not be trusted, I am only providing them to get early feedback on the tool. If all goes as planned, I am hoping that syspatch will make it into the 6.1 release; but for it to happen, I need to know how it breaks your systems :-)” Instructions (http://syspatch.openbsd.org/pub/OpenBSD/6.0/syspatch/amd64/README.txt) If you test it, report back and let us know how it went *** Weston working (https://lists.freebsd.org/pipermail/freebsd-current/2016-December/064198.html) Over the past few years we've had some user-interest in the state of Wayland / Weston on FreeBSD. In the past day or so, Johannes Lundberg has sent in a progress report to the FreeBSD mailing lists. Without further ADO: We had some progress with Wayland that we'd like to share. Wayland (v1.12.0) Working Weston (v1.12.0) Working (Porting WIP) Weston-clients (installed with wayland/weston port) Working XWayland (run X11 apps in Wayland compositor) Works (maximized window only) if started manually but not when launching X11 app from Weston. Most likely problem with Weston IPC. Sway (i3-compatible Wayland compositor) Working SDL20 (Wayland backend) games/stonesoup-sdl briefly tested. https://twitter.com/johalun/status/811334203358867456 GDM (with Wayland) Halted - depends on logind. GTK3 gtk3-demo runs fine on Weston (might have to set GDK_BACKEND=wayland first. GTK3 apps working (gedit, gnumeric, xfce4-terminal tested, xfce desktop (4.12) does not yet support GTK3)“ Johannes goes on to give instructions on how / where you can fetch their WiP and do your own testing. At the moment you'll need Matt Macy's newer Intel video work, as well as their ports tree which includes all the necessary software bits. Before anybody asks, yes we are watching this for TrueOS! *** Where the rubber meets the road (part two) (https://functionallyparanoid.com/2016/12/15/where-the-rubber-meets-the-road-part-two/) Continuing with our story from Brian Everly from a week ago, we have an update today on the process to dual-boot OpenBSD with Arch Linux. As we last left off, Arch was up and running on the laptop, but some quirks in the hardware meant OpenBSD would take a bit longer. With those issues resolved and the HD seen again, the next issue that reared its head was OpenBSD not seeing the partition tables on the disk. After much frustration, it was time to nuke and pave, starting with OpenBSD first this time. After a successful GPT partitioning and install of OpenBSD, he went back to installing Arch, and then the story got more interesting. “I installed Arch as I detailed in my last post; however, when I fired up gdisk I got a weird error message: “Warning! Disk size is smaller than the main header indicates! Loading secondary header from the last sector of the disk! You should use ‘v' to verify disk integrity, and perhaps options on the expert's menu to repair the disk.” Immediately after this, I saw a second warning: “Caution: Invalid backup GPT header, but valid main header; regenerating backup header from main header.” And, not to be outdone, there was a third: “Warning! Main and backup partition tables differ! Use the ‘c' and ‘e' options on the recovery & transformation menu to examine the two tables.” Finally (not kidding), there was a fourth: “Warning! One or more CRCs don't match. You should repair the disk!” Given all of that, I thought to myself, “This is probably why I couldn't see the disk properly when I partitioned it under Linux on the OpenBSD side. I'll let it repair things and I should be good to go.” I then followed the recommendation and repaired things, using the primary GPT table to recreate the backup one. I then installed Arch and figured I was good to go.“ After confirming through several additional re-installs that the behavior was reproducible, he then decided to go full on crazy,and partition with MBR. That in and of itself was a challenge, since as he mentions, not many people dual-boot OpenBSD with Linux on MBR, especially using luks and lvm! If you want to see the details on how that was done, check it out. The story ends in success though! And better yet: “Now that I have everything working, I'll restore my config and data to Arch, configure OpenBSD the way I like it and get moving. I'll take some time and drop a note on the tech@ mailing list for OpenBSD to see if they can figure out what the GPT problem was I was running into. Hopefully it will make that part of the code stronger to get an edge-case bug report like this.” Take note here, if you run into issues like this with any OS, be sure to document in detail what happened so developers can explore solutions to the issue. *** FreeBSD and ZFS as a time capsule for OS X (https://blog.feld.me/posts/2016/12/using-freebsd-as-a-time-capsule-for-osx/) Do you have any Apple users in your life? Perhaps you run FreeBSD for ZFS somewhere else in the house or office. Well today we have a blog post from Mark Felder which shows how you can use FreeBSD as a time-capsule for your OSX systems. The setup is quite simple, to get started you'll need packages for netatalk3 and avahi-app for service discovery. Next up will be your AFP configuration. He helpfully provides a nice example that you should be able to just cut-n-paste. Be sure to check the hosts allow lines and adjust to fit your network. Also of note will be the backup location and valid users to adjust. A little easier should be the avahi setup, which can be a straight copy-n-paste from the site, which will perform the service advertisements. The final piece is just enabling specific services in /etc/rc.conf and either starting them by hand, or rebooting. At this point your OSX systems should be able to discover the new time-capsule provider on the network and DTRT. *** News Roundup netbenches - FreeBSD network forwarding performance benchmark results (https://github.com/ocochard/netbenches) Olivier Cochard-Labbé, original creator of FreeNAS, and leader of the BSD Router Project, has a github repo of network benchmarks There are many interesting results, and all of the scripts, documentation, and configuration files to run the tests yourself IPSec Performance on an Atom C2558, 12-head vs IPSec Performance Branch (https://github.com/ocochard/netbenches/tree/master/Atom_C2558_4Cores-Intel_i350/ipsec/results/fbsd12.projects-ipsec.equilibrium) Compared to: Xeon L5630 2.13GHz (https://github.com/ocochard/netbenches/tree/2f3bb1b3c51e454736f1fcc650c3328071834f8d/Xeon_L5630-4Cores-Intel_82599EB/ipsec/results/fbsd11.0) and IPSec with Authentication (https://github.com/ocochard/netbenches/tree/305235114ba8a3748ad9681c629333f87f82613a/Atom_C2558_4Cores-Intel_i350/ipsec.ah/results/fbsd12.projects-ipsec.equilibrium) I look forward to seeing tests on even more hardware, as people with access to different configurations try out these benchmarks *** A tcpdump Tutorial and Primer with Examples (https://danielmiessler.com/study/tcpdump/) Most users will be familiar with the basics of using tcpdump, but this tutorial/primer is likely to fill in a lot of blanks, and advance many users understanding of tcpdump “tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.” tcpdump is an important tool for any system or network administrator, it is not just for security. It is often the best way to figure out why the network is not behaving as expected. “In a discipline so dependent on a true understanding of concepts vs. rote learning, it's important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.” Not just that, but TCP/IP is a very interesting protocol, considering how little it has changed in its 40+ year history “First off, I like to add a few options to the tcpdump command itself, depending on what I'm looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet.” “It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything.” The page has a nice table of the most useful options It also has a great primer on doing basic filtering If you are relatively new to using tcpdump, I highly recommend you spend a few minutes reading through this article *** How Unix made it to the top (http://minnie.tuhs.org/pipermail/tuhs/2016-December/007519.html) Doug McIlroy gives us a nice background post on how “Unix made it to the top” It's fairly short / concise, so I felt it would be good to read in its entirety. “It has often been told how the Bell Labs law department became the first non-research department to use Unix, displacing a newly acquired stand-alone word-processing system that fell short of the department's hopes because it couldn't number the lines on patent applications, as USPTO required. When Joe Ossanna heard of this, he told them about roff and promised to give it line-numbering capability the next day. They tried it and were hooked. Patent secretaries became remote members of the fellowship of the Unix lab. In due time the law department got its own machine. Less well known is how Unix made it into the head office of AT&T. It seems that the CEO, Charlie Brown, did not like to be seen wearing glasses when he read speeches. Somehow his PR assistant learned of the CAT phototypesetter in the Unix lab and asked whether it might be possible to use it to produce scripts in large type. Of course it was. As connections to the top never hurt, the CEO's office was welcomed as another ouside user. The cost--occasionally having to develop film for the final copy of a speech--was not onerous. Having teethed on speeches, the head office realized that Unix could also be useful for things that didn't need phototypesetting. Other documents began to accumulate in their directory. By the time we became aware of it, the hoard came to include minutes of AT&T board meetings. It didn't seem like a very good idea for us to be keeping records from the inner sanctum of the corporation on a computer where most everybody had super-user privileges. A call to the PR guy convinced him of the wisdom of keeping such things on their own premises. And so the CEO's office bought a Unix system. Just as one hears of cars chosen for their cupholders, so were theseusers converted to Unix for trivial reasons: line numbers and vanity.“ Odd Comments and Strange Doings in Unix (http://orkinos.cmpe.boun.edu.tr/~kosar/odd.html) Everybody loves easter-eggs, and today we have some fun odd ones from the history throughout UNIX told by Dennis Ritchie. First up, was a fun one where the “mv” command could sometimes print the following “values of b may give rise to dom!” “Like most of the messages recorded in these compilations, this one was produced in some situation that we considered unlikely or as result of abuse; the details don't matter. I'm recording why the phrase was selected. The very first use of Unix in the "real business" of Bell Labs was to type and produce patent applications, and for a while in the early 1970s we had three typists busily typing away in the grotty lab on the sixth floor. One day someone came in and observed on the paper sticking out of one of the Teletypes, displayed in magnificent isolation, this ominous phrase: values of b may give rise to dom! It was of course obvious that the typist had interrupted a printout (generating the "!" from the ed editor) and moved up the paper, and that the context must have been something like "varying values of beta may give rise to domain wall movement" or some other fragment of a physically plausible patent application.But the phrase itself was just so striking! Utterly meaningless, but it looks like what... a warning? What is "dom?" At the same time, we were experimenting with text-to-voice software by Doug McIlroy and others, and of course the phrase was tried out with it. For whatever reason, its rendition of "give rise to dom!" accented the last word in a way that emphasized the phonetic similarity between "doom" and the first syllable of "dominance." It pronounced "beta" in the British style, "beeta." The entire occurrence became a small, shared treasure.The phrase had to be recorded somewhere, and it was, in the v6 source. Most likely it was Bob Morris who did the deed, but it could just as easily have been Ken. I hope that your browser reproduces the b as a Greek beta.“ Next up is one you might have heard before: /* You are not expected to understand this */> Every now and then on Usenet or elsewhere I run across a reference to a certain comment in the source code of the Sixth Edition Unix operating system. I've even been given two sweatshirts that quote it. Most probably just heard about it, but those who saw it in the flesh either had Sixth Edition Unix (ca. 1975) or read the annotated version of this system by John Lions (which was republished in 1996: ISBN 1-57298-013-7, Peer-to-Peer Communications).It's often quoted as a slur on the quantity or quality of the comments in the Bell Labs research releases of Unix. Not an unfair observation in general, I fear, but in this case unjustified. So we tried to explain what was going on. "You are not expected to understand this" was intended as a remark in the spirit of "This won't be on the exam," rather than as an impudent challenge. There's a few other interesting stories as well, if the odd/fun side of UNIX history at all interests you, I would recommend checking it out. Beastie Bits With patches in review the #FreeBSD base system builds 100% reproducibly (https://twitter.com/ed_maste/status/811289279611682816) BSDCan 2017 Call for Participation (https://www.freebsdfoundation.org/news-and-events/call-for-papers/bsdcan-2017/) ioCell 2.0 released (https://github.com/bartekrutkowski/iocell/releases) who even calls link_ntoa? (http://www.tedunangst.com/flak/post/who-even-calls-link-ntoa) Booting Androidx86 under bhyve (https://twitter.com/pr1ntf/status/809528845673996288) Feedback/Questions Chris - VNET (http://pastebin.com/016BfvU9) Brian - Package Base (http://pastebin.com/8JJeHuRT) Wim - TrueOS Desktop All-n-one (http://pastebin.com/VC0DPQUF) Daniel - Long Boots (http://pastebin.com/q7pFu7pR) Bryan - ZFS / FreeNAS (http://pastebin.com/xgUnbzr7) Bryan - FreeNAS Security (http://pastebin.com/qqCvVTLB) ***

The wait is over, 11.0 of FreeBSD has (officially) launched. We'll have coverage of this, plus a couple looks back at UNIX history, and a crowd-favorite guest today. This episode was brought to you by Headlines FreeBSD 11.0-RELEASE Now Available (https://lists.freebsd.org/pipermail/freebsd-announce/2016-October/001760.html) FreeBSD 11.0-RELEASE is now officially out. A last minute reroll to pickup OpenSSL updates and a number of other security fixes meant the release was a little behind schedule, and shipped as 11.0-RELEASE-p1, but the release is better for it Improved support for 802.11n and various wifi drivers Support for the AArch64 (arm64) architecture has been added. Native graphics support has been added to the bhyve(8) hypervisor. A new flag, “onifconsole” has been added to /etc/ttys. This allows the system to provide a login prompt via serial console if the device is an active kernel console, otherwise it is equivalent to off. The xz(1) utility has been updated to support multi-threaded compression. A number of kernel panics related to VNET have been fixed The IMAGACT_BINMISC kernel configuration option has been enabled by default, which enables application execution through emulators, such as QEMU via binmiscctl(8). The GENERIC kernel configuration has been updated to include the IPSEC option by default. The kern.osrelease and kern.osreldate are now configurable jail(8) parameters A new sysctl(8), kern.racct.enable, has been added, which when set to a non-zero value allows using rctl(8) with the GENERIC kernel. A new kernel configuration option, RACCT_DISABLED has also been added. The minimum (arcmin) and maximum (arcmax) values for the ZFS adaptive replacement cache can be modified at runtime. Changes to watch out for: OpenSSH DSA key generation has been disabled by default. It is important to update OpenSSH keys prior to upgrading. Additionally, Protocol 1 support has been removed. By default, the ifconfig(8) utility will set the default regulatory domain to FCC on wireless interfaces. As a result, newly created wireless interfaces with default settings will have less chance to violate country-specific regulations. An issue was discovered with Amazon® EC2™ images which would cause the virtual machine to hang during boot when upgrading from previous FreeBSD versions. New EC2™ installations are not affected, but existing installations running earlier releases are advised to wait until the issue is resolved in an Errata Notice before upgrading. An Errata Notice to address this is planned following the release. *** process listing consistency (http://www.tedunangst.com/flak/post/process-listing-consistency) Ted Unangst asks: how consistent is the output of ps(1)? If processes are starting and exiting constantly, and you run ps(1), is the output guaranteed to reflect that exact moment in time, or might it include some processes that have gone away before ps(1) exited, and include some processes that did not exist when ps(1) was started? Ted provides a little example chicken/egg program to try to create such an inconsistency, so you can test out your OS On OpenBSD ps(1) was switched away from the reading kernel memory directly, and instead uses the KERNPROCALL sysctl Thus sysctl can iterate over the entire process list, copying out information to ps(1), without blocking. If we prevent processes from forking or exiting during this time, we get a consistent snapshot. The snapshot may be stale, but it will never show us a viewpoint that never happened. So, OpenBSD will always be consistent, or will it? Is there a way to trick ps on OpenBSD? Not everything is consistent. There's a separate sysctl, KERNPROCARGV, that reads the command line arguments for a process, but it only works on one process at a time. Processes can modify their own argv at any time. A second test program changes the process title of both the chicken and the egg, and if you run ps(1), you can get back a result that never actually happened. The argv of the first program is read by ps(1), and in the meantime, it changes to a different value. The second program also changes its value, so now when ps(1) reads it, it sees the new value, not the original value from when ps(1) was started. So the output is not that consistent, but is it worth the effort to try to make it so? DragonFlyBSD - if_iwm - Add basic powermanagement support via ifconfig wlan0 powersave (http://lists.dragonflybsd.org/pipermail/commits/2016-October/624673.html) WiFi can often be one of the biggest drains on your laptop battery, so anything we can do to improve the situation should be embraced. Imre Vadász over at the DragonFly project has done that, porting over a new set of power management support from Linux to the if_iwm driver. if_iwm - Add basic powermanagement support via ifconfig wlan0 powersave. The DEVICEPOWERFLAGSCAMMSK flag was removed in the upstream iwlwifi in Linux commit ceef91c89480dd18bb3ac51e91280a233d0ca41f. Add scpsdisabled flag to struct iwmsoftc, which corresponds to mvm->psdisabled in struct iwl_mvm in Linux iwlwifi. Adds a hw.iwm.powerscheme tunable which corresponds to the powerscheme module parameter in Linux iwlwifi. Set this to 1 for completely disabling power management, 2 (default) for balanced powermanagement, and 3 for lowerpower mode (which does dtim period skipping). Imports the constants.h file from iwlwifi as ifiwmconstants.h. This doesn't allow changing the powermanagement setting while connected, also one can only choose between enabled and disabled powersaving with ifconfig (so switching between balanced and low-power mode requires rebooting to change the tunable). After any changes to powermanagement (i.e. "ifconfig wlan0 powersave" to enable powermanagement, or "ifconfig wlan0 -powersave" for disabling powermanagement), one has to disconnect and reconnect to the accespoint for the change to take effect.“ Good stuff! These positive changes need to happen more often and sooner, so we can all eek out every drop of power from our respective laptops. *** Helping out an Internet Friend…Dual boot OpenBSD (https://functionallyparanoid.com/2016/10/03/helping-out-an-internet-friend/) Dual-booting OpenBSD and Linux, via UEFI. A year ago we wouldn't be discussing this, but today we have an article where somebody has done exactly that. This Journey was undertaken by Brian Everly (Indiana Bug), partly due to a friend who wanted to dual-boot his laptop which already has an existing UEFI install on it. As a proof of concept, he began by replicating the setup in VMware with UEFI He started by throwing Ubuntu into the VM, with some special attention paid to partitioning to ensure enough room left-over for OpenBSD later. I created a 64MB EFI partition at the front of the disk. Next, I created a 20GB primary partition at the beginning of the space, mounted as the root (/) filesystem. I then added a 4096MB swap partition for Ubuntu. Finally, I used the rest of the free space to create a Reserved BIOS Boot Area FAT32 partition that was not associated with a mount point – this is where I will be installing OpenBSD. With that done, he wrapped up the Ubuntu installation and then turned over to to the OpenBSD side. Some manual partitioning was required to install to the “Reserved FAT32” partition. I mashed through the defaults in the OpenBSD installer until I got to the disk partitioning. Since I told VMWare to make my hard drive an IDE one, I knew I was playing around with wd0 and not sd0 (my USB key). I dumped into fdisk by selecting to (E)dit the partition scheme and saw my setup from Linux. First was the EFI partition (I am guessing I'll have to copy my bootx64.efi file to that at some point), second was the Linux etx4 partition, third was my Linux swap partition and fourth was a weird looking one that is the “Reserved BIOS Boot” partition. That's the one I'll fiddle with. Issuing the command “edit 3” allowed me to fiddle with that partition #3 (remember, we start counting at zero). I set it's type to “A6” (OpenBSD) and then took the defaults with the exception of naming it “OpenBSD”. A quick “write” followed by a “quit” allowed me to update my new partition and get back to the installer. Once the installation was wrapped up (OpenBSD helpfully already created the /boot/EFI partition with the correct EFI loader installed) he was able to reboot and select between the two systems at the UEFI bios screen. For kicks, he lastly went into Ubuntu and grabbed refind. Installing refind provided a fancy graphical selector between the two systems without too much trouble. Next step will be to replicate this process on his friend's laptop. Wishing you luck with that journey! Interview - Bryan Cantrill - email@email (mailto:email@email) / @twitter (https://twitter.com/user) CTO of Joyent *** News Roundup After 22 Years, 386BSD Gets An Update (https://bsd.slashdot.org/story/16/10/09/0230203/after-22-years-386bsd-gets-an-update) Slashdot brings us an interesting mention this week, specifically that after 22 years, we now have an update to 386BSD. 386BSD was last released back in 1994 with a series of articles in Dr. Dobb's Journal -- but then developers for this BSD-based operating system started migrating to both FreeBSD and NetBSD. An anonymous Slashdot reader writes: The last known public release was version 0.1. Until Wednesday, when Lynne Jolitz, one of the co-authors of 386BSD, released the source code to version 1.0 as well as 2.0 on Github. 386BSD takes us back to the days when you could count every file in your Unix distribution and more importantly, read and understand all of your OS source code. 386BSD is also the missing link between BSD and Linux. One can find fragments of Linus Torvalds's math emulation code in the source code of 386BSD. To quote Linus: "If 386BSD had been available when I started on Linux, Linux would probably never had happened.” Though it was designed for Intel 80386 microprocessors, there's already instructions for launching it on the hosted hardware virtualization service Qemu. There you have it! Go grab the new hotness that is 386BSD and run it in 2016! Or perhaps you want FreeBSD 11, but to each their own. *** Progress of the OpenBSD Limited Edition Signed CD set (http://undeadly.org/cgi?action=article&sid=20160929230557&mode=expanded) An update from a story last week! We mentioned the “very” limited edition OpenBSD 6.0 signed CD sets that had gone up for Auction on Ebay. (With proceeds to support for Foundation) As of today, here's where we stand: CD set #1 (Sep 29th + 5 days) sold for $4200 (http://www.ebay.com/itm/-/331985953783) CD set #2 (Oct 4th + 3 days) sold for $3000 (http://www.ebay.com/itm/-/331990536246) CD set #3 (Oct 8th + 3 days) sold for $817 (http://www.ebay.com/itm/-/331994217419) CD set #4 (Oct 11th + 3 days) is currently up for bidding (http://www.ebay.com/itm/-/331997031152) There you have it! The 4th set is almost wrapped up bidding, and the 5th and last set is not far behind. Be sure to grab your piece of BSD history before its gone! PROTOTYPE FreeBSD Jail/ZFS based implementation of the Application Container Specification (https://github.com/3ofcoins/jetpack) “Jetpack is an experimental and incomplete implementation of the App Container Specification for FreeBSD. It uses jails as isolation mechanism, and ZFS for layered storage.” “This document uses some language used in Rocket, the reference implementation of the App Container Specification. While the documentation will be expanded in the future, currently you need to be familiar at least with Rocket's README to understand everything.” + A standard with multiple implementations, that allow substitution of components, such as FreeBSD Jails instead of docker/lxc etc, and ZFS instead of overlayfs etc, is very exciting Microsoft's Forgotten Unix-based Operating System (https://fossbytes.com/xenix-history-microsoft-unix-operating-system/) Do you remember the good old days. You know, when Microsoft was the driving force behind UNIX? Wait, what did you say you may be thinking? It's true, and lets sit back and let FossBytes tell us a tale of what once was reality. The story begins sometime in the late 70's: Turning back the pages to the late 1970's, Microsoft entered into an agreement with AT&T Corporation to license Unix from AT&T. While the company didn't sell the OS to public, it licensed it to other OEM vendors like Intel, SCO, and Tandy. As Microsoft had to face legal trouble due to “Unix” name, the company renamed it and came up with its own Unix distribution. So, AT&T licensed Unix to Redmond that was passed on to other OEMs as Xenix. It's interesting to recall a time when Microsoft enabled people to run Unix — an operating system originally designed for large and multiuser systems — on a microcomputer. Even though it came first, Unix was probably more powerful than MS-DOS. So whatever happened to this microsoft-flavored UNIX you may ask? Sadly it was ditched for DOS due to $REASONS: In early 1980's, IBM was looking for an OS to power its PC. As IBM didn't want to maintain any ties with the recently split AT&T, Xenix was automatically rejected. To fulfill, the tech giant's demand, Microsoft bought 86-DOS from Seattle Computer Products and managed to convince IBM to use it in their systems. Slowly, Microsoft started losing interest in Xenix and traded the full rights of Xenix with SCO, a Xenix partner company. The company filed bankruptcy in 2007 before taking the Xenix legacy to the 21st century in the form of Open Server, previously known as SCO Unix and SCO Open Desktop. An interesting chapter in UNIX history to be sure, and funny enough may come full-circle someday with Microsoft beginning to show interest in UNIX and BSD once again. *** Beastie Bits Ohio LinuxFest 2016 wrap-up (http://blather.michaelwlucas.com/archives/2791) Learn X in Y minutes Where X=zfs (https://learnxinyminutes.com/docs/zfs/) Add touchscreen support for the official 7" RPi touch display (https://svnweb.freebsd.org/base?view=revision&revision=306430) 64-bit U-Boot on Raspberry Pi 3 (https://kernelnomicon.org/?p=682) SNIA SDC 2016 Recap: Michael Dexter (https://www.ixsystems.com/blog/snia-sdc-2016-recap-michael-dexter/) OpenZFS: Stronger than ever (https://www.ixsystems.com/blog/openzfs-devsummit-2016/) Accurate, Traceable, and Verifiable Time Synchronization for World Financial Markets (http://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.023.pdf) ON HOLY WARS AND A PLEA FOR PEACE (https://www.ietf.org/rfc/ien/ien137.txt) Feedback/Questions Morgan - Zero-Filling an VM (http://pastebin.com/CYcqmW7P) Charlie - ZFS Bit-Rot (http://pastebin.com/12mNW57h) Matias - TrueOS / Launchd (http://pastebin.com/NfYWt2cu) Dale - DO Feedback (http://pastebin.com/UvKh2WcF) James - DO / FreeBSD Locks? (http://pastebin.com/0cdMc88U) ***

This week on BSDNow, Allan is back from his UK trip and we'll get to hear his thoughts on the developer summit. That plus all the This episode was brought to you by Headlines FreeBSD 11.0-RC1 Available (https://lists.freebsd.org/pipermail/freebsd-stable/2016-August/085277.html) FreeBSD is marching onwards to 11.0, and with it the first RC1 was released. In addition to the usual amd64 architectures, you may want to give it a whirl on your various ARM boards as well, as it includes images for the following systems: 11.0-RC1 amd64 GENERIC 11.0-RC1 i386 GENERIC 11.0-RC1 powerpc GENERIC 11.0-RC1 powerpc64 GENERIC64 11.0-RC1 sparc64 GENERIC 11.0-RC1 armv6 BANANAPI 11.0-RC1 armv6 BEAGLEBONE 11.0-RC1 armv6 CUBIEBOARD 11.0-RC1 armv6 CUBIEBOARD2 11.0-RC1 armv6 CUBOX-HUMMINGBOARD 11.0-RC1 armv6 GUMSTIX 11.0-RC1 armv6 RPI-B 11.0-RC1 armv6 RPI2 11.0-RC1 armv6 PANDABOARD 11.0-RC1 armv6 WANDBOARD 11.0-RC1 aarch64 GENERIC For those wondering the list of changes between this and BETA4, we have that as well: A NULL pointer dereference in IPSEC has been fixed. Support for SSH Protocol 1 has been removed. OpenSSH DSA keys have been disabled by default. Users upgrading from prior FreeBSD versions are urged to update their SSH keys to RSA or ECDSA keys before upgrading to 11.0-RC1. PCI-e hotplug on bridges with power controllers has been disabled. A loader tunable (hw.pci.enablepciehp) to disable PCI-e HotPlug has been added. A VESA panic on suspend has been fixed. Google Compute Engine image publication has been fixed. An AES-ICM heap corruption typo bug has been fixed. A regression in pf.conf while parsing the 'interval' keyword has been fixed. A ZFS/VFS deadlock has been fixed. RC2 is delayed while some issues are sorted out (https://lists.freebsd.org/pipermail/freebsd-stable/2016-August/085323.html) RC2 is looming large, but was pushed back a few days while the following bugs are sorted out: Issue with IPv6 UDP traffic being sent from wrong MAC address Layer2 violation with IPv6 *** OpenBSD just added initial support for the RaspberryPi 2 and 3 devices (https://marc.info/?l=openbsd-cvs&m=147059203101111&w=2) It's a good time to be an ARM and BSD enthusiast. In addition to all the ARM images in FreeBSD 11.0, we also have word that initial support for RPi2 and RPi3 has started to land in OpenBSD. Mark Kettenis has posted the following with his Commit: Initial support for Raspberry Pi 2/3. All the hard work done by patrick@, I just cleaned things up a bit. Any bugs introduced in that process are entirely mine. This doesn't work yet. But when it does, you'll need recent firmware from the Raspberry Pi Foundation git repository at: https://github.com/raspberrypi/firmware The device tree for the Raspberry Pi is somewhat in flux as bits and pieces to support the Raspberry Pi 2 and 3 are committed to the mainline Linux kernel.“ + Exciting news! We will of course keep you informed as to when we have images to play with. Running OpenBSD / PF on a RPi does sound intriguing. drm-4.8-rc2 tagged in drm-next (https://lists.freebsd.org/pipermail/freebsd-x11/2016-August/017840.html) Remember when FreeBSD lagged so far behind in Graphics support? Well, those days are rapidly coming to an end. Matt Macy has posted an update to the FreeBSD X11 list with news of his DRM branch being caught up all the way to Linux 4.8-RC2 now. This is a huge accomplishment, with Matt commenting: As of this moment sys/dev/drm in the drm-next tree is sync with https://github.com/torvalds/linux drivers/gpu/drm (albeit only for the subset of drivers that FreeBSD supports - i915, radeon, and amdgpu). I feel this is a bit of a milestone as it means that it is possible that in the future graphics support on FreeBSD could proceed in lockstep with Linux. For those who want to try out the latest support, you can build from his branch at the following GitHub location: (https://github.com/FreeBSDDesktop/freebsd-base-graphics) Or, if compiling isn't your thing, TrueOS (The re-branded PC-BSD) will be releasing the a new ISO based upon his update to Linux 4.7 in the coming days, with 4.8-RC2 to follow in the next week or two. *** Installing FreeBSD for Raspberry Pi (https://www.freebsdfoundation.org/freebsd/how-to-guides/installing-freebsd-for-raspberry-pi/) People have been running FreeBSD on various RPi devices for a while now, however there are still a lot of people who probably need a hand to get boot-strapped on their RPi system. The FreeBSD foundation has put together a nice tutorial which walks even the most novice user through getting FreeBSD up and running. In particular this could become a good way for students or other FreeBSD newcomers to try out the OS on a relatively low-cost platform outside of a VM. The tutorial starts of with a check-list of the specific items you'll need to get started, for RPi 1 (a/b) or RPi 2 hardware. From there, instructions on how to get the downloaded images onto a sdcard are provided, including Mac and Windows image burning details. With this done, it's really only a matter of plugging in your device to be presented with your new RPi + FreeBSD system. The most important details (the default username/password) at also provided, so don't skim too quickly. *** Interview - Drew Gurkowski Foundation Intern: First time FreeBSD User and Writing Tutorials *** News Roundup FreeBSD's ipfw gets a NAT64 implementation (https://svnweb.freebsd.org/base?view=revision&revision=304046) A new feature has been added to FreeBSD's native firewall, ipfw2 The new loadable module implements stateless and stateful NAT64 “Stateless translation is appropriate when a NAT64 translator is used in front of IPv4-only servers to allow them to be reached by remote IPv6-only clients.” With this setup, you map specific IPv6 addresses to the corresponding IPv4 address, allowing IPv4 only servers to be reachable on the v6 network. “Stateful translation is suitable for deployment at the client side or at the service provider, allowing IPv6-only client hosts to reach remote IPv4-only nodes.” This configuration allows many IPv6 only clients to reach the “legacy” internet. The FreeBSD cluster has been waiting for this feature for a while, because they have limited IP addresses, but many service jails that require access to services like GitHub that are not IPv6 enabled. The work was sponsored by Yandex, the Russian search engine and long time FreeBSD user Example configurations for both types are included in the commit message If you would find this feature useful, please take the time to set it up and document the steps and contribute that to the FreeBSD Handbook. *** Update on using LLVM's lld linker in the FreeBSD base system (https://lists.freebsd.org/pipermail/freebsd-toolchain/2016-August/002240.html) Ed Maste has written a lengthy update on the progress being made towards using LLVM's lld linker as a replacement for GNU's ‘ld'. Ed starts off by giving us some of the potential benefits of using lld vs the 2.17.50 ‘ld' version FreeBSD currently uses: AArch64 (arm64) support Link Time Optimization (LTO) New ABI support Other linker optimization Much faster link times Maintained code base Ed also gives us an update on several of the major blockers: Since the last update in March several lld developers have implemented much of the missing functionality. The main blockers were symbol version support and expression evaluation in the linker script expression parser. Both are now nearly complete“ A detailed plan was also articulated in respect to switching over: Update lld along with the Clang/LLVM 3.9 update that dim@ is working on. Add the bmake build infrastructure, installing as /usr/bin/ld.lld on the same architectures that use Clang (amd64, arm, arm64, i386). I don't think there's a need for a WITH_LLD src.conf knob, but will add one if desired. Update lld again (most likely to a snapshot from upstream SVN) once it is able to link an unmodified FreeBSD kernel. Modify the boot loader and kernel builds to avoid using features not implemented by lld. Introduce a WITHLLDAS_LD knob to have /usr/bin/ld be a ld.lld hardlink instead of /usr/bin/ld.bfd. Request ports exp-runs and issue a call for testing with 3rd party software. Fix issues found during this process. Switch /usr/bin/ld to ld.lld by default in head for the Clang-using architectures. Add a WITHOUTLLDAS_LD knob to switch back to GNU ld. *** How to install FreeBSD with ZFS filesystem on DigitalOcean (https://github.com/fxlv/docs/blob/master/freebsd/freebsd-with-zfs-digitalocean.md) I know we've mentioned using FreeBSD + ZFS on digital ocean in the past, but today we have a nice HowTo by Kaspars Mickevics (fxlv) on GitHub. Before getting started, kaspars mentions some pre-reqs. First up he recommends starting with a Minimum of 2GB of RAM. (The $20/mo droplet). This is to ensure you have plenty of cushion to avoid running out of memory during the process. It is possible to use ZFS with less, but depending on your desired workload this does make sense. From there, checking out “mfsBSD” is discussed, along with details on how to make it suitable for a DO installation. (Mostly just disabling DHCP for the network device) For good measure ‘pkg-static' is also included. With that done, using mfsBSD you will create a tar file, which is then extracted on top of the running system. After rebooting, you will be able to run “bsdinstall” and proceed to installing / formatting your disk with ZFS as normal. A good tutorial, something I may need to do here in the near future. User manages to get OpenBSD and FreeBSD working with Libreboot (https://lists.nongnu.org/archive/html/libreboot/2016-08/msg00058.html) In a short drive-by post to the Libreboot mailing list Piotr Kubaj gives a quick notice that he managed to get OpenBSD and FreeBSD both booting. > I know GNU people don't like BSD, so let me make it quick :) > > > I've succeeded in booting FreeBSD 11.0-RC1 using txt mode on my X200 > with the newest Libreboot. > > To get installer to boot, I used: > kfreebsd (usb0,gpt3)/boot/kernel/kernel > set FreeBSD.vfs.mountfrom=ufs:/dev/da1p3 > boot > > I didn't try to install yet. > The trick looks relatively simple (looks like GRUB), manually loading the kernel with ‘kfreebsd' and then setting the vfs.root.mountfrom variable to find the USB stick. In an update he also mentions booting OpenBSD with ‘kopenbsd' instead of ‘kfreebsd' (again GRUB syntax) Now somebody will need to test installation of the system (he didn't) and see what other issues may crop up in running BSD on a free BIOS. *** Beastie Bits: The ACPICA (ACPI Component Architecture) coding language AML now in DragonFly BSD (http://lists.dragonflybsd.org/pipermail/commits/2016-July/624192.html) Release announcement for 4.3BSD Tahoe from 1988 (https://groups.google.com/forum/#!topic/comp.sys.tahoe/50ManvdM1-s) Feedback/Questions Mike - Jail Uptime (http://pastebin.com/FLpybL6D) Greg - Router Hardware (http://pastebin.com/RGuayhB3) Kristof writes in (http://pastebin.com/NT4zmHiG) Ty - Updates and Logs (http://pastebin.com/CtetZdFg) Benjamin - MTA Bug (http://pastebin.com/Qq3VbQG2) ***

Today on the show, we are going to be chatting with Michael Dexter about a variety of topics, but of course including bhyve! That plus This episode was brought to you by Headlines NetBSD Introduction (https://bsdmag.org/netbsd_intr/) We start off today's episode with a great new NetBSD article! Siju Oommen George has written an article for BSDMag, which provides a great overview of NetBSD's beginnings and what it is today. Of course you can't start an article about NetBSD without mentioning where the name came from: “The four founders of the NetBSD project, Chris Demetriou, Theo de Raadt, Adam Glass, and Charles Hannum, felt that a more open development model would benefit the project: one centered on portable, clean and correct code. They aimed to produce a unified, multi-platform, production-quality, BSD-based operating system. The name “NetBSD” was suggested by de Raadt, based on the importance and growth of networks, such as the Internet at that time, the distributed and collaborative nature of its development.” From there NetBSD has expanded, and keeping in line with its motto “Of course it runs NetBSD” it has grown to over 57 hardware platforms, including “IA-32, Alpha, PowerPC,SPARC, Raspberry pi 2, SPARC64 and Zaurus” From there topics such as pkgsrc, SMP, embedded and of course virtualization are all covered, which gives the reader a good overview of what to expect in the modern NetBSD today. Lastly, in addition to mentioning some of the vendors using NetBSD in a variety of ways, including Point-Of-Sale systems, routers and thin-clients, you may not have known about the research teams which deploy NetBSD: NASA Lewis Research Center – Satellite Networks and Architectures Branch use NetBSD almost exclusively in their investigation of TCP for use in satellite networks. KAME project – A research group for implementing IPv6, IPsec and other recent TCP/IP related technologies into BSD UNIX kernels, under BSD license. NEC Europe Ltd. established the Network Laboratories in Heidelberg, Germany in 1997, as NEC's third research facility in Europe. The Heidelberg labs focus on software-oriented research and development for the next generation Internet. SAMS-II Project – Space Acceleration Measurement System II. NASA will be measuring the microgravity environment on the International Space Station using a distributed system, consisting of NetBSD.“ My condolences, you're now the maintainer of a popular open source project (https://runcommand.io/2016/06/26/my-condolences-youre-now-the-maintainer-of-a-popular-open-source-project/) A presentation from a Wordpress conference, about what it is like to be the maintainer of a popular open source project The presentation covers the basics: Open Source is more than just the license, it is about community and involvement The difference between Maintainers and Contributors It covers some of the reasons people do not open up their code, and other common problems people run into: “I'm embarrassed by my code” (Hint: so is everyone else, post it anyway, it is the best way to learn) “I'm discouraged that I can't finish releases on time” “I'm overwhelmed by the PR backlog” “I'm frustrated when issues turn into flamewars” “I'm overcommitted on my open source involvement” “I feel all alone” Each of those points is met with advice and possible solutions So, there you have it. Open up your code, or join an existing project and help maintain it *** FreeBSD Committer Allan Jude Discusses the Advantages of FreeBSD and His Role in Keeping Millions of Servers Running (http://www.hostingadvice.com/blog/freebsd-project-under-the-hood/) An interesting twist on our normal news-stories today, we have an article featuring our very own Allan Jude, talking about why FreeBSD and the advantages of working on an open-source project. “When Allan started his own company hosting websites for video streaming, FreeBSD was the only operating system he had previously used with other hosts. Based on his experience and comfort with it, he trusted the system with the future of his budding business.A decade later, the former-SysAdmin went to a conference focused on the open-source operating system, where he ran into some of the folks on its documentation team. “They inspired me,” he told our team in a recent chat. He began writing documentation but soon wanted to contribute improvements beyond the docs.Today, Allan sits as a FreeBSD Project Committer. It's rare that you get to chat with someone involved with a massive-scale open-source project like this — rare and awesome.” From there Allan goes into some of the reasons “Why” FreeBSD, starting with Code Organization being well-maintained and documented: “The FreeBSD Project functions like an extremely well-organized world all its own. Allan explained the environment: “There's a documentation page that explains how the file system's laid out and everything has a place and it always goes in that place.”” + In addition, Allan gives us some insight into his work to bring Boot-Environments to the loader, and other reasons why FreeBSD “just makes sense” + In summary Allan wraps it up quite nicely: “An important take-away is that you don't have to be a major developer with tons of experience to make a difference in the project,” Allan said — and the difference that devs like Allan are making is incredible. If you too want to submit the commit that contributes to the project relied on by millions of web servers, there are plenty of ways to get involved! We're especially talking to SysAdmins here, as Allan noted that they are the main users of FreeBSD. “Having more SysAdmins involved in the actual build of the system means we can offer the tools they're looking for — designed the way a SysAdmin would want them designed, not necessarily the way a developer would think makes the most sense” A guide to saving electricity and time with poudriere and bhyve (http://justinholcomb.me/blog/2016/07/03/poudriere-in-bhyve-and-bare-metal.html) “This article goes over running poudriere to built packages for a Raspberry Pi with the interesting twist of running it both as a bhyve guest and then switching to running on bare metal via Fiber Channel via ctld by sharing the same ZFS volume.” “Firstly, poudriere can build packages for different architectures such as ARM. This can save hours of build time compared to building ports from said ARM device.” “Secondly, let's say a person has an always-on device (NAS) running FreeBSD. To save power, this device has a CPU with a low clock-rate and low core count. This low clock-rate and core count is great for saving power but terrible for processor intensive application such as poudriere. Let's say a person also has another physical server with fast processors and a high CPU count but draws nearly twice the power and a fan noise to match.” “To get the best of both worlds, the goal is to build the packages on the fast physical server, power it down, and then start the same ZFS volume in a bhyve environment to serve packages from the always-on device.” The tutorial walks through setting up ‘ahost', the always on machine, ‘fhost' the fast but noisy build machine, and a raspberry pi It also includes creating a zvol, configuring iSCSI over fibre channel and exporting the zvol, booting an iSCSI volume in bhyve, plus installing and setting up poudriere This it configures booting over fibre channel, and cross-building armv6 (raspberry pi) packages on the fast build machine Then the fast machine is shut down, and the zvol is booted in bhyve on the NAS Everything you need to know to make a hybrid physical/virtual machine The same setup could also work to run the same bhyve VM from either ahost or fhost bhyve does not yet support live migration, but when it does, having common network storage like the zvol will be an important part of that *** Interview - Michael Dexter - editor@callfortesting.org (mailto:editor@callfortesting.org) / @michaeldexter (https://twitter.com/michaeldexter) The RoloDexter *** iXSystems Children's Minnesota Star Studio Chooses iXsystems' TrueNAS Storage (https://www.youtube.com/watch?v=FFbdQ_05e-0) *** News Roundup FreeBSD Foundation June 2016 Update (https://www.freebsdfoundation.org/wp-content/uploads/2016/06/FreeBSD-Foundation-June-2016-Update.pdf) The FreeBSD Foundation's June newsletter is out Make sure you submit the FreeBSD Community Survey (https://www.surveymonkey.com/r/freebsd2016) by July 7th: In addition to the opening message from the executive director of the foundation, the update includes details to sponsored work on the FreeBSD VM system, reports from a number of conferences the Foundation attended, including BSDCan The results of the foundation's yearly board meeting People the foundation recognized for their contributions to FreeBSD at BSDCan And an introduction to their new “Getting Started with FreeBSD” project *** [How-To] Building the FreeBSD OS from scratch (http://www.all-nettools.com/forum/showthread.php?34422-Building-the-FreeBSD-OS-from-scratch) A tutorial over at the All-NetTools.com forums that walks through building FreeBSD from scratch I am not sure why anyone would want to build Xorg from source, but you can It covers everything in quite a bit of detail, from the installation process through adding Xorg and a window manager from source It also includes tweaking some device node permissions for easier operation as a non-root user, and configuring the firewall *** Window Systems Should Be Transparent (http://doc.cat-v.org/bell_labs/transparent_wsys/) + Rob Pike of AT&T Labs writes about why Window Systems should be transparent This is an old paper (undated, but I think from the late 80s), but may contain some timeless insights “UNIX window systems are unsatisfactory. Because they are cumbersome and complicated, they are unsuitable companions for an operating system that is appreciated for its technical elegance” “A good interface should clarify the view, not obscure it” “Mux is one window system that is popular and therefore worth studying as an example of good design. (It is not commercially important because it runs only on obsolete hardware.) This paper uses mux as a case study to illustrate some principles that can help keep a user interface simple, comfortable, and unobtrusive. When designing their products, the purveyors of commercial window systems should keep these principles in mind.” There are not many commercial window systems anymore, but “open source” was not really a big thing when this paper was written *** Roger Faulkner, of Solaris fame passed away (http://permalink.gmane.org/gmane.comp.standards.posix.austin.general/12877) “RIP Roger Faulkner: creator of the One and True /proc, slayer of the M-to-N threading model -- and the godfather of post-AT&T Unix” @bcantrill: Another great Roger Faulkner story (https://twitter.com/bcantrill/status/750442169807171584) The story of how pgrep -w saved a monitor -- if not a life (https://news.ycombinator.com/item?id=4306515) @bcantrill: With Roger Faulkner, Tim led an engineering coup inside Sun that saved Solaris circa 2.5 (https://twitter.com/bcantrill/status/750442169807171584) *** Beastie Bits: Developer Ed Maste is requesting information from those who are users of libvgl. (https://lists.freebsd.org/pipermail/freebsd-stable/2016-June/084843.html) HEADS UP: DragonFly 4.5 world reneeds rebuilding (http://lists.dragonflybsd.org/pipermail/users/2016-June/249748.html) Chris Buechler is leaving the pfSense project, the entire community thanks you for your many years of service (https://blog.pfsense.org/?p=2095) GhostBSD 10.3-BETA1 now available (http://ghostbsd.org/10.3_BETA1) DragonFlyBSD adds nvmectl (http://lists.dragonflybsd.org/pipermail/commits/2016-June/500671.html) OPNsense 16.1.18 released (https://opnsense.org/opnsense-16-1-18-released/) bhyve_graphics hit CURRENT (https://svnweb.freebsd.org/base?view=revision&revision=302332) BUG Update FreeBSD Central Twitter account looking for a new owner (https://twitter.com/freebsdcentral/status/750053703420350465) NYCBUG meeting : Meet the Smallest BSDs: RetroBSD and LiteBSD, Brian Callahan (http://lists.nycbug.org/pipermail/talk/2016-July/016732.html) NYCBUG install fest @ HOPE (http://lists.nycbug.org/pipermail/talk/2016-June/016694.html) SemiBUG is looking for presentations for September and beyond (http://lists.nycbug.org/pipermail/semibug/2016-June/000107.html) Caleb Cooper is giving a talk on Crytpo at KnoxBUG on July 26th (http://knoxbug.org/content/2016-07-26) Feedback/Questions Leif - ZFS xfer (http://pastebin.com/vvASr64P) Zach - Python3 (http://pastebin.com/SznQHq7n) Dave - Versioning (http://pastebin.com/qkpjKEr0) David - Encrypted Disk Images (http://pastebin.com/yr7BUmv2) Eli - TLF in all the wrong places (http://pastebin.com/xby81NvC) ***

This week on BSDNow - It's getting close to christmas and the This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines n2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20151208172029) tedu@ worked on rebound, malloc hardening, removing legacy code “I don't usually get too involved with the network stack, but sometimes you find yourself at a network hackathon and have to go with the flow. With many developers working in the same area, it can be hard to find an appropriate project, but fortunately there are a few dusty corners in networking land that can be swept up without too much disturbance to others.” “IPv6 is the future of networking. IPv6 has also been the future of networking for 20 years. As a result, a number of features have been proposed, implemented, then obsoleted, but the corresponding code never quite gets deleted. The IPsec stack has followed a somewhat similar trajectory” “I read through various networking headers in search of features that would normally be exposed to userland, but were instead guarded by ifdef _KERNEL. This identified a number of options for setsockopt() that had been officially retired from the API, but the kernel code retained to provide ABI compatibility during a transition period. That transition occurred more than a decade ago. Binary programs from that era no longer run for many other reasons, and so we can delete support. It's only a small improvement, but it gradually reduces the amount of code that needs to be reviewed when making larger more important changes” Ifconfig txpower got similar treatment, as no modern WiFi driver supports it Support for Ethernet Trailers, RFC 893 (https://tools.ietf.org/html/rfc893), enabled zero copy networking on a VAX with 512 byte hardware pages, the feature was removed even before OpenBSD was founded, but the ifconfig option was still in place Alexandr Nedvedicky (sashan@) worked on MP-Safe PF (http://undeadly.org/cgi?action=article&sid=20151207143819) “I'd like to thank Reyk for hackroom and showing us a Christmas market. It was also my pleasure to meet Mr. Henning in person. Speaking of Henning, let's switch to PF hacking.” “mpi@ came with patch (sent to priv. list only currently), which adds a new lock for PF. It's called PF big lock. The big PF lock essentially establishes a safe playground for PF hackers. The lock currently covers all pftest() function. The pftest() function parts will be gradually unlocked as the work will progress. To make PF big lock safe few more details must be sorted out. The first of them is to avoid recursive calls to pftest(). The pftest() could get entered recursively, when packet hits block rule with return-* action. This is no longer the case as ipsend() functions got introduced (committed change has been discussed privately). Packets sent on behalf of kernel are dispatched using softnet task queue now. We still have to sort out pfroute() functions. The other thing we need to sort out with respect to PF big lock is reference counting for statekey, which gets attached to mbuf. Patch has been sent to hackers, waiting for OK too. The plan is to commit reference counting sometimes next year after CVS will be unlocked. There is one more patch at tech@ waiting for OK. It brings OpenBSD and Solaris PF closer to each other by one tiny little step.” *** ACM Queue: Challenges of Memory Management on Modern NUMA System (http://queue.acm.org/detail.cfm?id=2852078) “Modern server-class systems are typically built as several multicore chips put together in a single system. Each chip has a local DRAM (dynamic random-access memory) module; together they are referred to as a node. Nodes are connected via a high-speed interconnect, and the system is fully coherent. This means that, transparently to the programmer, a core can issue requests to its node's local memory as well as to the memories of other nodes. The key distinction is that remote requests will take longer, because they are subject to longer wire delays and may have to jump several hops as they traverse the interconnect. The latency of memory-access times is hence non-uniform, because it depends on where the request originates and where it is destined to go. Such systems are referred to as NUMA (non-uniform memory access).” So, depending what core a program is running on, it will have different throughput and latency to specific banks of memory. Therefore, it is usually optimal to try to allocate memory from the bank of ram connected to the CPU that the program is running on, and to keep that program running on that same CPU, rather than moving it around There are a number of different NUMA strategies, including: Fixed, memory is always allocated from a specific bank of memory First Touch, which means that memory is allocated from the bank connected to the CPU that the application is running on when it requests the memory, which can increase performance if the application remains on that same CPU, and the load is balanced optimally Round Robin or Interleave, where memory is allocated evenly, each allocation coming from the next bank of memory so that all banks are used. This method can provide more uniform performance, because it ensures that all memory accesses have the same change to be local vs remote. If even performance is required, this method can be better than something more focused on locality, but that might fail and result in remote access AutoNUMA, A kernel task routinely iterates through the allocated memory of each process and tallies the number of memory pages on each node for that process. It also clears the present bit on the pages, which will force the CPU to stop and enter the page-fault handler when the page is next accessed. In the page-fault handler it records which node and thread is trying to access the page before setting the present bit and allowing execution to continue. Pages that are accessed from remote nodes are put into a queue to be migrated to that node. After a page has already been migrated once, though, future migrations require two recorded accesses from a remote node, which is designed to prevent excessive migrations (known as page bouncing). The paper also introduces a new strategy: Carrefour is a memory-placement algorithm for NUMA systems that focuses on traffic management: placing memory so as to minimize congestion on interconnect links or memory controllers. Trying to strike a balance between locality, and ensuring that the interconnect between a specific pair of CPUs does not become congested, which can make remote accesses even slower Carrefour uses three primary techniques: Memory collocation, Moving memory to a different node so that accesses will likely be local. Replication, Copying memory to several nodes so that threads from each node can access it locally (useful for read-only and read-mostly data). Interleaving, Moving memory such that it is distributed evenly among all nodes. FreeBSD is slowly gaining NUMA capabilities, and currently supports: fixed, round-robin, first-touch. Additionally, it also supports fixed-rr, and first-touch-rr, where if the memory allocation fails, because the fixed domain or first-touch domain is full, it falls back to round-robin. For more information, see numa(4) and numa_setaffinity(2) on 11-CURRENT *** Is that Linux? No it is PC-BSD (http://fossforce.com/2015/12/linux-no-pc-bsd/) Larry Cafiero continues to make some news about his switch to PC-BSD from Linux. This time in an blog post titled “Is that Linux? No, its PC-BSD” he describes an experience out and about where he was asked what is running on his laptop, and was unable for the first time in 9 years to answer, it's Linux. The blog then goes on to mention his experience up to now running PC-BSD, how the learning curve was fairly easy coming from a Linux background. He mentions that he has noticed an uptick in performance on the system, no specific benchmarks but this “Linux was fast enough on this machine. But in street racing parlance, with PC-BSD I'm burning rubber in all four gears.” The only major nits he mentions is having trouble getting a font to switch in FireFox, and not knowing how to enable GRUB quiet mode. (I'll have to add a knob back for that) *** Dual booting OS X and OpenBSD with full disk encryption (https://gist.github.com/jcs/5573685) New GPT and UEFI support allow OpenBSD to co-exist with Mac OS X without the need for Boot Camp Assistant or Hybrid MBRs This tutorial walks the read through the steps of installing OpenBSD side-by-side with Mac OS X First the HFS+ partition is shrunk to make room for a new OpenBSD partition Then the OpenBSD installer is run, and the available free space is setup as an encrypted softraid The OpenBSD installer will add itself to the EFI partition Rename the boot loader installed by OpenBSD and replace it with rEFInd, so you will get a boot menu allowing you to select between OpenBSD and OS X *** Interview - Paul Goyette - pgoyette@netbsd.org (mailto:pgoyette@netbsd.org) NetBSD Testing and Modularity *** iXsystems iXsystems Wins Press and Industry Analyst Accolades in Best in Biz Awards 2015 (http://www.virtual-strategy.com/2015/12/08/ixsystems-wins-press-and-industry-analyst-accolades-best-biz-awards-2015) *** News Roundup HOWTO: L2TP/IPSec with OpenBSD (https://www.geeklan.co.uk/?p=2019) *BSD contributor Sevan Janiyan provides an update on setting up a road-warrior VPN This first article walks through setting up the OpenBSD server side, and followup articles will cover configuring various client systems to connect to it The previous tutorial on this configuration is from 2012, and things have improved greatly since then, and is much easier to set up now The tutorial includes PF rules, npppd configuration, and how to enable isakmpd and ipsec L2TP/IPSec is chosen because most operating systems, including Windows, OS X, iOS, and Android, include a native L2TP client, rather than requiring some additional software to be installed *** DragonFly 4.4 Released (http://www.dragonflybsd.org/release44/) DragonFly BSD has made its 4.4 release official this week! A lot of big changes, but some of the highlights Radeon / i915 DRM support for up to Linux Kernel 3.18 Proper collation support for named locales, shared back to FreeBSD 11-CURRENT Regex Support using TRE “As a consequence of the locale upgrades, the original regex library had to be forced into POSIX (single-byte) mode always. The support for multi-byte characters just wasn't there. ” …. “TRE is faster, more capable, and supports multibyte characters, so it's a nice addition to this release.” Other noteworthy, iwm(4) driver, CPU power-saving improvements, import ipfw from FreeBSD (named ipfw3) An interesting tidbit is switching to the Gold linker (http://bsd.slashdot.org/story/15/12/04/2351241/dragonflybsd-44-switches-to-the-gold-linker-by-default) *** Guide to install Ajenti on Nginx with SSL on FreeBSD 10.2 (http://linoxide.com/linux-how-to/install-ajenti-nginx-ssl-freebsd-10-2/) Looking for a webmin-like interface to control your FreeBSD box? Enter Ajenti, and today we have a walkthrough posted on how to get it setup on a FreeBSD 10.2 system. The walkthrough is mostly straightforward, you'll need a FreeBSD box with root, and will need to install several packages / ports initially. Because there is no native package (yet), it guides you through using python's PIP installer to fetch and get Ajenti running. The author links to some pre-built rc.d scripts and other helpful config files on GitHub, which will further assist in the process of making it run on FreeBSD. Ajenti by itself may not be the best to serve publically, so it also provides instructions on how to protect the connection by serving it through nginx / SSL, a must-have if you plan on using this over unsecure networks. *** BSDCan 2016 CFP is up! (http://www.bsdcan.org/2016/papers.php) BSDCan is the biggest North American BSD conference, and my personal favourite The call for papers is now out, and I would like to see more first-time submitters this year If you do anything interesting with or on a BSD, please write a proposal Are the machines you run BSD on bigger or smaller than what most people have? Tell us about it Are you running a big farm that does something interesting? Is your university research using BSD? Do you have an idea for a great new subsystem or utility? Have you suffered through some horrible ordeal? Make sure the rest of us know the best way out when it happens to us. Did you build a radar that runs NetBSD? A telescope controlled by FreeBSD? Have you run an ISP at the north pole using Jails? Do you run a usergroup and have tips to share? Have you combined the features and tools of a BSD in a new and interesting way? Don't have a talk to give? Teach a tutorial! The conference will arrange your air travel and hotel, and you'll get to spend a few great days with the best community on earth Michael W. Lucas's post about the 2015 proposals and rejections (http://blather.michaelwlucas.com/archives/2325) *** Beastie Bits OpenBSD's lightweight web server now in FreeBSD's ports tree (http://www.freshports.org/www/obhttpd/) Stephen Bourne's NYCBUG talk is online (https://www.youtube.com/watch?v=FI_bZhV7wpI) Looking for owner to FreeBSDWiki (http://freebsdwiki.net/index.php/Main_Page) HOWTO: OpenBSD Mail Server (http://frozen-geek.net/openbsd-email-server-1/) A new magic getopt library (http://www.daemonology.net/blog/2015-12-06-magic-getopt.html) PXE boot OpenBSD from OpenWRT (http://uggedal.com/journal/pxe-boot-openbsd-from-openwrt/) Supporting the OpenBSD project (http://permalink.gmane.org/gmane.os.openbsd.misc/227054) Feedback/Questions Zachary - FreeBSD Jails (http://slexy.org/view/s20pbRLRRz) Robert - Iocage help! (http://slexy.org/view/s2jGy34fy2) Kjell - Server Management (http://slexy.org/view/s20Ht8JfpL) Brian - NAS Setup (http://slexy.org/view/s2GYtvd7hU) Mike - Radius Followup (http://slexy.org/view/s21EVs6aUg) Laszlo - Best Stocking Ever (http://slexy.org/view/s205zZiJCv) ***

Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you. This episode was brought to you by Headlines EdgeRouter Lite, meet OpenBSD (http://www.tedunangst.com/flak/post/OpenBSD-on-ERL) The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8) Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware More discussion can be found on Hacker News (https://news.ycombinator.com/item?id=10079210) and various (https://www.reddit.com/r/openbsd/comments/3hgf2c) other (https://www.marc.info/?t=143974140500001&r=1&w=2) places (https://lobste.rs/s/acz9bu/openbsd_on_edgerouter_lite) One thing to note (https://www.marc.info/?l=openbsd-misc&m=143991822827285&w=2) about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all) *** Design and Implementation of the FreeBSD Operating System interview (http://www.infoq.com/articles/freebsd-design-implementation-review) For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points." Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics *** Path list parameter in OpenBSD tame (https://www.marc.info/?l=openbsd-cvs&m=144027474117290&w=2) We've mentioned OpenBSD's relatively new "tame (https://marc.info/?l=openbsd-tech&m=143725996614627&w=2)" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9 More discussion can be found on Reddit (https://www.reddit.com/r/openbsd/comments/3i2lk7) and Hacker News (https://news.ycombinator.com/item?id=10104886) *** FreeBSD & PC-BSD 10.2-RELEASE (https://www.freebsd.org/releases/10.2R/announce.html) The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13 New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail Check the full release notes (https://www.freebsd.org/releases/10.2R/relnotes.html) for the rest of the details and changes PC-BSD also followed with their 10.2-RELEASE (http://blog.pcbsd.org/2015/08/pc-bsd-10-2-release-now-available), sporting a few more additional features *** Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller) OpenSSH: phasing out broken crypto, default cipher changes News Roundup NetBSD at Open Source Conference Shimane (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/22/msg000692.html) We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another This time they had NetBSD running on some Sony NWS devices (MIPS-based) JavaStations (https://en.wikipedia.org/wiki/JavaStation) were also on display - something we haven't ever seen before (made between 1996-2000) *** BAFUG videos (https://www.youtube.com/watch?v=-XF20nitI90) The Bay Area FreeBSD users group has been uploading some videos of their recent meetings Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts In a second video (https://www.youtube.com/watch?v=49sPYHh473U), Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X" In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc) People should record presentations at their BSD users groups and send them to us *** L2TP over IPSEC on OpenBSD (http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients) If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic This guide specifically covers L2TP, using npppd and pre-shared keys Server setup, client setup, firewall configuration and routing-related settings are all covered in detail *** Reliable bare metal with TrueOS (http://www.tubsta.com/2015/08/reliable-bare-metal-server-using-trueosfreebsd) Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution Most importantly, he also covers how to keep everything redundant and deal with hard drives failing The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are *** Kernel W^X on i386 (https://www.marc.info/?l=openbsd-cvs&m=144047868127049&w=2) We mentioned some big W^X kernel changes in OpenBSD a while back (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2), but the work was mainly for x86_64 CPU architecture (which makes sense; that's what most people run now) Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well Check out our interview with Mike (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction) for some more background info on memory protections like W^X *** Feedback/Questions Markus writes in (http://slexy.org/view/s2iGoeYMyb) Sean writes in (http://slexy.org/view/s21bIFfmUS) Theo writes in (http://slexy.org/view/s21Hjm8Tsa) ***

This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up. This episode was brought to you by Headlines FreeBSD on Olimex RT5350F-OLinuXino (https://www.bidouilliste.com/blog/2015/07/22/FreeBSD-on-Olimex-RT5350F-OLinuXino) If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it) It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment In part two of the series (https://www.bidouilliste.com/blog/2015/07/24/FreeBSD-on-Olimex-RT5350F-OLinuXino-Part-2), he talks about the GPIO and how you can configure it Part three is still in the works, so check the site later on for further progress and info *** The modern OpenBSD home router (https://www.azabani.com/2015/08/06/modern-openbsd-home-router.html) In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway (http://www.bsdnow.tv/tutorials/openbsd-router) for his home network "It's no secret that most consumer routers ship with software that's flaky at best, and prohibitively insecure at worst" Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless This guide also covers PPP and IPv6, in case you have those requirements In a similar but unrelated series (http://jaytongarnett.blogspot.com/2015/07/openbsd-router-bt-home-hub-5-replacement.html), another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge He also has a separate post (http://jaytongarnett.blogspot.com/2015/08/openbsd-l2tpipsec-vpn-works-with.html) for setting up an IPSEC VPN on the router *** NetBSD at Open Source Conference 2015 Kansai (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/10/msg000691.html) The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it And what conference would be complete without an LED-powered towel *** OpenSSH 7.0 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034289.html) The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now If you're using an older configuration file, the "without-password" option still works, so no change is required You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications Various bug fixes and documentation improvements are also included Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled *** Interview - Peter Toth - peter.toth198@gmail.com (mailto:peter.toth198@gmail.com) / @pannonp (https://twitter.com/pannonp) Containment with iocage (https://github.com/iocage/iocage) News Roundup More c2k15 reports (http://undeadly.org/cgi?action=article&sid=20150809105132) A few more hackathon reports from c2k15 in Calgary are still slowly trickling in Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things) He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging Renato Westphal sent in a report (http://undeadly.org/cgi?action=article&sid=20150811171006) of his very first hackathon He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network Philip Guenther also wrote in (http://undeadly.org/cgi?action=article&sid=20150809165912), getting some very technical and low-level stuff done at the hackathon His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well *** FreeBSD jails, the hard way (https://clinta.github.io/freebsd-jails-the-hard-way) As you learned from our interview this week, there's quite a selection of tools available to manage your jails This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf Unlike with iocage, ZFS isn't actually a requirement for this method If you are using it, though, you can make use of snapshots for making template jails *** OpenSSH hardware tokens (http://www.tancsa.com/mdtblog/?p=73) We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server? This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too *** LibreSSL 2.2.2 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2-relnotes.txt) The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well *** Feedback/Questions James writes in (http://slexy.org/view/s216lrsVVd) Stuart writes in (http://slexy.org/view/s20uGUHWLr) ***

Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Out with the old, in with the less (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less) Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions" "Instead of trying to fix known bugs, we're trying to fix unknown bugs. It's not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs." In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers "Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver." In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness) He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it." Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it (https://marc.info/?l=openbsd-ports&m=143481227122523&w=2), called "doas" There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing (http://www.openbsd.org/papers/pruning.html)" talk is good complementary reading material *** More OpenZFS and BSDCan videos (https://www.youtube.com/channel/UC0IK6Y4Go2KtRueHDiQcxow/videos) We mentioned last week (http://www.bsdnow.tv/episodes/2015_06_24-bitrot_group_therapy) that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more Matt Ahrens did a Q&A session (https://www.youtube.com/watch?v=I6fXZ_6OT5c) and talked about ZFS send and receive (https://www.youtube.com/watch?v=iY44jPMvxog), as well as giving an overview of OpenZFS (https://www.youtube.com/watch?v=RQlMDmnty80) George Wilson talked about a performance retrospective (https://www.youtube.com/watch?v=KBI6rRGUv4E) Toshiba (https://www.youtube.com/watch?v=sSi47-k78IM), Syneto (https://www.youtube.com/watch?v=Hhje5KEF5cE) and HGST (https://www.youtube.com/watch?v=aKgxXipss8k) also gave some talks about their companies and how they're using ZFS As for BSDCan, more of their BSD presentations have been uploaded too... Ryan Stone, PCI SR-IOV on FreeBSD (https://www.youtube.com/watch?v=INeMd-i5jzM) George Neville-Neil, Measure Twice, Code Once (https://www.youtube.com/watch?v=LE4wMsP7zeA) Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD (https://www.youtube.com/watch?v=qNYXqpJiFN0) Warner Losh, I/O Scheduling in CAM (https://www.youtube.com/watch?v=3WqOLolj5EU) Kirk McKusick, An Introduction to the Implementation of ZFS (https://www.youtube.com/watch?v=l-RCLgLxuSc) Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support (https://www.youtube.com/watch?v=zZXvjhWcg_4) Baptiste Daroussin, Packaging FreeBSD's (https://www.youtube.com/watch?v=Br6izhH5P1I) base system (https://www.youtube.com/watch?v=v7px6ktoDAI) Matt Ahrens, New OpenZFS features supporting remote replication (https://www.youtube.com/watch?v=UOX7WDAjqso) Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities (https://www.youtube.com/watch?v=SVdF84x1EdA) The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here (http://www.bsdcan.org/2015/audio/mandoc.mp3), and the slides are here (http://www.openbsd.org/papers/bsdcan15-mandoc.pdf) *** SMP steroids for PF (https://www.marc.info/?l=openbsd-tech&m=143526329006942&w=2) An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review Attached to the mail was what may be the beginnings of making native PF SMP-aware Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle The initial response (https://www.marc.info/?l=openbsd-tech&m=143532243322281&w=2) has been quite positive though, with some back and forth (https://www.marc.info/?l=openbsd-tech&m=143532963824548&w=2) between developers and the submitter For now, let's be patient and see what happens *** DragonFly 4.2.0 released (http://www.dragonflybsd.org/release42/) DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page (http://www.dragonflybsd.com/docs/docs/newhandbook/mta/) about configuring it They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement There was also some hacker news discussion (https://news.ycombinator.com/item?id=9797932) you can check out, as well as upgrade instructions (http://lists.dragonflybsd.org/pipermail/users/2015-June/207801.html) *** OpenSMTPD 5.7.1 released (https://opensmtpd.org/announces/release-5.7.1.txt) The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default The long-awaited filter API is now enabled by default, though still considered slightly experimental Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones) Many more small additions and bugfixes were made, so check the changelog for the full list Starting with 5.7.1, releases are now cryptographically (https://twitter.com/OpenSMTPD/status/613257722574839808) signed (https://www.opensmtpd.org/archives/opensmtpd-5.7.1.sum.sig) to ensure integrity This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server (https://twitter.com/OpenSMTPD/status/608399272447471616) with thousands of emails per second, even offering prizes (https://twitter.com/OpenSMTPD/status/608235180839567360) to whoever can DDoS them the hardest OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately Let's all encourage (mailto:feedback@bsdnow.tv) Kris to stop procrastinating on switching from Postfix *** Interview - Jun Ebihara (蛯原純) - jun@netbsd.org (mailto:jun@netbsd.org) / @ebijun (https://twitter.com/ebijun) Lesser-known CPU architectures, embedded NetBSD devices News Roundup FreeBSD foundation at BSDCan (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-steven-douglas.html) The FreeBSD foundation has posted a few BSDCan summaries on their blog The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people." He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily Their second (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-ahmed-kamal.html) trip report is from Ahmed Kamal, who flew in all the way from Egypt A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD There are also two more wrap-ups from Zbigniew Bodek (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-zbigniew-bodek.html) and Vsevolod Stakhov (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-vsevolod-stakhov.html), so you've got plenty to read *** OpenBSD from a veteran Linux user perspective (http://cfenollosa.com/blog/openbsd-from-a-veteran-linux-user-perspective.html) In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time "For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration." The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless." He also goes through some of the basics, installing and updating software, following different branches It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern." *** FreeBSD on the desktop, am I crazy (http://sysconfig.org.uk/freebsd-on-the-desktop-am-i-crazy.html) Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think." With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too *** OpenIKED and Cisco CSR 1000v IPSEC (https://www.netflask.net/ipsec-ikev2-cisco-csr1000v-openiked/) This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be *** HardenedBSD improves stack randomization (https://github.com/HardenedBSD/hardenedBSD/commit/bd5cecb4dc7947a5e214fc100834399b4bffdee8) The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well They're now stacking the new on top of the old as well, with the goal being even more entropy This change triggered an ABI and API incompatibility, so their major version has been bumped *** OpenSSH 6.9 released (https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-July/000121.html) The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments One very notable change is that the default cipher has changed as of this release The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits Many small bugs fixes and improvements were also made, so check the announcement for everything else The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon *** Feedback/Questions Brad writes in (http://slexy.org/view/s2Ws6Y2rZy) Mason writes in (http://slexy.org/view/s21GvZ5xbs) Jochen writes in (http://slexy.org/view/s209TrPK4e) Simon writes in (http://slexy.org/view/s21TQjUjxv) ***

This week, we'll be talking to Henning Brauer about OpenNTPD and its recently revived portable version. After that, we'll be discussing different ways to securely tunnel your traffic: specifically OpenVPN, IPSEC, SSH and Tor. All that and the latest news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Strange timer bug in FreeBSD 11 (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054295.html) Peter Wemm (http://www.bsdnow.tv/episodes/2014_09_24-beastly_infrastructure) wrote in to the FreeBSD -CURRENT mailing list with an interesting observation Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game An initial proposal was adding a CFLAG to the build options which makes makes signed arithmetic wrap Peter disagreed and gave some background (https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054320.html), offering a different patch to fix (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067827.html) the issue and detect it early (https://lists.freebsd.org/pipermail/svn-src-head/2015-February/067828.html) if it happens again Ultimately, the problem was traced back to an issue with a recent clang import It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down *** An OpenBSD mail server (http://technoquarter.blogspot.com/p/series.html) There's been a recent influx of blog posts about building a BSD mail server for some reason In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd That means this is more of a "complete solution" - right down to what the end users see The series is split up into categories so it's very easy to follow along step-by-step *** How DragonFlyBSD uses git (http://lists.dragonflybsd.org/pipermail/users/2015-January/207421.html) DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code In a series (http://lists.dragonflybsd.org/pipermail/users/2015-January/207422.html) of posts (http://lists.dragonflybsd.org/pipermail/users/2015-January/207424.html), Matthew Dillon (the project lead) details their internal setup They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access) The maintainers of the server are the only ones with shell access available He also details how a cron job syncs from the master to a public box that anyone can check out code from It would be interesting to hear about how other BSD projects manage their master source repository *** Why not try PCBSD? (http://www.itwire.com/business-it-news/open-source/66900-fed-up-with-systemd-and-linux?-why-not-try-pc-bsd) ITwire, another more mainstream tech site, published a recent article about switching to PCBSD They interview a guy named Kris that we've never heard of before In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same "With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD." If you have some friends who complain to you about systemd all the time, this might be a good article to show them *** Interview - Henning Brauer - henning@openbsd.org (mailto:henning@openbsd.org) / @henningbrauer (https://twitter.com/henningbrauer) OpenNTPD (http://openntpd.org/) and its portable variant News Roundup Authenticated time in OpenNTPD (https://www.marc.info/?l=openbsd-tech&m=142356166731390&w=2) We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already While at the hackathon, some developers came up with an alternate way (https://www.marc.info/?l=openbsd-cvs&m=142355043928397&w=2) to get authenticated NTP responses You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool OpenNTPD will query it (over TLS, with CA verification) and look at the date sent in the HTTPS header It's not intended to be a direct time source, just a constraint to keep things within reason If you receive regular NTP packets that are way off from the TLS packet, those will be discarded and the server(s) marked as invalid Henning (https://www.marc.info/?l=openbsd-tech&m=142363215730069&w=2) and Theo (https://www.marc.info/?l=openbsd-tech&m=142363400330522&w=2) also weigh in to give some of the backstory on the idea Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) *** NetBSD at Open Source Conference 2015 Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/08/msg000678.html) It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them This time the conferences were in Oita and Hamanako (https://mail-index.netbsd.org/netbsd-advocacy/2015/02/11/msg000679.html), Japan Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices As always, they took lots of pictures from the event of NetBSD on all these weird machines *** Poudriere in a jail (http://www.tobeannounced.org/2015/02/poudriere-in-a-jail/) A common question we get about our poudriere tutorial (http://www.bsdnow.tv/tutorials/poudriere) is "how do I run it in a jail?" - this blog post is about exactly that It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic *** Bruteblock, another way to stop bruteforce (http://easyos.net/articles/bsd/freebsd/bruteblock_protection_against_bruteforce_attacks_in_ssh) We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services It can also work directly with IPFW, which is a plus if you're using that as your firewall Add a few lines to your syslog.conf and bruteblock will get executed automatically The rest of the article takes you through the different settings you can configure for blocking *** New iwm(4) driver and cross-polination (https://www.marc.info/?l=openbsd-cvs&m=142325218626853&w=2) The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads) NetBSD wasted no time in porting it over (https://mail-index.netbsd.org/source-changes/2015/02/07/msg062979.html), giving a bit of interesting backstory According to Antti Kantee (http://www.bsdnow.tv/episodes/2013_10_23-a_brief_intorduction), "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace" Both projects would appreciate further testing if you have the hardware and can provide useful bug reports Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code *** PCBSD current images (http://blog.pcbsd.org/2015/02/pc-bsd-11-0-current-images-now-available/) The first PCBSD -CURRENT images should be available this weekend This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2E4NbJwzs) Richard writes in (http://slexy.org/view/s2FkxcSYKy) Charlie writes in (http://slexy.org/view/s217EgA1JC) Ben writes in (http://slexy.org/view/s21vlCbGDt) *** Mailing List Gold A systematic effort (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00360.html) GCC's lunch (https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00457.html) Hopes and dreams (https://marc.info/?l=openbsd-cvs&m=142331891908776&w=2) *** Discussion Comparison of ways to securely tunnel your traffic OpenVPN (https://openvpn.net/index.php/open-source.html), OpenBSD IKED (http://www.openiked.org/), FreeBSD IPSEC (https://www.freebsd.org/doc/handbook/ipsec.html), OpenSSH (http://www.openssh.com/), Tor (https://www.torproject.org/) ***

This week on the show, we'll be talking with Paul Schenkeveld, chairman of the EuroBSDCon foundation. He tells us about his experiences running BSD conferences and how regular users can get involved too. We've also got answers to all your emails and the latest news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines More BSD presentation videos (https://www.meetbsd.com/) The MeetBSD video uploading spree continues with a few more talks, maybe this'll be the last batch Corey Vixie, Web Apps in Embedded BSD (https://www.youtube.com/watch?v=Pbks12Mqpp8) Allan Jude, UCL config (https://www.youtube.com/watch?v=TjP86iWsEzQ) Kip Macy, iflib (https://www.youtube.com/watch?v=P4FRPKj7F80) While we're on the topic of conferences, AsiaBSDCon's CFP was extended (https://twitter.com/asiabsdcon/status/538352055245492226) by one week This year's ruBSD (https://events.yandex.ru/events/yagosti/rubsd14/) will be on December 13th in Moscow Also, the BSDCan call for papers (http://lists.bsdcan.org/pipermail/bsdcan-announce/2014-December/000135.html) is out, and the event will be in June next year Lastly, according to Rick Miller, "A potential vBSDcon 2015 event is being explored though a decision has yet to be made." *** BSD-powered digital library in Africa (http://peercorpsglobal.org/nzegas-digital-library-becomes-a-reality/) You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently) The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it *** pfSense 2.2 status update (https://blog.pfsense.org/?p=1486) With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update 2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc All these things have taken more time than previously expected The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release *** Recommended hardware threads (https://www.reddit.com/r/BSD/comments/2n8wrg/bsd_on_mini_itx/) A few threads on caught our attention this week, all about hardware recommendations for BSD setups In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS Everyone gave some good recommendations for low power, Atom-based systems The second thread (https://www.marc.info/?t=141694918800006&r=1&w=2) started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third (https://www.reddit.com/r/homelab/comments/24m6tj/) and fourth (https://www.reddit.com/r/PFSENSE/comments/2nblgp/) threads confirming this If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read *** Interview - Paul Schenkeveld - freebsd@psconsult.nl (mailto:freebsd@psconsult.nl) Running a BSD conference News Roundup From Linux to FreeBSD - for reals (https://www.reddit.com/r/freebsd/comments/2nqa60/) Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now) After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition In the comments, a lot of new switchers offer some advice and reading material If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way *** Running FreeBSD as a Xen Dom0 (http://wiki.xenproject.org/wiki/FreeBSD_Dom0) Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features) The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet *** HardenedBSD updates and changes (http://hardenedbsd.org/article/shawn-webb/2014-11-18/aout-and-null-mapping-support-removal) a.out is the old executable format for Unix The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968 FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0 A restriction against NULL mapping was introduced in FreeBSD 7 (https://www.freebsd.org/security/advisories/FreeBSD-EN-09:05.null.asc) and enabled by default in FreeBSD 8 However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode' Package building update: more consistent repo, no more i386 packages (http://hardenedbsd.org/article/shawn-webb/2014-11-30/package-building-infrastructure-maintenance) *** Feedback/Questions Boris writes in (http://slexy.org/view/s2kVPKICqj) Alex writes in (http://slexy.org/view/s21Fic4dZC) (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check) Chris writes in (http://slexy.org/view/s2zk1Tvfe9) Robert writes in (http://slexy.org/view/s22alvJ4mu) Jake writes in (http://slexy.org/view/s203YMc2zL) *** Mailing List Gold Real world authpf use (https://www.marc.info/?t=141711266800001&r=1&w=2) The (https://svnweb.freebsd.org/ports/head/UPDATING?r1=373564&r2=373563&pathrev=373564) great (https://lists.freebsd.org/pipermail/freebsd-ports/2014-November/096788.html) perl (https://lists.freebsd.org/pipermail/freebsd-ports/2014-November/096799.html) event (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010146.html) of (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010149.html) 2014 (https://lists.freebsd.org/pipermail/freebsd-perl/2014-November/010167.html) ***

Coming up on the show this week, we've got an interview with Brendan Gregg of Netflix. He's got a lot to say about performance tuning and benchmarks, and even some pretty funny stories about how people have done them incorrectly. As always, this week's news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Even more BSD presentation videos (https://www.meetbsd.com/) More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week Robert Ryan, At the Heart of the Digital Economy (https://www.youtube.com/watch?v=Rc9k1xEepWU) FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives (https://www.youtube.com/watch?v=d1C6DELK7fc) Richard Yao, libzfs_core and ioctl stabilization (https://www.youtube.com/watch?v=PIC0dwLRBZU) OpenZFS, Company lightning talks (https://www.youtube.com/watch?v=LmbI7F7XTTc) OpenZFS, Hackathon Presentation and Awards (https://www.youtube.com/watch?v=gPbVPwScMGk) Pavel Zakharov, Fast File Cloning (https://www.youtube.com/watch?v=_lGOAZFXra8) Rick Reed, Half a billion unsuspecting FreeBSD users (https://www.youtube.com/watch?v=TneLO5TdW_M) Alex Reece & Matt Ahrens, Device Removal (https://www.youtube.com/watch?v=Xs6MsJ9kKKE) Chris Side, Channel Programs (https://www.youtube.com/watch?v=RMTxyqcomPA) David Maxwell, The Unix command pipeline (https://www.youtube.com/watch?v=CZHEZHK4jRc) Be sure to check out the giant list of videos from last week's episode (http://www.bsdnow.tv/episodes/2014_11_19-rump_kernels_revisited) if you haven't seen them already *** NetBSD on a Cobalt Qube 2 (http://www.jarredcapellman.com/2014/3/9/NetBSD-and-a-Cobalt-Qube-2) The Cobalt Qube was a very expensive networking appliance around 2000 In 2014, you can apparently get one of these MIPS-based machines for about forty bucks This blog post details getting NetBSD installed and set up on the rare relic of our networking past If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you Lots of great pictures of the hardware too *** OpenBSD vs. AFL (https://www.marc.info/?l=openbsd-cvs&w=2&r=1&s=afl&q=b) In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree (https://twitter.com/damienmiller/status/534156368391831552) with a fuzzer If you're not familiar, fuzzing (https://en.wikipedia.org/wiki/Fuzz_testing) is a semi-automated way to test programs for crashes and potential security problems The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), in particular, has provided some interesting results across various open source projects recently So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man) and a few other things (https://www.marc.info/?l=openbsd-cvs&m=141646270127039&w=2) AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself *** GNOME 3 hits the FreeBSD ports tree (https://svnweb.freebsd.org/ports?view=revision&revision=372768) While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD Be sure to check the commit message and /usr/ports/UPDATING (http://www.bsdnow.tv/tutorials/ports) if you're upgrading from GNOME 2 You might also want to go back and listen to our interview (http://www.bsdnow.tv/episodes/2014_02_26-port_authority) with Joe Marcus Clark about GNOME's portability *** Interview - Brendan Gregg - bgregg@netflix.com (mailto:bgregg@netflix.com) / @brendangregg (https://twitter.com/brendangregg) Performance tuning, benchmarks, debugging News Roundup DragonFlyBSD 4.0 released (http://www.dragonflybsd.org/release40/) A new major version of DragonFly, 4.0.1, was just recently announced This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes *** Can we talk about FreeBSD vs Linux (https://news.ycombinator.com/item?id=8645443) Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy *** OpenBSD IPSEC tunnel guide (http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/) If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts Though the article itself is a few years old, it mostly still applies to the latest stuff today All the tools used are in the OpenBSD base system, so that's pretty handy too *** DragonFly starts work on IPFW2 (http://www.dragonflybsd.org/docs/ipfw2/) DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3") Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap (http://www.dragonflybsd.org/docs/ipfw2/#index6h1) page with some planned additions The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first Expect that sometime next year, once he's made some progress *** Feedback/Questions Michael writes in (http://slexy.org/view/s2NYgVifXN) Samael writes in (http://slexy.org/view/s21X02saI3) Steven writes in (http://slexy.org/view/s21Dj7zImH) Remy writes in (http://slexy.org/view/s218lXg38C) Michael writes in (http://slexy.org/view/s20SEuKlaH) ***

This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD's IPSEC stack. We'll learn what he's adding, what needed to be fixed and how we'll benefit from the changes. As always, answers to your emails and all of this week's news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSD panel at Phoenix LUG (https://www.youtube.com/watch?v=3AOF7fm-TJ0) The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy It was a good "real world" example of things potential switchers are curious to know about They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea *** Book of PF signed copy auction (http://bsdly.blogspot.com/2014/10/the-book-of-pf-3rd-edition-is-here.html) Peter Hansteen (who we've had on the show (http://www.bsdnow.tv/episodes/2014_04_30-puffy_firewall)) is auctioning off the first signed copy of the new Book of PF All the profits from the sale will go to the OpenBSD Foundation (http://www.openbsd.org/donations.html) The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences) If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause Michael Lucas (http://www.bsdnow.tv/episodes/2013_11_06-year_of_the_bsd_desktop) has challenged Peter (https://www.marc.info/?l=openbsd-misc&m=141429413908567&w=2) to raise more for the foundation than his last book selling - let's see who wins Pause the episode, go bid on it (http://www.ebay.com/itm/321563281902) and then come back! *** FreeBSD Foundation goes to EuroBSDCon (http://freebsdfoundation.blogspot.com/2014/10/freebsd-foundation-goes-to-eurobsdcon.html) Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report They also sponsored four other developers to go The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD" They also have a second report (http://freebsdfoundation.blogspot.com/2014/10/eurobsdcon-trip-report-kamil-czekirda.html) from Kamil Czekirda A total of $2000 was raised at the conference *** OpenBSD 5.6 released (http://www.openbsd.org/56.html) Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6 It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial (http://www.bsdnow.tv/tutorials/fde) for that) ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) and from BIND to Unbound Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions As always, 5.6 comes with its own song and artwork (http://www.openbsd.org/lyrics.html#56) - the theme this time was obviously LibreSSL Be sure to check the full changelog (http://www.openbsd.org/plus56.html) (it's huge) and pick up a CD or tshirt (http://www.openbsd.org/orders.html) to support their efforts If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely Here are some cool images of the set (https://imgur.com/a/5PtFe) After you do your installation or upgrade (http://www.openbsd.org/faq/upgrade56.html), don't forget to head over to the errata page (http://www.openbsd.org/errata56.html) and apply any patches listed there *** Interview - John-Mark Gurney - jmg@freebsd.org (mailto:jmg@freebsd.org) / @encthenet (https://twitter.com/encthenet) Updating FreeBSD's IPSEC stack News Roundup Clang in DragonFly BSD (https://www.dragonflydigest.com/2014/10/22/14942.html) As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64 Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using *** reallocarray(): integer overflow detection for free (http://lteo.net/blog/2014/10/28/reallocarray-in-openbsd-integer-overflow-detection-for-free/) One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()" It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost Theo and a few other developers have already started (https://secure.freshbsd.org/search?project=openbsd&q=reallocarray) a mass audit of the entire source tree, replacing many instances with this new feature OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too *** Switching from Linux blog (http://bothsidesofthence.tumblr.com/) A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome) So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far It'll be an ongoing series, so we may check back in with him again later on *** Owncloud in a FreeNAS jail (https://www.youtube.com/watch?v=z6VQwOl4wE4) One of the most common emails we get is about running Owncloud in FreeNAS Now, finally, someone made a video on how to do just that, and it's even jailed A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend If you're looking for an easy way to back up and sync your files, this might be worth a watch *** Feedback/Questions Ernõ writes in (http://slexy.org/view/s2XEsQdggZ) David writes in (http://slexy.org/view/s21EizH2aR) Kamil writes in (http://slexy.org/view/s24SAJ5im6) Torsten writes in (http://slexy.org/view/s20ABZe0RD) Dominik writes in (http://slexy.org/view/s208jQs9c6) *** Mailing List Gold That's not our IP (https://mail-index.netbsd.org/source-changes/2014/10/17/msg059564.html) Is this thing on? (https://lists.freebsd.org/pipermail/freebsd-acpi/2014-June/008644.html) ***

It's our one year anniversary episode, and we'll be talking with Reyk Floeter about the new OpenBSD webserver - why it was created and where it's going. After that, we'll show you the ins and outs of DragonFly's HAMMER FS. Answers to viewer-submitted questions and the latest headlines, on a very special BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD foundation's new IPSEC project (http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html) The FreeBSD foundation, along with Netgate, is sponsoring some new work on the IPSEC code With bandwidth in the 10-40 gigabit per second range, the IPSEC stack needs to be brought up to modern standards in terms of encryption and performance This new work will add AES-CTR and AES-GCM modes to FreeBSD's implementation, borrowing some code from OpenBSD The updated stack will also support AES-NI for hardware-based encryption speed ups It's expected to be completed by the end of September, and will also be in pfSense 2.2 *** NetBSD at Shimane Open Source Conference 2014 (http://mail-index.netbsd.org/netbsd-advocacy/2014/08/31/msg000667.html) The Japanese NetBSD users group held a NetBSD booth at the Open Source Conference 2014 in Shimane on August 23 One of the developers has gathered a bunch of pictures from the event and wrote a fairly lengthy summary They had NetBSD running on all sorts of devices, from Raspberry Pis to Sun Java Stations Some visitors said that NetBSD had the most chaotic booth at the conference *** pfSense 2.1.5 released (https://blog.pfsense.org/?p=1401) A new version of the pfSense 2.1 branch is out Mostly a security-focused release, including three web UI fixes and the most recent OpenSSL fix (which FreeBSD has still not patched (https://lists.freebsd.org/pipermail/freebsd-security/2014-August/007875.html) in -RELEASE after nearly a month) It also includes many other bug fixes, check the blog post for the full list *** Systems, Science and FreeBSD (http://msrvideo.vo.msecnd.net/rmcvideos/227133/dl/227133.mp4) Our friend George Neville-Neil (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates) gave a presentation at Microsoft Research It's mainly about using FreeBSD as a platform for research, inside and outside of universities The talk describes the OS and its features, ports, developer community, documentation, who uses BSD and much more *** Interview - Reyk Floeter - reyk@openbsd.org (mailto:reyk@openbsd.org) / @reykfloeter (https://twitter.com/reykfloeter) OpenBSD's HTTP daemon Tutorial A crash course on HAMMER FS (http://www.bsdnow.tv/tutorials/hammer) News Roundup OpenBSD's rcctl tool usage (http://brynet.biz.tm/article-rcctl.html) OpenBSD recently got a new tool (http://undeadly.org/cgi?action=article&sid=20140820090351) for managing /etc/rc.conf.local in -current Similar to FreeBSD's "sysrc" tool, it eliminates the need to manually edit rc.conf.local to enable or disable services This blog post - from a BSD Now viewer - shows the typical usage of the new tool to alter the startup services It won't make it to 5.6, but will be in 5.7 (next May) *** pfSense mini-roundup (http://mateh.id.au/2014/08/stream-netflix-chromecast-using-pfsense/) We found five interesting pfSense articles throughout the week and wanted to quickly mention them The first item in our pfSense mini-roundup details how you can stream Netflix to in non-US countries using a "smart" DNS service The second post (http://theosquest.com/2014/08/28/ipv6-with-comcast-and-pfsense/) talks about setting ip IPv6, in particular if Comcast is your ISP The third one (http://news.softpedia.com/news/PfSense-2-1-5-Is-Free-and-Powerful-FreeBSD-based-Firewall-Operating-System-457097.shtml) features pfSense on Softpedia, a more mainstream tech site The fourth post (http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/) describes how to filter HTTPS traffic with Squid and pfSense The last article (http://pfsensesetup.com/vpn-tunneling-with-tinc/) describes setting up a VPN using the "tinc (https://en.wikipedia.org/wiki/Tinc_%28protocol%29)" daemon and pfSense It seems to be lesser known, compared to things like OpenVPN or SSH tunnels, so it's interesting to read about This pfSense HQ website seems to have lots of other cool pfSense items, check it out *** OpenBSD's new buffer cache (http://www.tedunangst.com/flak/post/2Q-buffer-cache-algorithm) OpenBSD has traditionally used the tried-and-true LRU algorithm for buffer cache, but it has a few problems Ted Unangst (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) has just switched to a new algorithm in -current, partially based on 2Q, and details some of his work Initial tests show positive results in terms of cache responsiveness Check the post for all the fine details *** BSDTalk episode 244 (http://bsdtalk.blogspot.com/2014/08/bsdtalk244-lumina-desktop-environment.html) Another new BSDTalk is up and, this time around, Will Backman (http://www.bsdnow.tv/episodes/2014_03_05-bsd_now_vs_bsdtalk) interviews Ken Moore, the developer of the new BSD desktop environment They discuss the history of development, differences between it and other DEs, lots of topics If you're more of a visual person, fear not, because... We'll have Ken on next week, including a full "virtual walkthrough" of Lumina and its applications *** Feedback/Questions Ghislain writes in (http://slexy.org/view/s21G3KL6lv) Raynold writes in (http://slexy.org/view/s21USZdk2D) Van writes in (http://slexy.org/view/s2IWAfkDfX) Sean writes in (http://slexy.org/view/s2OBhezoDV) Stefan writes in (http://slexy.org/view/s22h9RhXUy) ***

We're back from BSDCan! This week on the show we'll be chatting with Brian Callahan and Aaron Bieber about forming a local BSD users group. We'll get to hear their experiences of running one and maybe encourage some of you to start your own! After that, we've got a tutorial on the basics of NetBSD's package manager, pkgsrc. Answers to your emails and the latest headlines, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD 11 goals and discussion (http://blather.michaelwlucas.com/archives/2053) Something that actually happened at BSDCan this year... During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more There's also some notes from the devsummit virtualization session (http://blather.michaelwlucas.com/archives/2060), mostly talking about bhyve Lastly, he also provides some notes about ports and packages (http://blather.michaelwlucas.com/archives/2065) and where they're going *** An SSH honeypot with OpenBSD and Kippo (http://securit.se/2014/05/how-to-install-kippo-ssh-honeypot-on-openbsd-5-5-with-chroot/) Everyone loves messing with script kiddies, right? This blog post introduces Kippo (https://code.google.com/p/kippo/), an SSH honeypot tool, and how to use it in combination with OpenBSD It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely You can use this to get new 0day exploits or find weaknesses in your systems OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications *** NetBSD foundation financial report (https://www.netbsd.org/foundation/reports/financial/2013.html) The NetBSD foundation has posted their 2013 financial report It's a very "no nonsense" page, pretty much only the hard numbers In 2013, they got $26,000 of income in donations The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else Be sure to donate to whichever BSDs you like and use! *** Building a fully-encrypted NAS with OpenBSD (http://www.geektechnique.org/projectlab/796/how-to-build-a-fully-encrypted-nas-on-openbsd.html) Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing This article takes a look at the OpenBSD side and explains how (http://www.geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto.html) to build a NAS with security in mind The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! *** Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org (mailto:admin@lists.nycbug.org) & admin@cobug.org (mailto:admin@cobug.org) Forming a local BSD Users Group Tutorial The basics of pkgsrc (http://www.bsdnow.tv/tutorials/pkgsrc) News Roundup FreeBSD periodic mails vs. monitoring (http://deranfangvomende.wordpress.com/2014/05/11/freebsd-periodic-mails-vs-monitoring/) If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them From bad SSH logins to Zabbix alerts, it all adds up quickly It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers *** Doing cool stuff with OpenBSD routing domains (http://www.skogsrud.net/?p=44) A blog post from our viewer and regular emailer, Kjell-Aleksander! He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project This is where OpenBSD routing domains and pf come in to save the day The blog post goes through the process with all the network details you could ever dream of He even named his networking equipment... after us (http://i.imgur.com/penYQFP.jpg) *** LibreSSL, the good and the bad (http://insanecoding.blogspot.com/2014/04/libressl-good-and-bad.html) We're all probably familiar with OpenBSD's fork of OpenSSL at this point However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk" This article talks about some of the cryptographic development challenges involved with maintaining such a massive project You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility *** PCBSD weekly digest (http://blog.pcbsd.org/2014/05/weekly-feature-digest-28-photos-of-the-new-appcafe-re-design/) Lots going on in PCBSD land this week, AppCafe has been redesigned The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update In the more recent post (http://blog.pcbsd.org/2014/05/weekly-feature-digest-29-pbing/), there's some further explanation of the PBI system and the reason for the transition It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion *** Feedback/Questions Antonio writes in (http://slexy.org/view/s2UbEhgjce) Daniel writes in (http://slexy.org/view/s21XU0y3JP) Sean writes in (http://slexy.org/view/s2QQtuawFl) tsyn writes in (http://slexy.org/view/s20XrT5Q8U) Chris writes in (http://slexy.org/view/s2ayZ1nsdv) ***