Podcasts about iptables

  • 16 podcasts
  • 26 episodes
  • 50m average duration
  • Infrequent episodes
  • Latest: Apr 24, 2025

POPULARITY (chart of episode counts per year, 2017 to 2024; not reproduced here)


Latest podcast episodes about iptables

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco
Apr 24, 2025 (5:44)

Honeypot Iptables Maintenance and DShield-SIEM Logging
In this diary, Jesse is talking about some of the tasks to maintain a honeypot, like keeping Filebeat up to date and adjusting configurations in case your dynamic IP address changes.
https://isc.sans.edu/diary/Honeypot%20Iptables%20Maintenance%20and%20DShield-SIEM%20Logging/31876

XRPL.js Compromised
An unknown actor was able to push malicious updates of the XRPL.js library to NPM. The library is officially recommended for writing Ripple (RPL) cryptocurrency code. The malicious library exfiltrated secret keys to the attacker.
https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx

Cisco Equipment Affected by Erlang/OTP SSH Vulnerability
Cisco published an advisory explaining which of its products are affected by the critical Erlang/OTP SSH library vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
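The "dynamic IP address changes" task mentioned in the honeypot diary is a classic way to lock yourself out of a remote box: if the stale allow-rule is deleted before the new one exists, the next SSH packet hits the default DROP. The script below is an added example, not the SANS diary's own tooling. It assumes an admin SSH port of 12222, a rule in the INPUT chain, and a ruleset read with `iptables -S INPUT`; the sample ruleset is constructed for the example. It plans the update so the new ACCEPT is inserted before any stale rule is removed, and returns nothing when the rule already matches, so it is safe to run from cron.

```python
"""Added example (not from the SANS diary): fail-safe rotation of a honeypot's
iptables management allow-rule when the admin's dynamic IP changes.

Assumptions (not taken from the page): management SSH listens on 12222, the
allow-rule lives in INPUT, and the live ruleset comes from `iptables -S INPUT`.
SAMPLE_RULESET is constructed for this example.
"""
import re
from typing import List

MGMT_PORT = 12222  # assumed admin port; the honeypot's own SSH listener is on 22

# Constructed sample of `iptables -S INPUT` output, as a honeypot might have it.
SAMPLE_RULESET = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 12222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the admin allow-rule exactly as `iptables -S` prints it, capturing the source.
ADMIN_RULE_RE = re.compile(
    rf"^-A INPUT -s (?P<src>{IPV4_RE})/32 -p tcp -m tcp --dport {MGMT_PORT} -j ACCEPT$"
)


def admin_sources(ruleset: str) -> List[str]:
    """Every source address currently allowed to reach the management port."""
    return [m.group("src") for line in ruleset.splitlines()
            if (m := ADMIN_RULE_RE.match(line.strip()))]


def plan_update(ruleset: str, new_ip: str) -> List[str]:
    """Return the iptables commands that move the admin allow-rule to new_ip.

    Ordering is the safety property: the new ACCEPT is inserted at the top of
    INPUT *before* any stale rule is deleted, so there is never a window with
    no allow-rule at all. An empty list means nothing needs to change.
    """
    if not re.fullmatch(IPV4_RE, new_ip):
        raise ValueError(f"not an IPv4 address: {new_ip!r}")
    current = admin_sources(ruleset)
    stale = [ip for ip in current if ip != new_ip]
    cmds: List[str] = []
    if new_ip not in current:
        cmds.append(f"iptables -I INPUT 1 -s {new_ip}/32 -p tcp -m tcp "
                    f"--dport {MGMT_PORT} -j ACCEPT")
    for ip in stale:  # delete only after the replacement is in place
        cmds.append(f"iptables -D INPUT -s {ip}/32 -p tcp -m tcp "
                    f"--dport {MGMT_PORT} -j ACCEPT")
    return cmds


if __name__ == "__main__":
    # On a real host, replace SAMPLE_RULESET with the stdout of
    #   subprocess.run(["iptables", "-S", "INPUT"], capture_output=True, text=True)
    # and the literal below with the address your dynamic DNS name resolves to.
    for cmd in plan_update(SAMPLE_RULESET, "198.51.100.7"):
        print(cmd)
```

Run the printed commands through `sh -e` from the same cron job so a failed insert aborts before the delete; `iptables-save` afterwards if the honeypot does not restore rules at boot.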

LINUX Unplugged
576: The Secret Server
Aug 19, 2024 (80:28)

We reveal how we turned our humble LAN into a public server farm, all while keeping our IP address under wraps and our ISP blissfully unaware.

Sponsored By:
Core Contributor Membership: Take $1 a month off your membership for a lifetime!
Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged

Self-Hosted
120: Can a VPS Replace a Homelab?
Apr 5, 2024 (45:33)

Alex goes head-to-head with budget VPS providers, which gets us into a classic debate. Plus we sit down with Adam Morales from Unraid to get the inside scoop on recent changes and exciting upcoming features.

Kubernetes Podcast from Google
Kubernetes v1.29, with Priyanka Saggu
Dec 13, 2023 (74:17)

In this episode we interviewed Priyanka Saggu, Kubernetes v1.29 release lead and SIG ContribEx Tech Lead. We spoke about the release, the new features and enhancements, and more.

Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com; mail: kubernetespodcast@google.com; twitter: @kubernetespod

News of the week
- Kyverno completes third-party security audit
- Google Deepmind Introduction to Gemini
- Google launches Gemini - The Verge
- Linux Foundation Newsletter: November 2023
- High Performance Software Foundation (HPSF) Founding Announcement
- App Defense Alliance joins Joint Development Foundation under the Linux Foundation
- Open Source Summit North America 2023 CFP (closes January 14, 2024)

Links from the interview
- Kubernetes v1.29 release information page on k8s.dev
- Removals, Deprecations, and Major Changes in Kubernetes 1.29
- Release Blog - Kubernetes v1.29: Mandala
Breaking changes
- KEP 2395: Removing In-Tree Cloud Providers (SIG Cloud Provider, Beta)
- Kubernetes v1.28 on the Kubernetes Podcast from Google - discussion of removal of in-tree storage plug-ins
Major Changes
- KEP 1287: In-Place Update of Pod Resources (SIG Node, Alpha)
- Support in-place Pod vertical scaling in VPA
- KEP 753: Sidecar Containers (SIG Node, Beta)
Stable
- KEP 3299: KMS v2 Improvements OR KMSv2 (SIG Auth)
- SIG Etcd on the Kubernetes Podcast from Google
- KEP 2485: ReadWriteOncePod PersistentVolume Access Mode (SIG Storage, SIG Scheduling)
- KEP 727: Kubelet Resource Metrics Endpoint (SIG Instrumentation): “The Kubelet Summary API is a source of both Resource and Monitoring Metrics. Because of its dual purpose, it does a poor job of both.”
Beta
- KEP 2799: Reduction of Secret-based Service Account Tokens (SIG Auth)
Alpha
- KEP 3866: nftables kube-proxy backend (SIG Network)
- [KCSNA 2023] Iptables the end of an era - Dan Winship, Antonio Ojea

Links from the post-interview chat
- Kaslin's blog about “Out of Tree” Kubernetes

Linux Action News
Linux Action News 276
Jan 19, 2023 (16:44)

Linux Action News
Linux Action News 258
Sep 15, 2022 (23:32)

LINUX Unplugged
422: The Fun Distro
Sep 8, 2021 (64:04)

We try out what might be the most fun Linux distribution around. It started as a laugh, but now we're in love. Plus, the reunion road trip hits a bump, some community news, feedback, picks, and more. Special Guest: Brent Gervais.

LINUX Unplugged
398: Back in the Freedom Dimension
Mar 24, 2021 (60:44)

We share our favorite networking trick of all time, and then chat with the blokes behind a new WireGuard-powered service. Plus our reaction to RMS's return to the FSF, some big project updates, picks, and more! Special Guests: Dalton Durst and Daniel Fore.

Getup Kubicast
#52 - Kubernetes On-premise
Dec 4, 2020 (90:29)

Kubernetes the hard way! Kubicast had the pleasure of interviewing Marcelo Andrade, a Linux and systems administration genius and hero of the Ops resistance against Dev oppression, to talk about the challenges of running Kubernetes on-premise. Marcelo took us into a universe with no API for requesting machines and no portal for setting up auto-scaling. Everything there is programmed by hand, by people like us.

Links discussed in the podcast:
- João Morais, master of HAProxy Ingress: https://github.com/jcmoraisjr/haproxy-ingress
- Flatcar Linux: https://www.flatcar-linux.org/
- Matchbox (CoreOS): https://github.com/poseidon/matchbox/tree/v0.7.0
- Iptables vs IPVS: https://www.projectcalico.org/comparing-kube-proxy-modes-iptables-or-ipvs/
- HashiCorp new products with Linuxtips: https://www.youtube.com/linuxtips and Learn HashiCorp: https://learn.hashicorp.com/

To send comments, criticism and suggestions, write to @GetupCloud on Twitter. Until the next episode!

L8ist Sh9y Podcast
Network Security NFTables Vs IPTables : Distance DevOps #15
Oct 28, 2020 (63:30)

Carl Perry provides an in-depth look at the history of Linux networking configuration leading up to iptables and nftables. BONUS: space geeking at the end.

Paul's Security Weekly TV
Fast And Secure Web - Alexander Krizhanovsky - PSW #669
Oct 10, 2020 (47:25)

Tempesta FW is an open source hybrid of an HTTPS accelerator and a firewall aiming to accelerate web resources and protect them against DDoS and web attacks. The project is built into the Linux TCP/IP stack to provide performance comparable with the kernel bypass approaches (e.g. using DPDK), but still be well-integrated with the native Linux networking tools. We'll talk about Tempesta FW integration with iptables/nftables to filter network traffic on all the layers and other tools to protect against layer 7 DDoS and web attacks.

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/psw669

Paul's Security Weekly (Video-Only)
Fast And Secure Web - Alexander Krizhanovsky - PSW #669
Oct 9, 2020 (47:25)

Tempesta FW is an open source hybrid of an HTTPS accelerator and a firewall aiming to accelerate web resources and protect them against DDoS and web attacks. The project is built into the Linux TCP/IP stack to provide performance comparable with the kernel bypass approaches (e.g. using DPDK), but still be well-integrated with the native Linux networking tools. We'll talk about Tempesta FW integration with iptables/nftables to filter network traffic on all the layers and other tools to protect against layer 7 DDoS and web attacks.

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/psw669

LINUX Unplugged
369: Double Data Rate Trouble
Sep 2, 2020 (46:58)

The Raspberry Pi might be getting a small software fix that makes a big performance improvement. Plus, we attempt to combine two internet connections with Linux live from the woods!

Chapters:
0:00 Pre-Show
1:07 Intro
1:55 SPONSOR: A Cloud Guru
2:35 Lenovo Linux Laptops
11:21 Raspberry Pi Storage Speedup
13:31 SPONSOR: Linode
17:45 Linux Unplugged Core Contributors
18:58 Fedora 33 Bug-a-Thon
20:55 Using Two Internet Connections in Linux
25:11 Policy Routing
28:32 Net-ISP-Balance
31:46 Diving into Policy Routing
33:42 Speedify
39:35 Feedback
40:32 Pick: tunshell
43:16 Outro
45:46 Post-Show

Special Guests: Alan Pope, Brent Gervais, Drew DeVore, and Neal Gompa.

LINUX Unplugged
351: Lenovo Loves Linux
Apr 28, 2020 (62:23)

Fedora Project Leader Matthew Miller joins us to discuss Lenovo shipping ThinkPads loaded with Fedora, and our review of the new 32 release. Plus Ubuntu's Director of Desktop Martin Wimpress covers the details everyone missed in 20.04. Special Guests: Martin Wimpress, Matthew Miller, and Neal Gompa.

Getup Kubicast
#33 - Kubecon Dia 2
Nov 21, 2019 (34:33)

We have reached the third day of KubeCon, and you listening can already see that the CNCF is doing a great job sharing the content recorded here: YouTube

Our highlights of the day:

Windows containers: not there yet. No pod eviction. Updates / node patching: far from good. OS upgrade, licence type. The image must match the OS version.

Observability, Prometheus: doing things Prometheus can't do with Prometheus. A tool is only as good as your mastery of it, and mastery takes time and dedication. Alertmanager Slack Playground.

Quay open sourced.

Cilium: goodbye to iptables and Netfilter, hello to the cloud native networks of the future. Link to slides.

Pinterest CI/CD: a roadmap to reaching a minimally viable destination, with a long road still ahead! Link to slides.

Metal cube: Kubernetes native metal host management. Link to slides.

That's it for today, until next time, and don't forget to share! #kubicast
Listen on your favourite player: Spotify, Overcast, iTunes or RadioPublic.

The InfoQ Podcast
Thomas Graf on Cilium, the 1.6 Release, eBPF Security, & the Road Ahead
Sep 2, 2019 (27:05)

Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. It is a CNI plugin that offers layer 7 features typically seen with a service mesh. On this week's podcast, Thomas Graf (one of the maintainers of Cilium and co-founder of Isovalent) discusses the recent 1.6 release, some of the security questions/concerns around eBPF, and the future roadmap for the project.

Why listen to this podcast:
- Cilium brings eBPF to the Cloud Native World. It works across both layer 4 and layer 7. While it started as a pure eBPF plugin, they discovered that just caring about ports was not enough from a security perspective.
- Cilium went 1.0 about a year and a half ago. 1.6 is the most feature-packed release of Cilium yet. Today, it has around 100 contributors.
- While Cilium can make it much easier to manage IPTables, Cilium overlaps with a service mesh in that it can do things like understand application protocols, HTTP routes, or even restrict access to specific tables in data stores.
- Cilium provides both in-kernel and sidecar deployments. For sidecar deployments, it can work with Envoy to switch between kernel space and userspace code. The focus is on flexibility, performance, and low overhead.
- BPF (Berkeley Packet Filter) was initially designed to do filtering on data links. eBPF has the same roots but it's now used for system call filtering, tracing, sandboxing, etc. It's grown to be a general-purpose programming language to extend the Linux kernel.
- Cilium has a multi-cluster feature built in. The 1.6 release can run in a kube-proxy free configuration. It allows fine-grained network policies to run across multiple clusters without the use of IPTables.
- Cilium offers on-the-wire encryption using in-kernel encryption technology that enables mTLS across all traffic in your service fleet. The encryption is completely transparent to the application.
- eBPF has been used in all production environments at Facebook since May 2017. It's been used at places like Netflix, Google, and Reddit. There are a lot of companies who have an interest in eBPF being secure and production-ready, so there's a lot of attention focused on fixing and resolving any security issues that arise.
- 1.6 also released KVstore-free operation, socket-based load balancing, CNI chaining, Native AWS ENI mode, enhancements to transparent encryption, and more.
- The plans for 1.17 are to keep raising up the stack into the socket level (to offer things like load balancing and transparent encryption at scale) and likely offering deeper security features such as process-aware security policies for internal pod traffic.

More on this: quick scan our curated show notes on InfoQ https://bit.ly/2HCGnLa
You can also subscribe to the InfoQ newsletter to receive weekly updates on the hottest topics from professional software development. bit.ly/24x3IVq
Subscribe: www.youtube.com/infoq
Like InfoQ on Facebook: bit.ly/2jmlyG8
Follow on Twitter: twitter.com/InfoQ
Follow on LinkedIn: www.linkedin.com/company/infoq
Check the landing page on InfoQ: https://bit.ly/2HCGnLa

LINUX Unplugged
289: The Meat Factor
Feb 19, 2019 (75:28)

Will there ever be another "big" Linux distro, or has that time passed? Plus two popular Linux desktop apps see a big upgrade, and Wes explains to Chris why he should care a lot more about cgroups. Special Guests: Brent Gervais and Neal Gompa.

TechSNAP
397: Quality Tools
Feb 14, 2019 (40:39)

Join Jim and Wes as they battle bufferbloat, latency spikes, and network hogs with some of their favorite tools for traffic shaping, firewalling, and QoS. Plus the importance of sane defaults and why netdata belongs on every system.

Software Engineering Radio - The Podcast for Professional Software Developers
SE-Radio 341: Michael Hausenblas on Container Networking
Oct 10, 2018 (70:30)

Michael Hausenblas talks with host Kim Carter about topics covered in Michael’s ebook Container Networking, such as single vs. multi-host container networking, orchestration, Kubernetes, service discovery, and many more. Michael and Kim also discuss the roles that IPTables plays, how the allocation of IP addresses is handled, along with the assignment of ports. Overlay networks are covered along with topics such as the open Container Network Interface (CNI).

Software Engineering Radio - The Podcast for Professional Software Developers
SE Radio Episode 341: Michael Hausenblas on Container Networking
Oct 9, 2018 (70:30)

Michael Hausenblas talks with host Kim Carter about topics covered in Michael’s ebook Container Networking, such as single vs. multi-host container networking, orchestration, Kubernetes, service discovery, and many more. Michael and Kim also discuss the roles that IPTables plays, how the allocation of IP addresses is handled, along with the assignment of ports. Overlay networks […]

Fate Masters
Fate Masters Episódio 24 - Pesquisa para Aventuras de RPG
Dec 5, 2016 (73:36)

And we have another Fate Masters. A little less Fate and a bit more Master in this episode. Today we talk about research and preparation for an adventure: what to take into account, how to research, the importance of realism and correct information in maintaining suspension of disbelief and the mood of the setting, how to weigh sources, asking for help, and how to use all of this at your table in the end, when it is time to get things moving. We give tips on what to look for, where to look for it, how to write your adventures and how to use everything at your disposal, including online tools for looking things up and aggregating information.

We apologise for the audio problems. We had some recording and editing trouble.

A tip not mentioned on the show: Despreparado, Nunca! by Pensamento Coletivo.

Finally, an erratum: when Mr. Mickey says the New York Giants used to be called the New York Highlanders, it was actually the New York Yankees.

Remember: any questions, criticism, suggestions and opinions can be sent to the Fate Masters Google+ community, the Fate Facebook community (with the hashtag #fatemasters), and by email to fatemasterspodcast@gmail.com. We also now have our Space on Google Spaces for you, the listener, to comment, exchange ideas, suggest topics and more.

Link to the episode in MP3

Participants: Fábio Emilio Costa, Rafael Sant'Anna Meyer, Luiz Cavalheiro

Duration: 73 min

Episode timeline:
00:00:11 - Opening
00:01:29 - "Mechanics or Rules? Which is more important?"
00:10:56 - Where and how to start looking for information? Use the references given in your setting and look for appropriate forums (with the appropriate etiquette)
00:24:48 - Prepare, research and pass on what you already know... even if it is only what you got from Google
00:27:40 - Someone you follow for random reasons may be the key to getting information!
00:34:22 - "Images, images..." It is always good to have images
00:36:50 - How to use the information gathered earlier to build your adventures
00:42:49 - Avoid idiotic generalisations! Stories are told from a point of view and carry bias!
00:48:01 - Tips for storing this content
00:50:30 - Putting it all together to run your adventure! Swapping images and managing information with technology... and how that does not work in Horror
00:57:39 - The advantages of having everything prepared in advance and loaded on your phone (or in a folder)
00:59:34 - Do not ABUSE space or OVER-PREPARE!
01:03:33 - Narrative and Game matter equally...
01:05:35 - Final thoughts... and none of this is carved in stone!

Related links: Coleção Vagalume, New York Yankees, Os Karas, Classeur, StackEdit, Mindomo, Arxiv, NoteHub, Tom Swift, Goonies, Cuban Missile Crisis, EpubBooks, Project Gutenberg, Neuromancer, Mona Lisa Overdrive, Pattern Recognition, Ghost in the Shell, Akira, Blade Runner, Mass Effect, The Difference Engine (Gibson), Heinlein, Event Horizon (Enigma do Horizonte), Sur La Lune Fairy Tales, Anne Rice, Snow Drop, How to edit text in Markdown, IPTables, House Un-American Activities Committee, McCarthyism, Rage across the Amazon, Dom Casmurro, Turtl, Evernote, Google Keep, Google Spaces, Dropbox, Caravanserai, FateSRD, About Outline, Netiquette, How To Ask Questions The Smart Way, Link to the Fate Masters Google+ community, Comment on this post on the Fate Masters site!, Subscribe on iTunes

Podcast soundtrack: Ambient Pills by Zeropage; Ambient Pills Update by Zeropage

BSD Now
160: EuroBSD-Dreamin
Sep 21, 2016 (49:23)

This week on BSDNow, Allan is currently at EuroBSDCon! However due to the magic of video (or time travel), you still get a new episode. (You're Welcome!). Stay tuned. This episode was brought to you by

Headlines

Performance Improvements for FreeBSD Kernel Debugging (http://backtrace.io/blog/blog/2016/08/25/improving-freebsd-kernel-debugging/)
“We previously explored FreeBSD userspace coredumps (http://backtrace.io/blog/blog/2015/10/03/whats-a-coredump). Backtrace's debugging platform supports FreeBSD kernel coredumps too, and their traces share many features. They are constructed somewhat differently, and in the process of adding support for them, we found a way to improve performance for automated programs accessing them.”
“A kernel core is typically only generated in exceptional circumstances. Unlike userspace processes, kernel routines cannot fault without sacrificing the machine's availability. This means things like page faults and illegal instructions inside the kernel stop the machine, instead of just one process. At that point, in most cases, it is only usable enough to inspect its state in a debugger, or to generate a core file.”
No one likes it when this happens. This is why backtrace.io is focused on being able to figure out why it is happening.
“A FreeBSD kernel core file can be formatted in several different ways. This depends on which type of dump was performed. Full core dumps are ELF files, similar in structure to userspace core files. However, as RAM size grew, this became more difficult to manage. In 2006, FreeBSD introduced minidumps, which are much smaller without making the core file useless. This has been the default dump type since FreeBSD 6.0.”
The article goes into detail on the minidump format, and some basic debugging techniques.
“Libkvm will first determine whether the virtual address lies within the kernel or direct maps. If it lies in the kernel map, libkvm will consult the page table pages to discover the corresponding physical address. If it lies in the direct map, it can simply mask off the direct map base address. If neither of these applies, the address is illegal. This process is encapsulated by vatopa, or “virtual address to physical address”. Once the physical address is determined, libkvm consults the core file's bitmap to figure out where in the core file it is located.”
“minidumps include a sparse bitmap indicating the pages that are included. These pages are dumped sequentially in the last section. Because they are sparse in a not entirely predictable way, figuring the offset into the dump for a particular physical address cannot be reduced to a trivial formula.”
The article goes into detail about how lookups against this map are slow, and how they were improved.
“For typical manual debugger use, the impact of this change isn't noticeable, which is probably why the hash table implementation has been in use for 10 years. However, for any automated debugging process, the extra latency adds up quickly.”
“On a sample 8GB kernel core file (generated on a 128GB server), crashinfo improves from 44 seconds to 9 seconds, and uses 30% less memory”
“Backtrace began shipping a version of this performance improvement in ptrace in February 2016. This enables us to also offer significantly faster tracing of FreeBSD kernel cores to customers running current and older releases of FreeBSD. On July 17, 2016, our work improving libkvm scaling was committed to FreeBSD/head. It will ship with FreeBSD 12.0.”
***

OpenBSD gunzip pipeline tightening (https://www.mail-archive.com/tech@openbsd.org/msg34035.html)
OpenBSD has rethought the way they handle package signing.
Changing from: 1/ fetch data -> 2/ uncompress it -> 3/ check signature -> 4/ process data
To: 1/ fetch data -> 2/ check signature -> 3/ uncompress -> 4/ process data
“The solution is to move the signature outside of the gzip header”
“Now, Since step 1/ is privsep, as long as step 2 is airtight, 3/ and 4/ are no longer vulnerable”
Guidelines:
- small, self-contained code to parse simple gzip headers
- signify-style signature in the gzip comment. Contains checksums of 64K blocks of the compressed archive
- don't even think about passing the original gzip header through
- use as a pipeline step: does not need to download full archive to use it, and never ever pass any data to the gunzip part before it's been verified.
“Note that afaik we haven't had any hole in our gunzipping process. Well… waiting for an accident to happen is not how we do things. Hopefully, this should prevent future mishaps.”
***

OpenVPN On FreeBSD 10.3 (http://ramsdenj.com/2016/07/25/openvpn-on-freebsd-10_3.html)
“While trying to setup OpenVPN, I noticed there was no up-to-date information with correct instructions. OpenVPN uses EasyRSA to setup keys, it has recently been changed in version 3. As a result of this, the old steps to configure OpenVPN are no longer correct. I went through the process of setting up a VPN using OpenVPN on FreeBSD 10.3.”
I know FreeBSD developer Adrian Chadd complained about this exact problem when he was trying to setup a VPN before attending DEFCON.
The tutorial walks through the basic steps:
- Install the needed software
- Configure EasyRSA
- Create a CA
- Generate keys and DH params
- OpenVPN Server Config
- OpenVPN Client Config
- Starting the daemon
It even finishes off with bonus instructions on Port Forwarding, Firewalls, and Dynamic DNS.
***

lsop (https://github.com/606u/lsop)
LSOP is the tool a bunch of users have been asking for: “a FreeBSD utility to list all processes running with outdated binaries or shared libraries”
How does it work? “lsop iterates over all running processes and looks through memory-mapped files with read + execute access; then it checks if those files are still available or have been modified/deleted.”
How would you use it? After installing a system update (that doesn't require a reboot to update the kernel), or upgrading your packages, you still need to know which daemons need to be restarted to use the patched libraries and binaries. This tool gives you that list.
Thanks to Bogdan Boyadzhiev for writing this much needed tool.
***

News Roundup

OpenBSD 2016 Fundraising Campaign (http://www.openbsdfoundation.org/campaign2016.html)
The OpenBSD fund-raising campaign has given us a status update on the state of 2016. They start by giving us a re-cap of previous years: “2015 was a good year for the foundation financially, with one platinum, one gold, four silver and 3 bronze donors providing half of our total donations. 680 individuals making smaller contributions provided the other half. While the total was down significantly after 2014's blockbuster year, we again exceeded our goal.”
As of Sept 5th, they were at approx $115k out of a total goal of 250k. If you are an OpenBSD user, remember to contribute before the end of the year. Small amounts help, and the money of course goes to great causes such as hackathons and running the OpenBSD infrastructure.

Update firewall Bad Countries (https://github.com/KaiLoi/update-fw-BC)
Network and Systems admins know, sometimes when all else fails you need to break out the HUGE ban-hammer. In this case sometimes entire countries get put on the excrement list until the attacks stop. We have a handy GitHub project today, which will assist you in doing exactly that, enter update-fw-BC (Update firewall by country). This perl script may be your savior when dealing with instances that require major brute force. It specifically works with IPFW, PF and IPTABLES, which will allow it to run across a variety of BSDs or even Linux. It will ingest a list of IPs that you feed it (perhaps from another tool such as sshguard) and determine what block the IP belongs to, and match according to country. Detailed setup instructions for the various firewalls are included, and some instructions for FreeBSD, although using it on OpenBSD or other $BSD should also be easy to adapt.
***

More utilities via moreutils (https://distrowatch.com/weekly.php?issue=20160822#tips)
In most BSDs, the “core” set of utilities and commands are just part of the base system, but on Linux, they are usually provided by the “coreutils” package. However, on Linux and now FreeBSD, there is a “moreutils” package, that provides a number of interesting additional basic utilities, including:
- chronic: Run a task via crontab, and only generate output if the task fails
- combine: binary AND two text files together, only displaying lines that are in both files
- errno: look up the text description of a specific error number
- ifdata: parse out specific information from ifconfig
- ifne: if-not-empty, only run a command if the output of the pipe is not blank
- isutf8: determine if a file or stdin contains utf8
- lckdo: execute a command with a lock held, to prevent a second copy from spawning
- mispipe: return the exit code of the first command in a pipe chain, rather than the last
- parallel: run multiple jobs at once
- pee: tee standard input to multiple pipes
- sponge: write standard input to a file, allows you to overwrite a file in place: sort file | sponge file
- ts: add a timestamp to each line of standard input
- vidir: edit a directory in vi, great for bulk renames
- vipe: insert vi into a pipe, edit the content before it is passed to the next command
- zrun: uncompress the arguments before passing them. Like gzless and friends, but for any command
Just goes to show the power of the original UNIX philosophy, chaining together a bunch of small useful tools to do really powerful things.
***

OpenBSD: SNI support added to libtls, httpd in -current (http://undeadly.org/cgi?action=article&sid=20160823100144)
libtls, LibreSSL's improved API to replace the OpenSSL standard, now has a set of functions to implement SNI (Server Name Indication). Until a few years ago, each different SSL/TLS enabled website required a unique IP address, because typical HTTP Virtual Hosting (differentiating which content to serve based on the Host header in the HTTP request) didn't work because the request was encrypted. Finally the TLS standard was updated to include the hostname of the site the user is requesting in the TLS handshake, so the server can return the corresponding certificate, and multiple TLS enabled websites can be hosted on a single IP address.
The new API includes the ability to provide additional keypairs (via tls_config_add_keypair_file() and tls_config_add_keypair_mem()) and allows the server to determine what servername the client requested via tls_conn_servername(). This is much easier to use, and therefore safer and less error prone, than the OpenSSL API. The libtls API is used in a number of OpenBSD tools, including the httpd.
***

Beastie Bits
- Shawn Webb of HardenedBSD joins the OPNSense Core Team (https://opnsense.org/new-core-team-member/)
- How to install 2.11 BSD on a (simulated) PDP11 (http://vak.ru/doku.php/proj/pdp11/211bsd)
- OpenBSD Puffy needlepoint pixelart (https://nemessica.tintagel.pl/blog/OpenBSD-Puffy/)
- PulseAudio has been removed from dports (DragonFly BSD) (http://lists.dragonflybsd.org/pipermail/users/2016-August/313010.html)
- pfSense 2.4 pre-alpha available for testing, based on FreeBSD 11.0 (https://blog.pfsense.org/?p=2118)
- Call for Testing - Bhyve HDA Sound Emulation (https://lists.freebsd.org/pipermail/freebsd-virtualization/2016-September/004700.html)
***

Feedback/Questions
- Matthew - ZFS Hole Birth (http://pastebin.com/CrZiDAF0)
- Hunter - systemd-mount (http://pastebin.com/GztjY4wz)
- Anonymous - Cool'n'quiet (http://pastebin.com/gG4j4RCi)
- Nathan - Datacenter (http://pastebin.com/9XgPzMM9)
- Chuck - OpenBSD w/DO (http://pastebin.com/FM2xYcxh)
***

BSD Now
35: Puffy Firewall

Apr 30, 2014 79:23

We're back again! On this week's packed show, we've got one of the biggest tutorials we've done in a while. It's an in-depth look at PF, OpenBSD's firewall, with some practical examples and different use cases. We'll also be talking to Peter Hansteen about the new edition of "The Book of PF." Of course, we've got news and answers to your emails too, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

ALTQ removed from PF (http://undeadly.org/cgi?action=article&sid=20140419151959)

Kicking off our big PF episode...
The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current.
There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf.
As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping.
After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem.
This doesn't affect FreeBSD, PCBSD, NetBSD or DragonFlyBSD, since all of their PFs are older and maintained separately.

***

FreeBSD Quarterly Status Report (https://www.freebsd.org/news/status/report-2014-01-2014-03.html)

The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks.
Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver, and UEFI booting support finally being added.
We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team.
LOTS of details and LOTS of topics to cover, give it a read.

***

OpenBSD's OpenSSL rewrite continues with m2k14 (http://undeadly.org/cgi?action=article&sid=20140417184158)

A mini OpenBSD hackathon (http://www.openbsd.org/hackathons.html) begins in Morocco, Africa.
You can follow the changes in the -current CVS log (http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/), but a lot of work (http://undeadly.org/cgi?action=article&sid=20140418063443) is mainly going towards the OpenSSL cleaning.
We've got two trip (http://undeadly.org/cgi?action=article&sid=20140429121423) reports (http://undeadly.org/cgi?action=article&sid=20140425115340) so far; hopefully we'll have some more to show you in a future episode.
You can see some of the more interesting quotes (http://opensslrampage.org/) from the tear-down or see everything (http://freshbsd.org/commit/openbsd/e5136d69ece4682e6167c8f4a8122270236898bf).
Apparently (http://undeadly.org/cgi?action=article&sid=20140423045847) they are going to call the fork "LibreSSL (https://news.ycombinator.com/item?id=7623789)"....
What were the OpenSSL developers thinking (http://freshbsd.org/commit/openbsd/e5136d69ece4682e6167c8f4a8122270236898bf)? The RSA private key was used to seed the entropy!
We also got some mainstream news coverage (http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/) and another post from Ted (http://www.tedunangst.com/flak/post/origins-of-libressl) about the history of the fork.
Definitely consider donating to the OpenBSD Foundation (http://www.openbsdfoundation.org/donations.html); this fork will benefit all the other BSDs too.

***

NetBSD 6.1.4 and 6.0.5 released (https://blog.netbsd.org/tnf/entry/netbsd_6_1_4_and)

New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes.
The main update is - of course - the Heartbleed vulnerability.
Also includes fixes for other security issues and even a kernel panic... on Atari.
Patch your Ataris right now, this is serious business.

***

Interview - Peter Hansteen - peter@bsdly.net (mailto:peter@bsdly.net) / @pitrh (https://twitter.com/pitrh)

The Book of PF: 3rd edition

***

Tutorial

BSD Firewalls: PF (http://www.bsdnow.tv/tutorials/pf)

***

News Roundup

New Xorg now the default in FreeBSD (https://svnweb.freebsd.org/ports?view=revision&revision=351411)

For quite a while now, FreeBSD has had two versions of X11 in ports.
The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf.
They've finally made the switch for 10-STABLE and 9-STABLE.
Check this wiki page (https://wiki.freebsd.org/Graphics) for more info.

***

GSoC-accepted BSD projects (https://www.google-melange.com/gsoc/org2/google/gsoc2014/openbsdfoundation)

The Google Summer of Code team has got the list of accepted project proposals uploaded, so we can see what's planned.
OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting Capsicum, GPT and UEFI support, and modernizing the DHCP daemon.
The FreeBSD list (https://www.google-melange.com/gsoc/org2/google/gsoc2014/freebsd) was also posted.
Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved Unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more.
Good luck to all the students participating; hopefully they become full time BSD users.

***

Complexity of FreeBSD VFS using ZFS as an example (http://www.hybridcluster.com/blog/complexity-freebsd-vfs-using-zfs-example-part-2/)

HybridCluster posted the second part of their VFS and ZFS series.
This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy.
Of course, also watch episode 24 (http://www.bsdnow.tv/episodes/2014_02_12-the_cluster_the_cloud) for our interview with HybridCluster - they do really interesting stuff.

***

PCBSD weekly digest (http://blog.pcbsd.org/2014/04/weekly-feature-digest-26-the-lumina-project-and-preload/)

Preload has been ported over; it's a daemon that prefetches applications.
PCBSD is developing their own desktop environment, Lumina (there's also an FAQ (http://blog.pcbsd.org/2014/04/quick-lumina-desktop-faq/)).
It's still in active development, but you can try it out by installing from ports.
We'll be showing a live demo of it in a few weeks (when development settles down a bit).
Some kid in Australia subjects his poor mother to being on camera (https://www.youtube.com/watch?v=ETxhbf3-z18) while she tries out PCBSD and gives her impressions of it.

***