This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Be your own VPN provider with OpenBSD
- We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
- It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
- The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
- With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
- It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN
***
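For a feel of what "configuring the firewall properly" involves on such a box, here is an added pf.conf for the gateway half of the setup. It is an illustration written for these notes, not a fragment of the linked guide, and it assumes OpenVPN listening on udp/1194, a tun0 tunnel interface handing clients addresses from 10.8.0.0/24, and unbound(8) bound to the tun0 address so the clients' DNS lookups never leave the tunnel. The box also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf.

```pf
# Added example for a do-it-yourself VPN gateway on OpenBSD (not from the
# linked guide). Assumed: OpenVPN on udp/1194, clients on tun0 in
# 10.8.0.0/24, unbound(8) listening on the tun0 address.
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

set skip on lo
set block-policy drop

# Default deny in both directions; everything below is an explicit exception.
block log all

# VPN clients leave through the server's public address ("egress" is the
# interface group OpenBSD puts the default-route interface in).
match out on egress inet from $vpn_net to any nat-to (egress)

# What the outside world may reach on the server: SSH and OpenVPN, nothing else.
pass in on egress inet proto tcp from any to (egress) port 22
pass in on egress inet proto udp from any to (egress) port 1194

# The server itself may originate anything.
pass out on egress inet

# Tunnel side: clients may talk to the local resolver and to the Internet.
# The state created here is floating, so the same packet is allowed out on
# egress after the nat-to rule above has rewritten its source address.
pass in on $vpn_if inet from $vpn_net to any
```

Push the tun0 address as the DNS server from the OpenVPN side; with the rule set above a client can only resolve names through the tunnel, which is the point of running your own resolver on the gateway.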
FreeBSD vs Gentoo comparison
- People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because Gentoo's portage is so similar in spirit to FreeBSD's ports for installing software
- This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
- The author mentions that the installers are very different, that ports and portage have many subtle differences, and a few other things
- If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more
***
Kernel WX in OpenBSD
- W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
- It's an exploit mitigation technique: no page in a process's address space may be writable and executable at the same time
- It doesn't stop a buffer overflow from happening, but it takes away the easy payoff: code injected into a writable buffer can't be run, so the attempt ends in a crash instead of code execution (quite obviously the lesser of the two evils)
- Through some recent work, OpenBSD's kernel now has no part of its own address space exempt from this policy - whereas it was only enforced for userland previously
- Getting this wrong in the kernel has far worse consequences than in a process, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
- More technical details can be found in some recent CVS commits
***
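To see what the userland side of W^X means for a program that legitimately needs executable memory (a JIT, say), here is an added C example; it is not taken from the OpenBSD commits and has nothing to do with the kernel work itself. A program that asks for one mapping that is writable and executable at once is refused by a W^X-enforcing kernel (current OpenBSD returns ENOTSUP for such an mmap or mprotect unless the binary is specially marked, and kills the process instead if kern.wxabort is set; most other kernels simply allow it). The W^X-friendly pattern is to map the page read-write, write the code, then flip it to read-execute, so it is never both. The machine code is x86-64 `mov eax, 42; ret`; on other architectures the demo skips execution and returns -1.

```c
/* Added example (not OpenBSD code): requesting an RWX page versus the
 * W^X-friendly write-then-execute sequence. */
#define _DEFAULT_SOURCE          /* MAP_ANON, sysconf on glibc; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* x86-64: mov eax, 42 ; ret */
static const unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* Request a single page that is writable AND executable.
 * Returns 0 if the kernel allowed it, otherwise the errno it failed with.
 * A W^X-enforcing kernel refuses this; that refusal is the whole feature. */
int try_rwx_mapping(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, pagesz);
    return 0;
}

/* The W^X-compatible way: map RW, copy the code in, drop W and add X, run.
 * At no point is the page both writable and executable.
 * Returns what the generated code returns (42), or -1 if anything failed
 * or we are not on x86-64. */
int run_code_wx_safe(void)
{
#if defined(__x86_64__)
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, sizeof code);
    if (mprotect(p, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, pagesz);
        return -1;
    }
    int (*fn)(void) = (int (*)(void))(void *)p;
    int r = fn();
    munmap(p, pagesz);
    return r;
#else
    return -1;
#endif
}

int main(void)
{
    int e = try_rwx_mapping();
    printf("RWX mapping: %s\n",
           e ? strerror(e) : "allowed (this kernel does not enforce W^X)");
    printf("RW then RX: generated code returned %d\n", run_code_wx_safe());
    return 0;
}
```

Run it on OpenBSD and on a Linux box side by side: the second line is 42 on both, the first differs. That difference is the policy the kernel work extends to the kernel's own mappings.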
Building an IPFW-based router
- We've covered building routers with PF many times before, but what about IPFW?
- A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
- In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
- He covers in-kernel NAT and natd, installing a DHCP server from packages and even touches on NAT reflection a bit
- If you're an IPFW fan and are thinking about putting together a new router, give this post a read
***
Interview - Jos Schellevis - @opnsense
News Roundup
On profiling HTTP
- Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
- Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
- According to him, it's "not very pretty"
- He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
- You can check out his new code on GitHub right now
***
Using divert(4) to reduce attacks
- We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
- It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
- PF has good built-in rate limiting for abusive IPs that hit rapidly (max-src-conn-rate with an overload table), but an attacker who spreads attempts out slowly over a long period never trips it
- The Composite Blocking List is a public DNS blocklist of IPs observed sending spam or running malware; its data also feeds Spamhaus's XBL, and it's queried by reversing the address's octets and looking it up under the list's zone
- Consider setting this up to reduce the attack spam in your logs if you run public services
***
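To make the fast-versus-slow distinction concrete, here is an added pf.conf fragment, written for these notes rather than lifted from the post: PF's own rate limiting handles the noisy attackers, and a persistent table handles the patient ones that only a blocklist lookup will flag. The table name, the file path, the ports and the thresholds are assumptions; the divert-based daemon from the post (or any script) would populate the table with `pfctl -t dnsbl -T add`.

```pf
# Added illustration, not from the divert(4) post. Assumed names and numbers.

# Addresses that tripped the rate limit below.
table <bruteforce> persist
# Addresses a blocklist lookup flagged; persisted across reboots in a file
# and added at runtime with:  pfctl -t dnsbl -T add 192.0.2.10
table <dnsbl> persist file "/etc/pf.dnsbl"

# Both kinds of offender are dropped before any pass rule is consulted.
block in quick on egress from { <bruteforce>, <dnsbl> }

# Fast attackers: a source opening more than 10 new connections within 30 s
# is added to <bruteforce> and its existing states are torn down. A slow
# attacker at one attempt a minute never reaches this threshold, which is
# the gap the <dnsbl> table is there to close.
pass in on egress inet proto tcp from any to (egress) port { 22 25 } \
    keep state (max-src-conn-rate 10/30, overload <bruteforce> flush global)
```

Add `pfctl -t bruteforce -T expire 86400` to a daily cron job so the overload table does not grow forever; the blocklist-fed table should be refreshed by whatever feeds it, since listings change.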
ChaCha20 patchset for GELI
- A user has posted a patch to the freebsd-hackers list that adds ChaCha20 support to GELI, FreeBSD's disk encryption system
- There are also some benchmarks that look pretty good in terms of performance
- Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
- There's some discussion going on about whether a stream cipher is suitable for disk encryption at all: a stream cipher needs a fresh nonce for every encryption, but a sector is rewritten in place with no room to store one, so deriving the nonce from the sector number alone means every rewrite reuses the keystream and leaks the XOR of the old and new contents - precisely what tweakable modes like XTS exist to avoid. So this might not be a match made in heaven just yet
***
PCBSD update system enhancements
- The PC-BSD update utility has gotten an update itself, now supporting automatic upgrades
- You can choose what parts of your system you want to let it automatically handle (packages, security updates)
- The update system uses ZFS and Boot Environments for safe updating, so a bad update can be rolled back, and bypasses some dubious pkgng functionality
- There's also a new graphical frontend available for it
***
Feedback/Questions
- Mat writes in
- Chris writes in
- Andy writes in
- Beau writes in
- Kutay writes in
***
Mailing List Gold
- Wait, a real one?
- What's that glowing...
***