We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD into the hands of Windows admins who don't even realize it. We also have all this week's news and answers to your emails, on BSD Now - the place to B.. SD.
Headlines
Using OpenBGPD to distribute pf table updates
- For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
- This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
- It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
- If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
- OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version
***
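To make the data flow concrete, here is an added example (not code from the post, from OpenBGPD or from pf) that does in userland what OpenBGPD's `set pftable "<name>"` filter action does inside the daemon: take prefixes learned over BGP, decide which pf table each one belongs in, and write the per-table files that `pfctl -T replace -f` loads. The idea of tagging prefixes with a BGP community so that one feed can carry both "administrative IPs" and "spammer IPs" is an assumption of this example, as are the community values, table names and sample routes.

```python
"""Group BGP-distributed prefixes into pf table files, one file per table.

Added example: mimics the community -> pf table mapping a firewall would
apply to a route feed. Every value below is constructed for illustration.
"""
import ipaddress
import os
from collections import defaultdict

# Assumed convention: the community a prefix carries selects the pf table.
# A mail server would only map 65000:666; a firewall might map both.
COMMUNITY_TO_TABLE = {
    "65000:100": "admin_hosts",
    "65000:666": "spammers",
}

# Constructed sample of (prefix, community) pairs as a route reflector might
# advertise them. Not real routes, not real addresses.
SAMPLE_ROUTES = [
    ("192.0.2.10/32", "65000:100"),
    ("198.51.100.0/24", "65000:666"),
    ("198.51.100.0/24", "65000:666"),   # duplicate: collapsed
    ("2001:db8:bad::/48", "65000:666"),  # IPv6 works the same way
    ("203.0.113.0/24", "65000:999"),     # unknown community: ignored
    ("not-a-prefix", "65000:666"),       # malformed: ignored, not loaded
]


def build_tables(routes, mapping=COMMUNITY_TO_TABLE):
    """Return {table_name: sorted list of prefix strings} for the mapped routes.

    Prefixes are validated with strict=True so a host address with a wrong
    mask (e.g. 192.0.2.10/24) is rejected rather than silently widened.
    """
    tables = defaultdict(set)
    for prefix, community in routes:
        table = mapping.get(community)
        if table is None:
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue
        tables[table].add(net)
    # Sort as strings: mixed v4/v6 network objects are not mutually orderable.
    return {name: sorted(str(n) for n in nets) for name, nets in tables.items()}


def render_table_file(prefixes):
    """The file format pfctl -t <name> -T replace -f <file> reads: one entry per line."""
    return "".join(f"{p}\n" for p in prefixes)


def write_table_files(routes, directory, mapping=COMMUNITY_TO_TABLE):
    """Write one file per table under `directory`; returns the list of paths written."""
    os.makedirs(directory, exist_ok=True)
    written = []
    for name, prefixes in build_tables(routes, mapping).items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(render_table_file(prefixes))
        written.append(path)
    return written


if __name__ == "__main__":
    for name, prefixes in build_tables(SAMPLE_ROUTES).items():
        print(f"table <{name}>:")
        print(render_table_file(prefixes), end="")
```

On the firewall side this assumes `table <spammers> persist` and `table <admin_hosts> persist` declared in pf.conf, after which each written file is loaded with `pfctl -t spammers -T replace -f /path/to/spammers`; with OpenBGPD doing the work natively, the `set pftable` action on a filter rule replaces the file step entirely.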
Mounting removable media with autofs
- The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
- It's written by one of the autofs developers, and he details his work on creating and using the utility
- "The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
- He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
- It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
- There's also some more advanced bonus material on GEOM classes and all the more technical details
***
The Tor Browser on BSD
- The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
- Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
- It has, however, only been released for Windows, OS X and Linux - no BSD version
- "[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
- Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
- If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)
***
OpenSSH 6.8 released
- Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
- Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
- This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
- Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
- You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
- The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
- Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers
***
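The fingerprint change is easy to see by computing both formats yourself. The following is an added example, not code from OpenSSH or from the show notes: it decodes the base64 key blob from a public key line and derives the old colon-separated hex MD5 fingerprint and the new `SHA256:` base64 fingerprint (digest base64-encoded with the trailing `=` padding removed), which is what `ssh-keygen -l -E md5` and `ssh-keygen -l -E sha256` print. The ed25519 key in the block is constructed from a fixed byte pattern and is not a real key.

```python
"""Compute OpenSSH public key fingerprints in the pre-6.8 (MD5) and 6.8 (SHA256) formats.

Added example. Both fingerprints are hashes of the raw key blob, i.e. the
base64 field of an authorized_keys / known_hosts line, decoded.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed key (NOT a real key): an ssh-ed25519 blob is
# string("ssh-ed25519") || string(32-byte public key).
_FAKE_KEY_BYTES = bytes(range(32))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(_FAKE_KEY_BYTES)).decode()
    + " example@host"
)


def key_type(blob: bytes) -> str:
    """The first wire string inside the blob names the key algorithm."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from '<type> <base64> [comment]' and check the type field matches."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if key_type(blob) != fields[0]:
        # A mismatch means the line was tampered with or mis-pasted.
        raise ValueError(f"type field {fields[0]!r} does not match blob {key_type(blob)!r}")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format: 16 hex bytes separated by colons, as printed by ssh-keygen -E md5."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """6.8 default: base64(SHA-256(blob)) with '=' padding stripped, prefixed 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    blob = key_blob(SAMPLE_PUBKEY_LINE)
    print(key_type(blob))
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
```

Run it against a real `~/.ssh/id_ed25519.pub` line and the two values will match `ssh-keygen -l -E md5 -f` and `ssh-keygen -l -E sha256 -f` on the same file, which is a useful way to convince yourself that a SHA256 fingerprint shown by a 6.8 client refers to the same key an older client reported in MD5 hex.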
NetBSD at AsiaBSDCon
- The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
- It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
- There was a grand total of 34 different NetBSD gadgets on display at the event
***
Interview - Lawrence Teo - [email protected] / @lteo
News Roundup
HardenedBSD introduces Integriforce
- A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
- By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
- HardenedBSD has introduced a similar mechanism into their "secadm" utility
- You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
- They're looking for some more extensive testing of this new feature
***
More s2k15 hackathon reports
- A couple more Australian hackathon reports have poured in since the last time
- The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
- He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
- Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
- Ted Unangst also sent in a report to detail what he hacked on at the event
- With a strong focus on improving SMP scalability, he tackled the virtual memory layer
- His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
- All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities
***
DragonFly 4.0.4 and IPFW3
- DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
- It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
- There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
- Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision)
***
NetBSD gets Raspberry Pi 2 support
- NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
- There are -current snapshots available for download, and multiprocessor support is also on the way
- The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
- The usual Hacker News discussion on the subject
- If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it
***
OpenIKED as a VPN gateway
- In our first discussion segment, we talked about a few different ways to tunnel your traffic
- While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
- This article should help fill that gap - it walks you through the complete IKED setup
- From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all
***
Feedback/Questions
- Gary writes in
- Robert writes in
- Joris writes in
- Mike writes in
- Anders writes in
***
Mailing List Gold
- Can you hear me now
- He must be GNU here
- I've seen some...
***