Coming up this time on the show, we'll be chatting with Lee Sharp. He's recently revived the m0n0wall codebase, now known as SmallWall, and we'll find out what the future holds for this new addition to the BSD family. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.
Headlines
BSDCan and pkgsrcCon videos
Even more BSDCan 2015 videos are slowly but surely making their way to the internet:
Nigel Williams, Multipath TCP for FreeBSD
Stephen Bourne, Early days of Unix and design of sh
John Criswell, Protecting FreeBSD with Secure Virtual Architecture
Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
Sevan Janiyan, Adventures in building open source software
And finally, the BSDCan 2015 closing
Some videos from this year's pkgsrcCon are also starting to appear online:
Sevan Janiyan, A year of pkgsrc 2014 - 2015
Pierre Pronchery, pkgsrc meets pkg-ng
Jonathan Perkin, pkgsrc at Joyent
Jörg Sonnenberger, pkg_install script framework
Benny Siegert, New Features in BulkTracker
This is the first time we've ever seen recordings from the conference - hopefully they continue this trend
***
OPNsense 15.7 released
The OPNsense team has released version 15.7, almost exactly six months after their initial debut
In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
Shortly afterwards, 15.7.1 was released with a few more small fixes
***
NetBSD at Open Source Conference 2015 Okinawa
If you liked last week's episode then you'll probably know what to expect with this one
The NetBSD users group of Japan hit another open source conference, this time in Okinawa
This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con?
***
OpenBSD BGP and VRFs
"VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts
***
Interview - Lee Sharp - [email protected]
SmallWall, a continuation of m0n0wall
News Roundup
Solaris adopts more BSD goodies
We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
Look forward to the upcoming "Solaris Now" podcast (not really)
***
EuroBSDCon 2015 talks and tutorials
This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
Registration for the event will be opening very soon (likely this week or next)
***
Using ZFS replication to improve offsite backups
If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
This article covers doing just that, but with a focus on making use of the replication capability
It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important
***
Block encryption in OpenBSD
We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
The encrypted container method offers the advantage of being a bit more portable across installations than other ways
***
Docker hits FreeBSD ports
The inevitable has happened, and an early FreeBSD port of docker is finally here
Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
There was also some Hacker News discussion on the topic
***
Microsoft donates to OpenSSH
We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this
***
Feedback/Questions
Joe writes in
Mike writes in
Randy writes in
Tony writes in
Kevin writes in
***