Episode 97

Big Network, SmallWall

Download Subscribe
00:00:00
/
01:18:20
RSS Feed Download (53.8 MB) Link with Timestamp

July 8th, 2015

1 hr 18 mins 20 secs

Link with Timestamp

Download MP3 (53.8 MB)

Your Hosts
Tags
docker replication zfs containers encryption lite edgerouter pcengines soekris alix apu mini-itx router pfsense opnsense m0n0wall smallwall interview bsd guide howto tutorial pcbsd dragonflybsd netbsd openbsd freebsd

About this Episode

Coming up this time on the show, we'll be chatting with Lee Sharp. He's recently revived the m0n0wall codebase, now known as SmallWall, and we'll find out what the future holds for this new addition to the BSD family. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Headlines

BSDCan and pkgsrcCon videos

OPNsense 15.7 released

  • The OPNsense team has released version 15.7, almost exactly six months after their initial debut
  • In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
  • Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
  • The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
  • Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
  • Shortly afterwards, 15.7.1 was released with a few more small fixes ***

NetBSD at Open Source Conference 2015 Okinawa

  • If you liked last week's episode then you'll probably know what to expect with this one
  • The NetBSD users group of Japan hit another open source conference, this time in Okinawa
  • This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
  • We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con? ***

OpenBSD BGP and VRFs

  • "VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
  • This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
  • With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
  • The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
  • Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
  • The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts ***

Interview - Lee Sharp - lee@smallwall.org

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

  • We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
  • They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
  • Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
  • Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
  • The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
  • In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
  • With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
  • Look forward to the upcoming "Solaris Now" podcast (not really) ***

EuroBSDCon 2015 talks and tutorials

  • This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
  • The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
  • It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
  • There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
  • Registration for the event will be opening very soon (likely this week or next) ***

Using ZFS replication to improve offsite backups

  • If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
  • This article covers doing just that, but with a focus on making use of the replication capability
  • It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
  • Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
  • Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
  • One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important ***

Block encryption in OpenBSD

  • We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
  • This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
  • It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
  • The encrypted container method offers the advantage of being a bit more portable across installations than other ways ***

Docker hits FreeBSD ports

  • The inevitable has happened, and an early FreeBSD port of docker is finally here
  • Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
  • There was also some Hacker News discussion on the topic ***

Microsoft donates to OpenSSH

  • We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
  • With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
  • They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this ***

Feedback/Questions