35: Puffy Firewall

We're back again! On this week's packed show, we've got one of the biggest tutorials we've done in a while. It's an in-depth look at PF, OpenBSD's firewall, with some practical examples and different use cases. We'll also be talking to Peter Hansteen about the new edition of "The Book of PF." Of course, we've got news and answers to your emails too, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines ALTQ removed from PF Kicking off our big PF episode... The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. *** FreeBSD Quarterly Status Report The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team LOTS of details and LOTS of topics to cover, give it a read *** OpenBSD's OpenSSL rewrite continues with m2k14 A mini OpenBSD hackathon begins in Morocco, Africa You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning We've got two trip reports so far, hopefully we'll have some more to show you in a future episode You can see some of the more interesting quotes from the tear-down or see everything Apparently they are going to call the fork "LibreSSL" .... What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy! We also got some mainstream news coverage and another post from Ted about the history of the fork Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too *** NetBSD 6.1.4 and 6.0.5 released New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes The main update is - of course - the heartbleed vulnerability Also includes fixes for other security issues and even a kernel panic... on Atari Patch your Ataris right now, this is serious business *** Interview - Peter Hansteen - [email protected] / @pitrh The Book of PF: 3rd edition Tutorial BSD Firewalls: PF News Roundup New Xorg now the default in FreeBSD For quite a while now, FreeBSD has had two versions of X11 in ports The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf They've finally made the switch for 10-STABLE and 9-STABLE Check this wiki page for more info *** GSoC-accepted BSD projects The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon The FreeBSD list was also posted Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more Good luck to all the students participating, hopefully they become full time BSD users *** Complexity of FreeBSD VFS using ZFS as an example HybridCluster posted the second part of their VFS and ZFS series This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff *** PCBSD weekly digest Preload has been ported over, it's a daemon that prefetches applications PCBSD is developing their own desktop environment, Lumina (there's also an FAQ) It's still in active development, but you can try it out by installing from ports We'll be showing a live demo of it in a few weeks (when development settles down a bit) Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***