BSDStammtisch Wien 0x0A 2018-12-11

Next meeting 🗓

Tuesday, 2018-12-11, 19:00 (CET)

Location 🗺

Caution, not our usual location at TU-Wien! SBA Research Favoritenstraße 16, 1st floor

Reachable via public transport: U1, N66, Taubstummengasse and 3 minutes walk. (Directly at exit Taubstummengasse/Floragasse)

Thanks to SBA Research for hosting us!

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Current CPU vulnerabilities
    • You may have heard of Spectre and Meltdown, and maybe others as well.
  • Got a topic you'd like to present on? Please do!

  • Please present your topic!

  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards (on location)

Shownotes 📝

Please help with keeping minutes during the meeting! They help others to read up afterwards.
Pad for collaborative note taking

BSDStammtisch Wien 0x09 2018-11-13

Past meeting 🗓

Tuesday, 2018-11-13, 20:00 (CET) - Caution, an hour later than usual due to limitations in room availability!

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • FreeBSD 10.4 EOL
  • FreeBSD 12 upcoming
  • Book: Absolute FreeBSD, 3rd edition, by Michael W. Lucas
  • BSD powered high-availability gummibaerlampchen talking to hardware using BSD and one-wire and some random hacks
  • Got a topic you'd like to present on? Please do!

  • FreeBSD 10.4-RELEASE reached End of Life status on 2018-10-31.

  • FreeBSD 12 is coming (at BETA 4 at the time of this writing).
  • Book: Absolute FreeBSD, 3rd edition (No Starch Press), by Michael W. Lucas (https://www.tiltedwindmillpress.com)
  • BSD powered high-availability Gummibärlämpchen: talking to hardware using BSD and 1-Wire, and some random hacks
    • 1-Wire is a serial-like bus that needs only two wires (data and ground) and is designed for at most three (with a separate supply wire). With a USB-to-1-Wire adapter you can control the relays that switch the bears on and off.
    • The goal is to run RTEMS on a GRiSP board, which is used to run Erlang applications on a real-time operating system. The GRiSP board sports the FreeBSD network stack, so networking is stable and performant.

There's also Jenkins integration for the “Red Bear alert”.

  • Geek and Poke webcomic on the best of both worlds regarding statically typed languages. In general, Geek and Poke is recommended reading for any sysadmin or developer.

Build your own Gummibear Server!

Inspired? Have a look at more Blinkenlights projects!

BSDStammtisch Wien 0x08 2018-10-09

Past meeting 🗓

Tuesday, 2018-10-09, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • DNS
  • DNS hosters
  • Problems with modern DNS resource records

Shownotes 📝

Reports and News

  • What has happened since the last BSDStammtisch?

Sascha:

Lost in Name Resolution

Desire for a little more independence: you're already running your own web and mail servers, so why not run your own resolver?

Observation: People know DNS, but they don't run their own DNS infrastructure.

Want to run your own Webserver? There's a million tutorials and a few even have moderately sane defaults.

Easy beginnings: Run a public resolver! (Uhm, maybe better not!)

Unbound

dns/unbound, because why not:
  • usually works fairly well
  • usually sane by default
  • supports DNS-over-TLS; it's made for that, except when it's not.

As usual, unbound runs in a FreeBSD/HardenedBSD jail; that's the sane thing to do for any service reachable from the internet.

Set sane defaults: do not allow queries for, or public answers pointing into, your internal jail range. Port 853/tcp is DNS-over-TLS (RFC 7858); 853/udp is only reserved for the experimental DNS-over-DTLS. (The port is not known in /etc/services on FreeBSD 11.2, so use the number.)

Anchor file (auto-trust-anchor-file): contains the DNSSEC root trust anchor, i.e. the root zone's KSK, so unbound can validate DNSSEC answers. Bootstrap it with unbound-anchor(8); unbound keeps it up to date afterwards.
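An added example of those defaults (not from the talk, not the unbound project's sample config): an unbound.conf for a validating resolver inside a jail that forwards everything over DNS-over-TLS. The jail address 10.1.1.53, the jail range 10.1.1.0/24, the upstream addresses and the upstream's TLS name dot.example.net are assumptions; use the TLS name your upstream actually publishes. The "#name" part of forward-addr is fairly new; on an unbound too old to accept it, drop it and be aware that the TLS session is then unauthenticated.

```conf
# /usr/local/etc/unbound/unbound.conf (inside the resolver jail)
server:
    interface: 10.1.1.53                 # the jail's own address only; never 0.0.0.0
    port: 53
    do-udp: yes
    do-tcp: yes                          # TCP/53 is mandatory; large and DNSSEC answers need it
    # Who may ask: default refuse, then allow the jail/LAN range. No open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.1.0/24 allow
    # Public names must not resolve into the jail range (DNS rebinding protection).
    private-address: 10.1.1.0/24
    private-address: fd00::/8
    # Validation: root trust anchor, kept current by unbound (RFC 5011).
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    # CA bundle used to verify the upstream's certificate for DNS-over-TLS.
    tls-cert-bundle: "/usr/local/etc/ssl/cert.pem"

# Send everything upstream over TLS on 853/tcp; the name after '#' is what the
# certificate must match.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.example.net
    forward-addr: 2001:db8::53@853#dot.example.net
```

Bootstrap the anchor once with unbound-anchor -a /usr/local/etc/unbound/root.key, run unbound-checkconf, then confirm validation actually happens: drill -D @10.1.1.53 example.org should come back with the ad flag set. From a hotel or café network, nc -vz -w 3 192.0.2.53 853 tells you quickly whether 853/tcp gets through at all.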

On small DNS instances, with only a few users you'll already get 20-30% cache hits. The more users you have, the better that cache rate gets.

Using DNS-over-TLS is a mixed bag. Nobody expects DNS queries on port 853. It's blocked on many networks, especially in cafés and hotels, and even by some ISPs.

Many networks don't allow or expect TCP traffic on port 53 either, even though TCP support is mandatory (RFC 7766) and necessary for answers that don't fit into a UDP packet. Even fewer allow port 853.

TCP connections are often limited per time frame. (For example UPC WiFree sends you RSTs when you exceed their limit.)

Forcing TCP (or TLS) queries requires a local forwarder, because the libc stub resolver doesn't speak TLS and only falls back to TCP after a truncated UDP answer.

unbound is a poor forwarder in this setup: it opens a new TCP connection for every query in the resolving process. (#WTFMoments)

  • We still need a UDP resolver as fallback.
  • We need smarter intermediates that handle failover for upstream DNS servers more gracefully and sanely.

Traffic amplification attacks:

DNS amplification attacks are where you'll see DNSSEC-aware EDNS0 queries (DO bit set) over UDP from spoofed sources: signed answers are larger, so the amplification factor is higher.

That's not the fault of DNS. Some ISPs still let UDP packets with spoofed source addresses out of their networks (no ingress filtering as in BCP 38).

Not unique to DNS. Turning off UDP is not really an option. Smart rate limiting of DNS queries would be great. unbound is not smart about it.

Possible solution: dnsdist, available in FreeBSD ports as dns/dnsdist.

Open questions: how to properly handle certificate verification for DNS-over-TLS in an on-demand manner? Which resolver actually does any of this?

How to get ISPs and public WiFi to support DNS-over-TLS in their local caching resolvers and allow port 853 queries?

What about BitTorrent? (See also, on DNS and Tor: https://freedom-to-tinker.com/2016/09/29/the-effect-of-dns-on-tors-anonymity/)

Recommended secondary (slave) DNS server: dns/nsd

A brief overview of DNSSEC:

Signing a zone with DNSSEC requires a KSK (key-signing key), which should be held offline, and a ZSK (zone-signing key), which signs the zone data (the KSK only signs the DNSKEY RRset). The public parts of both keys are published as DNSKEY records in the signed zone. Both keys can be generated with the dns/ldns utilities (ldns-keygen), which also provide zone signing (ldns-signzone). So signing your zone is easy. But: many DNS providers don't support DS (delegation signer) records, which must be present in the (signed) parent zone and contain a hash of the public KSK.
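The signing procedure above as an added shell example (not from the notes or the ldns project), with a check a practitioner wants before and after the DS is handed to the parent: ds_sanity rejects malformed DS records (digest type vs. digest length), and ds_match compares what the parent serves with what ldns-key2ds printed. The zone name, file paths and DS values are placeholders; sign_zone needs the ldns tools installed and is only run when the script is given arguments.

```sh
#!/bin/sh
# Added example, not from the BSDStammtisch notes or the ldns project: sign a zone
# with the dns/ldns tools and sanity-check the DS record before you hand it to the
# parent zone. Zone name, file paths and the DS values are placeholders.
set -eu

# Make an offline KSK and an online ZSK, sign the zone, print the DS for the parent.
# Needs ldns-keygen/ldns-signzone/ldns-key2ds; run it on the signer only.
sign_zone() {
    zone=$1          # e.g. example.org
    zonefile=$2      # e.g. /var/nsd/zones/example.org.zone (unsigned)
    # ldns-keygen prints the key file base name, e.g. Kexample.org.+013+12345
    ksk=$(ldns-keygen -a ECDSAP256SHA256 -k "$zone")
    zsk=$(ldns-keygen -a ECDSAP256SHA256 "$zone")
    # NSEC3 with a random 8-byte salt; the signed zone goes to ${zonefile}.signed
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    ldns-signzone -n -s "$salt" -o "$zone" "$zonefile" "$ksk" "$zsk"
    # DS record with a SHA-256 digest of the KSK's DNSKEY; take the KSK offline after this
    ldns-key2ds -n -2 "$ksk.key"
}

# Normalise a DS RR ("example.org. 3600 IN DS 12345 13 2 <hex>") to
# "keytag alg digesttype digest" and fail unless it is well-formed:
# digest type 1/2/4 must carry a SHA-1/SHA-256/SHA-384 sized hex digest.
ds_sanity() {
    set -- $1
    while [ $# -gt 0 ] && [ "$1" != "DS" ]; do shift; done
    [ $# -ge 5 ] || return 1
    keytag=$2 alg=$3 dtype=$4
    shift 4
    # ldns-key2ds may wrap the digest; join the remaining fields and lower-case them
    digest=$(printf '%s' "$*" | tr -d ' ' | tr 'A-F' 'a-f')
    case "$digest" in ''|*[!0-9a-f]*) return 1 ;; esac
    case "$keytag$alg" in ''|*[!0-9]*) return 1 ;; esac
    case "$dtype" in
        1) want=40 ;; 2) want=64 ;; 4) want=96 ;;
        *) return 1 ;;              # unknown digest type: don't publish it
    esac
    [ ${#digest} -eq $want ] || return 1
    printf '%s %s %s %s\n' "$keytag" "$alg" "$dtype" "$digest"
}

# True if the DS the parent serves (drill DS example.org) equals the one we generated.
ds_match() {
    a=$(ds_sanity "$1") || return 1
    b=$(ds_sanity "$2") || return 1
    [ "$a" = "$b" ]
}

if [ $# -ge 2 ]; then
    sign_zone "$1" "$2"
fi
```

Usage: sh sign.sh example.org /var/nsd/zones/example.org.zone prints the DS; after the provider has published it, feed the output of drill DS example.org and your own DS line to ds_match. A mismatch (wrong key tag, truncated digest, SHA-1 where you sent SHA-256) means validating resolvers will SERVFAIL your whole zone once the signatures are live.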

Unbound guide for DNS and DNS-over-TLS with config samples: https://calomel.org/unbound_dns.html

BSDStammtisch Wien 0x07 2018-09-11

Past meeting 🗓

Tuesday, 2018-09-11, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Shownotes

Reports and News

  • What has happened since the last BSDStammtisch?

Topics

  • NAT64/DNS64
  • OpenZFS Developer Summit 2018 Re-Live
  • MRMCD 2018 happend
  • EuroBSDcon coming up
  • BalcCon coming up
  • Running SRS (Sender Rewriting Scheme) for SPF on your MTA?
  • Recommended DNS providers that support CAA, TLSA and DNSSEC? Are there any in Austria?
  • Hetzner Cloud now offers OpenBSD and FreeBSD installation ISOs for VMs.

  • DMARC analysis tools and services

  • https://domainaware.github.io/parsedmarc/
  • https://www.dmarcanalyzer.com/
  • https://www.fraudmarc.com/
  • https://dmarcian.com/

Show and Tell

NAT64/DNS64

Mixing jails with RFC 1918 addresses and public IPs is kind of painful. Jail source IP selection seems to be broken in FreeBSD, so why not skip the binat config in pf(8) for external IPs and skip legacy IP for jails completely? Internal jail communication is then done via IPv6 only.

IPv4-to-IPv6 address mapping is then done with DNS64. Existing IPv6 addresses work as usual; if only an A record exists for a hostname, the 32 bits of the IPv4 address are written into the last 32 bits of your own IPv6 (/96) prefix.

FreeBSD jails that only have IPv6 are quite problematic. Sendmail and unbound don't start without IPv4, since they bind to loopback, but only to 127.0.0.1, the IPv4 loopback. If both daemons are also configured to listen on ::1 (the IPv6 loopback), it works.

NAT64 then lets us route the mapped IPv4 destinations over IPv6. NAT64 can be configured in ipfw (unfortunately not in pf(8) on FreeBSD).
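The address arithmetic behind both halves, as an added shell example (not from the notes): dns64_synth builds the AAAA a DNS64 resolver hands out for an IPv4-only host, and nat64_extract recovers the IPv4 address from such an address, which is what the NAT64 translator does on the way out. The well-known prefix 64:ff9b::/96 (RFC 6052), the private prefix 2001:db8:64::/96 and the addresses are illustrative; the prefix must be a /96 written with a trailing "::", and addresses with the IPv4 part written as a dotted quad are rejected rather than guessed at.

```sh
#!/bin/sh
# Added example, not from the notes: the address mapping DNS64 and NAT64 perform.
# Only /96 prefixes written as "...::" are handled; everything else is rejected.
set -u

# dns64_synth PREFIX IPV4 -> the synthesised AAAA, e.g. 64:ff9b:: 192.0.2.1 -> 64:ff9b::c000:201
dns64_synth() {
    prefix=$1          # e.g. 64:ff9b:: (RFC 6052 well-known prefix) or 2001:db8:64::
    ipv4=$2
    case "$prefix" in *::) ;; *) return 1 ;; esac
    # split the dotted quad; reject anything that is not four octets in 0..255
    set -- $(printf '%s\n' "$ipv4" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    # the 32 bits of the IPv4 address become the last two 16-bit groups
    printf '%s%x:%x\n' "$prefix" $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# nat64_extract ADDR -> the embedded IPv4 address, e.g. 64:ff9b::c000:201 -> 192.0.2.1
nat64_extract() {
    addr=$1
    tail=${addr##*::}            # the groups after "::" hold the embedded IPv4 part
    case "$tail" in *:*) ;; *) return 1 ;; esac   # dotted-quad form or one group: refuse
    hi=${tail%%:*}
    lo=${tail#*:}
    case "$lo" in *:*) return 1 ;; esac           # more than two groups: not a /96 mapping
    hi=$((0x$hi)); lo=$((0x$lo))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}
```

On the resolver side unbound does the synthesis with module-config: "dns64 validator iterator" and dns64-prefix: 64:ff9b::/96; on the FreeBSD jail host the translation is ipfw's nat64lsn/nat64stl, since pf on FreeBSD has no af-to. Use a prefix out of your own space rather than 64:ff9b:: if the jails must also reach RFC 1918 destinations, which the well-known prefix excludes.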

Drinks and Food afterwards

Chit chat, food and drinks afterwards.

BSDStammtisch Wien 0x06 2018-07-10

Past meeting 🗓

Tuesday, 2018-07-10, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • ZFS boot-environments and beadm(8)
  • #oneWeekOneTool collective self-paced learning
  • tmux(1), a terminal multiplexer
  • Enough rope to shoot yourself in the foot with ZFS compression and freebsd-update(8)
  • Spectre and Meltdown mitigations with microcode deployments
  • Please present your topic!
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes

Reports and News

  • What has happened since the last BSDStammtisch?

Mixed Topics:

ZFS boot-environments and beadm(8)

Install the package sysutils/beadm to use ZFS boot environments. You can then easily create, list and switch among your boot environments.
beadm list shows you a list of the currently available environments you could boot from. The currently active system you're booted from is marked with N. The one you will be using after a reboot is marked R.

http://callfortesting.org/bhyve-boot-environments/

  • Ansible task "freebsd-update": push the /root/freebsd-update.sh script

/root/freebsd-update.sh

#!/bin/sh -e
# ansible managed
# Show what we are running before touching anything.
/bin/freebsd-version -ku
export PAGER="/bin/cat -bu"
# Name the snapshot and the boot environment after the higher of kernel/userland version.
ver=`freebsd-version -ku | sort -r | head -1`
# Keep /etc in git so config changes made by the update are diffable.
cd /etc
test -d .git || git init .
git add -A
git commit --allow-empty -am "${ver}-update"
# Recursive ZFS snapshot of the whole pool, plus a boot environment to roll back to.
# The snapshot name carries a timestamp, the BE name does not, so don't recreate it.
zfs snapshot -r zroot@`date -u +%Y%m%d-%H%M`:${ver}-update
beadm list -H | grep -q "^${ver}-update" || beadm create "${ver}-update"
# freebsd-update exits non-zero when there is nothing to do; don't abort the play.
/usr/sbin/freebsd-update --not-running-from-cron fetch install || /usr/bin/true
echo OK freebsd-update complete
echo OK List Boot Environments
beadm list
echo now run "pkg update" and confirm that the changes/reinstall/updates
echo are as expected. Once that has completed, sacrifice a goat and reboot.

#oneWeekOneTool collective self-paced learning

tmux(1), a terminal multiplexer

After one week playing with tmux I dared to publish my tmux config

Enough rope to shoot yourself in the foot with ZFS compression and freebsd-update(8)

Don't set your zroot ZFS pool to gzip-9 compression and then try to trick freebsd-update into updating 11.1-STABLE to 11.1-RELEASE. The BSD loader will fail to load the kernel from the gzip-9 compressed zpool.

  • Spectre and Meltdown mitigations with microcode deployments

Show and Tell

  • #oneWeekOneTool - An effort to encourage self-paced learning of the tools, applications and services you use a lot.
  • IPMI, Lights out Management, Out of band management
    • Supermicro iKVM has severe problems with keyboard input, independent of your keyboard locale, even with the on-screen HTML keyboard. Workaround: enter a "-" using the numeric keypad, or start any path with ".." and <Tab> to trigger autocompletion.
  • There actually is an iOS app for Supermicro IPMI which works surprisingly well. Typing is uncomfortable, but reliable.
  • HP iLO exposes a semi-secret URL which you can use to connect with some VNC clients; host:port and display must be set to 2.
  • Spectre and Meltdown mitigations do have a performance hit; turning off Hyper-Threading may actually improve your performance since there's less cache to invalidate.
  • ZFS snapshot management and replication tools
  • sysutils/znapzend

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

Drinks and Food afterwards

Chit chat and drinks at Fachschaft Informatik afterwards.

BSDStammtisch Wien 0x05 2018-06-12

Next meeting 🗓

Tuesday, 2018-06-12, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Please present your topic!
  • pkg(8) and ports best practices, tips and tricks
  • how to package software for OpenBSD and FreeBSD
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes

Reports and News

  • What has happened since the last BSDStammtisch?

Main Topic:

  • packages, ports, tips and tricks and what to avoid

  • https://hackmd.io/s/HkwIhv6x7 via dch@

  • A minimal port example

  • Interesting things to put into your /etc/make.conf

    • Auto-accept these licenses: LICENSES_ACCEPTED+= MIT BSD3CLAUSE APACHE20 LGPL3 BSD2CLAUSE MPL
    • Never build Kerberos support (for example in ftp/curl): OPTIONS_UNSET= GSSAPI_BASE
  • EuroBSDCon 2018-09-22..23 in Bucureşti – România

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

FreeNAS
  • Handy utility to identify and mark drives in a chassis. (Like blink the RED LED on them to mark a dead drive to be swapped out for a new one.)
    • For LSI/Avago HBAs or RAID controllers:
    • SAS2 controllers: /usr/local/bin/sas2ircu
    • SAS3 controllers: /usr/local/bin/sas3ircu

Books

  • A Philosophy of Software Design (John Ousterhout), ISBN-13: 9781732102200

Drinks and Food afterwards

Chit chat, food and drinks afterwards.

BSDStammtisch Wien 0x04 2018-05-08

Past meeting 🗓

Tuesday, 2018-05-08, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Main Topic: pf(4) routing domains

  • pf(4) and routing domains in OpenBSD
OpenBSD, pf and routing

This applies to OpenBSD pf(4); if you want to do the same on FreeBSD you'll likely have to change the syntax somewhat, since FreeBSD ships an older version of pf with a different syntax.

pf is available on OpenBSD, FreeBSD, macOS and NetBSD. It's the standard packet filter on those systems.

Rulesets are always evaluated from top to bottom. The last rule that matches decides the packet's fate.

OpenBSD by default blocks the _pbuild user, which is used to compile ports, from accessing the network, to ensure that ports always build even when there is no network available. Violations of that rule are always logged.

Scrubbing means that fragmented packets are reassembled and packets are normalised. It should be on at all times; it's not strictly required on endpoints, as opposed to firewalls and routers.

Port numbers can be given by name as long as the name exists in /etc/services; likewise protocols, as long as they exist in /etc/protocols.

Unlike other packet filters, pf is stateful by default. pf by default doesn't care about the IP version. When restricting a rule with an explicit IPv4 address, pf is smart enough to know that this rule can not apply to IPv6 and vice versa.

With block or pass only the last rule is used. When using a match rule, the action is always taken, for example log. A match rule gives a packet a marker, it doesn't yet decide if the packet itself is accepted or rejected by a later rule.

quick changes the way how rules are evaluated. When a quick rule matches, it's executed immediately and no more rules get evaluated.

Rules may be restricted to ingress (in) or egress (out) traffic.

Ports can be specified as ranges, though the syntax is sometimes a little awkward.

Interfaces are transparently replaced by their current IP address. You can also dynamically reference the :network, :broadcast or :peer (point-to-point) address of an interface. With dynamic IPs you can enclose the interface name in parentheses like (em0), and the IP of the interface is looked up at runtime when the rule is evaluated; otherwise its IP is substituted when the ruleset is loaded. This comes in handy with laptops that roam networks.

Lists

{tcp, udp} {http, https} Lists get expanded to a separate rules for each list item, in that order.

Macros

(aka variables) Macros allow abstraction of physical interfaces to $names. Saves a lot of headache when things change and reduces the risk of typos. Makes rules a lot more readable.

Options

  • set skip on <if>: skips filtering on an interface (usually lo0)
  • set syncookies always|never|adaptive
  • set optimization: tunes state timeouts
  • set ruleset-optimization: removes rules that never match

Inspecting the active ruleset: pfctl -s rules
Evaluating a ruleset without activating it (syntax check): pfctl -n -f /etc/pf.conf

NAT und redirection

  • nat-to: source NAT
  • rdr-to: redirection of incoming traffic (destination NAT)
  • binat-to: expands to nat-to and rdr-to, makes 1:1 mappings
  • af-to: translation between address families (NAT64); only on OpenBSD, not available on FreeBSD

Further topics
  • scrubbing
  • tables (can change during runtime, like lists of IPs, networks, etc. Daemons can build these, like spamd)
  • anchors (apply rulesets under certain conditions)
  • logging (pf logs the rule number that caused the logging)
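A small OpenBSD pf.conf that uses the features above, as an added example (not the speaker's ruleset): macros, a list that expands into one rule per member, a runtime table, scrubbing as a match rule, last-match-wins with a default block, a quick rule that short-circuits evaluation, and the _pbuild rule OpenBSD ships by default. The interfaces em0/em1, the services and the LAN are assumptions.

```conf
# /etc/pf.conf (OpenBSD); em0 is the uplink, em1 the LAN
ext_if = "em0"
int_if = "em1"
tcp_services = "{ ssh, https }"             # names resolve via /etc/services
table <bruteforce> persist                  # changes at runtime, survives reloads

set skip on lo0                             # no filtering on loopback
set block-policy return                     # RST/unreachable instead of silent drop
set syncookies adaptive

match in all scrub (no-df random-id max-mss 1440)  # reassemble fragments, normalise
# Source NAT for the LAN; ($ext_if) is looked up at runtime, good for dynamic IPs.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

block log all                               # default deny; the last matching rule wins
block return out log proto { tcp, udp } user _pbuild   # ports builds stay offline
block in quick on $ext_if from <bruteforce> # quick: evaluation stops here

pass out                                    # this host and the LAN may go out
pass in on $int_if from $int_if:network
# Expands to one rule per list member. More than 5 connections in 30 s from one
# source puts that address into <bruteforce>, which the quick rule above then blocks.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check before loading with pfctl -nf /etc/pf.conf, load with pfctl -f /etc/pf.conf, look at the expanded rules with pfctl -sr and at the table with pfctl -t bruteforce -T show. To see why a packet was blocked, tcpdump -n -e -ttt -i pflog0 prints the number of the rule that logged it.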
pf, routing and rdomains

failover and load balancing Two WAN interfaces, one local network. Either for load balancing traffic or failover when one WAN goes down.

Routes and priorities failover is realized with routes of different -priority

multipath Needs to have -mpath option set.

failover typically relies on ifstated to monitor interfaces.

pf can do routing, but doesn't really want to.

routing domains

Routing domains are similar to network namespaces in Linux. A routing domain has its own routes and interfaces assigned to it. By default all interfaces share a single routing domain, the default rdomain 0.

processes can be put into a rdomain and only see its routes, but not any other available routes.

A routing domain is implicitly created by assigning an interface to it. You cannot delete rdomains.

This is reflected in the output of ifconfig.

network config in /etc/hostname.<if> can be made permanent.

/etc/hostname.em1:
rdomain 1
dhcp
…

pair(4) devices in different rdomains are used to connect rdomains to one another. Pair interfaces get patched together: ifconfig pair1 patch pair10; ifconfig pair2 patch pair20

It's recommended to always create a loopback address inside each rdomain: ifconfig lo1 127.0.0.1 255.0.0.0 rdomain 1 up; ifconfig lo2 127.0.0.1 255.0.0.0 rdomain 2 up

The loopback interfaces must have separate names, but each loopback does indeed have its own 127.0.0.1 address. (Unlike FreeBSD jails.)

Pair interfaces are quite new (added in OpenBSD 5.9). Before you had to route these with pf, but pf doesn't want to do routing.

rc.d daemon scripts have rtable/rdomain support via the daemon_rtable variable (e.g. sshd_rtable=1 in rc.conf.local). This way you can start sshd in a particular rdomain at startup or have specific daemons in certain rdomains.
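The rdomain setup above made persistent, as an added example (not from the talk): a second uplink in rdomain 1, its own loopback, a pair(4) link into rdomain 0, and sshd started inside rdomain 1 via daemon_rtable. Interface names, addresses and the choice of daemon are assumptions. The "rdomain N" line must precede the address lines; it implicitly creates the domain, and netstart processes hostname.* files in name order, so the pair10 side (created second) does the patching.

```conf
# /etc/hostname.em1  -- second WAN, lives in rdomain 1
rdomain 1
dhcp

# /etc/hostname.lo1  -- rdomain 1 gets its own loopback, with its own 127.0.0.1
rdomain 1
inet 127.0.0.1 255.0.0.0

# /etc/hostname.pair1  -- rdomain 0 side of the link into rdomain 1
inet 10.255.0.1 255.255.255.252

# /etc/hostname.pair10 -- rdomain 1 side; pair1 already exists, so patch from here
rdomain 1
inet 10.255.0.2 255.255.255.252
patch pair1

# /etc/rc.conf.local -- rc.d daemon_rtable: this sshd only sees rdomain 1's routes
sshd_rtable=1
```

Bring it up with sh /etc/netstart em1 lo1 pair1 pair10. route -T 1 show lists only rdomain 1's routes, route -T 1 exec ping 10.255.0.1 runs a command inside it, and ifconfig pair10 shows the rdomain. A default route in rdomain 0 via 10.255.0.2 sends everything out the second uplink; give two default routes different -priority values to get the failover described above.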

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a sbook, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

Better Crypto - Applied Crypto Hardening

We're working on updates! BSD testing of settings is welcome! Better Crypto

Grazer Linuxtage

Videos are available online Media CCC

LibreSSL

LibreSSL portable breaks a bunch of ports:
  • postfix
  • mysql 5.7

BSD Hardware monitor

https://github.com/koitsu/bsdhwmon: the FreeBSD pkg is very outdated. Building from source is easy, just run make. Hardware support is very limited; basically a bunch of older Supermicro motherboards is supported (X6-X8, nothing newer). None of the hardware I have under my control is supported. Maybe in the future.

Drinks and Food afterwards

Chit chat, food and drinks afterwards.

BSDStammtisch Wien 0x03 2018-04-10

Past meeting 🗓

Tuesday, 2018-04-10, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Backups (occasionally…) - A beta version of a talk, and a discussion on how to keep your data safe and secure.
  • Please present your topic!
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes 📝

Reports and News

What has happened since the last BSDStammtisch?

We can haz automated Website builds now!

Thanks to @fredl we now have automated testing and deployment builds for our website. The source is pushed to GitHub. To add content or improve the website, or create a more fancy theme, either fork and send a pull request or hand your public SSH (-t ed25519) key to fredl or MacLemon so you can directly push to our webserver.

Stickers anyone?

Yes, people would like stickers. MacLemon will take care of getting them. You're welcome to donate a few € to the cause.

Main Topic: Backups (occasionally)

A beta version of a talk about how to keep your data safe and secure, or how to verifiably lose it all. Lessons learned the hard way.
Many bad jokes, old floppies and things to think about when trying to backup data that can actually be restored as well. (Slides will follow after they've been reworked. If they haven't been published by the May meeting, please poke @MacLemon!)

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

NAS4Free on QNAP

Adi brought a small NAS/home server (QNAP TS251+). The OS is NAS4Free, which is FreeBSD based.
Problems I have:
  1. Fan speed control is always at maximum, which is very annoying.
  2. Server and/or HDDs should hibernate when not in use and only power on when the server is accessed.
  3. Related to today's topic: a backup strategy under ZFS for a 2-bay server is needed. One HDD should be able to roll back file versions for 6 months and synchronize itself once per week with the primary disk (rsync).

Mixed backup tools for FreeBSD used by people

Did we miss any tool you like or would recommend? Please add it to the list and talk about it at one of our next meetings in Show and Tell or give a full fledged presentation if you like! Thanks for contributing!

Other things we talked about

Drinks and Food afterwards

Thanks to Fachschaft Informatik for hosting us and providing cold beverages. Thanks for supporting the BSDStammtisch in Wien!

BSDStammtisch Wien 0x02 2018-03-13

Past meeting 🗓

Tuesday, 2018-03-13, 19:00 (CET)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien
Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance)
Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • FreeBSD Jails, jails.conf and jail networking
  • Please present your topic!
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes 📝

Agenda

Reports

  • What has happened since the last BSDStammtisch?
    • We can haz new Logo, already in use on Twitter and Mastodon
    • MacLemon didn't manage to get the website styled in time, sorry for that. It's on the plan for our April meeting.
  • We now have a standard .ics calendar you can subscribe to, so you never miss a meeting! Calendar subscription for BSDStammtisch Wien There are no alerts or reminders in that calendar, we respect the privilege granted by being in your calendar.

Main Topic: Jails, jails.conf and jails networking

Thanks to karu and dch for the huge influx of jail related info in their talks! Thanks to everbody for sharing big and small tips for Show and Tell!

Slides will be made available!

FreeBSD Jails in the Handbook

Jails related commands and files

Focusing on the Jails and networking part that is covered with the base system.

A brief history of Jails:

Jails are just chroot on steroids. As they are basically an extension of the chroot function they feel a bit weird at times today.

Jails are used as system containers today despite their original use case as single-app containers. Jails normally should run with securelevel=3 (strongest), unless you have a good reason to choose another level. The not-so-sane default is securelevel=-1.

Info on how FreeBSD handles Securelevels

Jail integration for userland tools

Many command line tools are integrated and know about jails:
  • top(1)
  • htop(1)
  • zfs(8)
  • ps(1)
  • pkg(8)

Security considerations for networking

A jail maps the loopback addresses 127.0.0.1 (more specifically 127/8) and ::1/128 to its first IPv4 and first IPv6 address respectively. So the sane way to assign IPs to jails is to first assign a loopback IP on a cloned interface like lo1, and only as a secondary IP the public or local (host-side IPv4 LAN) address and IPv6 addresses. That way you make sure not to expose any daemons that bind their management interface to the loopback, believing it is not reachable from the public internet.

If you do not set skip on lo1 you can finely control which jail is allowed to talk to which other jail and on which ports.
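The two points above in configuration form, as an added example (not from the talks): the host's rc.conf clones lo1, jail.conf lists the lo1 address first so that 127.0.0.1 inside each jail is really private, and the host's pf.conf skips lo0 but not lo1, so traffic between jails is filtered. Jail names, paths and addresses are assumptions; the db jail deliberately has no public address at all.

```conf
# /etc/rc.conf (host)
cloned_interfaces="lo1"
jail_enable="YES"
pf_enable="YES"

# /etc/jail.conf
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
securelevel = 3;
path = "/jails/$name";
host.hostname = "$name.example.org";

www {
    # first address listed = what the jail maps 127.0.0.1 / ::1 to; keep it on lo1
    ip4.addr = "lo1|127.0.1.1", "em0|203.0.113.10";
    ip6.addr = "lo1|fd00:1::1", "em0|2001:db8::10";
}
db {
    ip4.addr = "lo1|127.0.1.2";          # reachable only via lo1
    ip6.addr = "lo1|fd00:1::2";
}

# /etc/pf.conf (host): lo0 is skipped, lo1 is not, so jail-to-jail traffic is filtered.
# Everything not on lo1 passes by default in this minimal ruleset.
set skip on lo0
block log on lo1
pass on lo1 inet proto tcp from 127.0.1.1 to 127.0.1.2 port 5432    # www -> db only
```

A daemon in www that binds to 127.0.0.1 now listens on 127.0.1.1, which the db jail cannot reach thanks to the lo1 block, and the other way round only port 5432 is open. Check with jexec www sockstat -4l that nothing ended up on 203.0.113.10 by accident, and with pfctl -sr that lo1 is really not in the skip list.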

Managing Jails with zjail(8)

Even easier than ezjail, zjail lays bare the very fabric of FreeBSD jails.
DIY-Jails by dch.

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

Security Testing of Websites:
  • Firefox extension for playing with Content-Security-Policy
  • Chromium|Chrome Extensions for playing with Content-Security-Policy
  • SSLLabs to test the HTTPS of your site and find bugs. For example the BSDStammtisch.at site
  • Check HTTP Security Headers to instruct browsers to activate certain security features. BSDStammtisch Security Headers
  • Generate a good Content Security Policy for your site with the CSP Generator
    • The browser console is your friend for finding compatibility problems with different browsers, since they don't all support the same set of fancy features.
  • Maintain Wordpress installations from the command line with WP-CLI (not available in ports, but reasonable to install and maintain.)
  • To test your Wordpress site for known vulnerabilities you can use WPScan which is built in Ruby.
Security Testing of XMPP/Jabber Servers (S2S, C2S)
CLI tools
Video recommendations
ZFS
Jail security

Upcoming events (in chronological order)

Past events

Drinks and Food afterwards

Thanks to Fachschaft Informatik for hosting us and providing cold beverages. Thanks for supporting the BSDStammtisch in Wien!

BSDStammtisch Wien 0x01 2018-02-13

Past meeting 🗓

Tuesday, 2018-02-13, 19:00 (CET)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien
Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Automation with Ansible
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI or web services
  • Chit chat and drinks afterwards

Shownotes 📝

Taken by all the awesome people who attended BSDStammtisch.

Agenda

Main Talk

  • Ansible for freeBSD (Luto)
  • we failed hard: https://github.com/criecm/ansible-iocage because the iocage Plugin for Ansible is in need of some attention.
  • Luto is the ansible guy, MacLemon the BSD guy, so they combined their efforts to get stuff (almost) working
  • Time ran away from Luto, so he shows us ansible basics

Ansible basics:

  • Get Ansible Information
  • Read Ansible Documentation
  • Read Ansible on BSD
  • To install Ansible on your FreeBSD controller system you can use the port sysutils/ansible. Only the machine that pushes the configuration needs Ansible installed; the machine to be configured doesn't need anything beyond ssh and python. Create a file called "inventory" in the directory you want to configure the Ansible connection from (which basically opens an ssh connection and does awesome stuff with that).

The controller machine needs python (preferably 2; 3 should also be supported by now). The controlled machine also needs some kind of python (versions don't need to match).

FreeBSD has no python installed by default, so you need to install it yourself on the controlled machine and tell Ansible where to find it (ansible_python_interpreter), since Ansible comes from the Linux world and BSD puts python in another place (/usr/local/bin).

Ansible configuration files are written in YAML

There is an Ansible module for ZFS which you can use to create datasets, change ZFS properties.
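The FreeBSD specifics above in one place, as an added example (not Luto's playbook and not from the Ansible docs): a YAML inventory that tells Ansible where FreeBSD keeps python, and a playbook that first bootstraps python over plain ssh with the raw module (which needs no python on the target), then gathers facts and creates a ZFS dataset with the zfs module. The hostname, the python package name python36 and the dataset are assumptions.

```yaml
# inventory.yml
---
all:
  children:
    bsd:
      hosts:
        jailhost.example.org:
          ansible_user: root
          ansible_python_interpreter: /usr/local/bin/python3.6   # not /usr/bin/python

# site.yml   (run: ansible-playbook -i inventory.yml site.yml)
---
- hosts: bsd
  gather_facts: false            # fact gathering already needs python on the target
  tasks:
    - name: bootstrap python (raw needs only ssh and /bin/sh on the target)
      raw: env ASSUME_ALWAYS_YES=yes pkg install -y python36
      changed_when: false
    - name: gather facts now that python exists
      setup:
    - name: dataset for jails, compressed, no atime
      zfs:
        name: zroot/jails
        state: present
        extra_zfs_properties:
          compression: lz4
          atime: "off"           # quoted on purpose: a bare off is YAML false
          mountpoint: /jails
```

ASSUME_ALWAYS_YES is what lets pkg(7) bootstrap itself non-interactively on a fresh install; without it the raw task hangs on the "proceed?" prompt.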

Food and Drinks afterwards:

  • We ended up at Fachschaft Informatik who serve Mate and Kozel (beer) and ordered Pizza together. Many thanks to Astra for hosting us and organizing a room so we could meet!