BSDStammtisch Wien 0x05 2018-06-12

Next meeting 🗓

Tuesday, 2018-06-12, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Please present your topic!
  • pkg(8) and ports best practices, tips and tricks
  • how to package software for OpenBSD and FreeBSD
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes

Reports and News

  • What has happened since the last BSDStammtisch?

Main Topic:

  • packages, ports, tips and tricks and what to avoid

  • https://hackmd.io/s/HkwIhv6x7 via dch@

  • A minimal port example

  • Interesting things to put into your /etc/make.conf

    • Autoaccept these licenses: LICENSES_ACCEPTED+= MIT BSD3CLAUS APACHe20 LGPLV3 BSD2CLAUSE MPL
    • Never build Kerberos support (for example in ftp/curl) OPTIONS_UNSET = GSSAPI_BASE

  • EuroBSDCon 2018-09-22..23 in Bucureşti – România

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

FreeNAS
  • Handy utility to identify and mark drives in a chassis. (Like blink the RED LED on them to mark a dead drive to be swapped out for a new one.)
    • For LSI/Avago HBAs or RAID controllers:
    • SAS2 controllers: /usr/local/bin/sas2ircu
    • SAS3 controllers: /usr/local/bin/sas3ircu

Books

  • A philospohy of software design (John Ousterhout) ISBN13: 9781732102200

Drinks and Food afterwards

Chit chat, food and drinks afterwards.

BSDStammtisch Wien 0x04 2018-05-08

Past meeting 🗓

Tuesday, 2018-05-08, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Main Topic: pf(4) routing domains

  • pf(4) and routing domains in OpenBSD
OpenBSD, pf and routing

This will apply to OpenBSD pf(4), if you want to do the same on FreeBSD, you'll likely have to chang the syntax somewhat since FreeBSD uses an older version of pf which has a different syntax.

pf is available on OpenBSD, FreeBSD, macOS, NetBSD. It's the standard packet filter, which controls packets.

Rulesets are always evaluated from top to bottom. The last rule that matches that designates the packet's destiny.

OpenBSD by default blocks the _pbuild user used to compile ports from accessing the network to ensure that ports always build even when there is no network available. Violations to that rule are always logged.

scrubbing means that fragmented packets are reassembled and TTL is enforced. It should be on at all times, though it's not required on endpoints, opposed to firewalls and routers.

Port numbers can be taken as a name as long as it exists in /etc/services and protocols as well as long as they exist in /etc/protocols.

Unlike other packet filters pf ist stateful by default. pf by default doesn't care about the IP version. When restricting a rule with an explicit IPv4 address, pf is smart enough to know that this rule can not apply to IPv6 and vice-versa.

With block or pass only the last rule is used. When using a match rule, the action is always taken, for example log. A match rule gives a packet a marker, it doesn't yet decide if the packet itself is accepted or rejected by a later rule.

quick changes the way how rules are evaluated. When a quick rule matches, it's executed immediately and no more rules get evaluated.

Rules may be restricted to ingress (in) or egress (out) traffic.

Ports can be specified as ranges, though the syntax is sometimes a little awkward.

Interfaces are transparently replaced by their current IP address. You can also dynamically reference the :network, :broadcast or :peer (point-to-point). When using dynamic IPs you can enclose the interface namen in braces like (em0) and the IP of the interface is evaluated at runtime when the rule is evaluated. Otherwise it's IP is replaced when loading he ruleset. This comes in handy with laptops that roam networks.

Lists

{tcp, udp} {http, https} Lists get expanded to a separate rules for each list item, in that order.

Macros

(aka variables) Macros allow abstraction of physical interfaces to %names. Saves a lot of headache when things change and reduces the risk of typos. Makes rules a lot more readable.

Options

skip, skips filtering on an interface (usually used on lo0) set syncookies always|never|adaptive set optimization (optimizes state timeouts) set ruleset-optimization (removes rules that never match)

Inspecting the active ruleset pfctl -s rules Evaluating a ruleset without activating it (syntax checking): pcftl -f /etc/pf.conf -n

NAT und redirection

nat-to for source nat rdr-to for incoming nat binat-to expands to nat-to and rdr-to makes 1:1 mappings. af-to for translation between different addrss families (NAT64) (only on OpenBSD, not available on FreeBSD)

Further topics
  • scrubbing
  • tables (can change during runtime, like lists of IPs, networks, etc. Daemons can build these, like spamd)
  • anchors (apply rulesets under certain conditions)
  • logging (pf logs the rule number that caused the logging)
pf, routing and rdomains

failover and load balancing Two WAN interfaces, one local network. Either for load balancing traffic or failover when one WAN goes down.

Routes and priorities failover is realized with routes of different -priority

multipath Needs to have -mpath option set.

failover typically relies on ifstated to monitor interfaces.

pf can do routing, but doesn't really want to.

routing domains

Routing domains are similar to networking namepsaces in Linux. A routing domains hat is own routes and interfaces assigned to it. By default all interfaces share a single routing domain, the default rdomain r0.

processes can be put into a rdomain and only see its routes, but not any other available routes.

A routing domain is implicitly created by assigning an interface to it. You cannot delete rdomains.

This is reflected in the output of ifconfig.

network config in /etc/hostname.<if> can be made permanent.

/etc/hostname.em1 rdomain 1 dhcp …

pair(4) devices in different rdomains. They're used to connect rdomains to one another. pair interfaces get patched to connect them. ifconfig pair1 patch pair10 ifconfig pair2 patch pair20

It's recommended to always create a loopback adresses inside the rdomains: ifconfig lo1 127.0.0.1 255.0.0.0 rdomain 1 up ifconfig lo2 127.0.0.1 255.0.0.0 rdomain 2 up

The loopback interfaces must have separate names, but each loopback does indeed have its own 127.0.0.1 address. (Unlike FreeBSD jails.)

Pair interfaces are quite new (added in OpenBSD 5.9). Before you had to route these with pf, but pf doesn't want to do routing.

rc.d daemon scripts have rtable/rdomain support via the daemon_rtable caribale. This way you can e.g. start sshd in various rdomains at startup or have specific daemins in certain rdomains.

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a sbook, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

Better Crypto - Applied Crypto Hardening

We're working on updates! BSD testing of settings is welcome! Better Crypto

Grazer Linuxtage

Videos are available online Media CCC

LibreSSL

LibreSSL portable breaks a bunch of ports.
- postfix - mysql 5.7

BSD Hardware monitor

https://github.com/koitsu/bsdhwmon FreeBSD pkg is very outdated. Building from source is easy, just do make. Hardware support is very limited. Basically a bunch of older Supermicro motherboards is supported. (X6-X8, nothing newer.) None of the hardware I have under my control is supported. Maybe in the future.

Drinks and Food afterwards

Chit chat, food and drinks afterwards.

BSDStammtisch Wien 0x03 2018-04-10

Past meeting 🗓

Tuesday, 2018-04-10, 19:00 (CEST)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Backups (occasionally…) - A beta version of a talk, and a discussion on how to keep your data safe and secure.
  • Please present your topic!
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes 📝

Reports and News

What has happened since the last BSDStammtisch?

We can haz automated Website builds now!

Thanks to @fredl we now have automated testing and deployment builds for our website. The source is pushed to GitHub. To add content or improve the website, or create a more fancy theme, either fork and send a pull request or hand your public SSH (-t ed25519) key to fredl or MacLemon so you can directly push to our webserver.

Stickers anyone?

Yes, people would like stickers. MacLemon will take care of getting them. You're welcome to donate a few € to the cause.

Main Topic: Backups (occasionally)

A beta version of a talk about how to keep your data save and secure or how to verifiably lose it all. Lessons learned the hard way.
Many bad jokes, old floppies and things to think about when trying to backup data that can actually be restored as well. (Slides will follow after they've been reworked. If they haven't been published by the May meeting, please poke @MacLemon!)

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

NAS4Free on QNAP

Adi brought a small NAS/home-server (QNAP TS251+). OS is NAS4Free, which is FreeBSD based.
Problems I have:
1. Fan speed control is always at maximum which is very annoying. 2. Server and/or HDDs should hibernate when not in use and only power on when server is accessed. 3. Related to today's topic a backup strategy under ZFS for a 2-bay server is needed. One HDD should be able to rollback file versions for 6 months and sychronize itself once per week with the primary disk - rsync.

Mixed backup tools for FreeBSD used by people

Did we miss any tool you like or would recommend? Please add it to the list and talk about it at one of our next meetings in Show and Tell or give a full fledged presentation if you like! Thanks for contributing!

Other things we talked about

Drinks and Food afterwards

Thanks to Fachschaft Informatik for hosting us and providing cold beverages. Thanks for supporting the BSDStammtisch in Wien!

BSDStammtisch Wien 0x02 2018-03-13

Past meeting 🗓

Tuesday, 2018-03-13, 19:00 (CET)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien
Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance)
Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • FreeBSD Jails, jails.conf and jail networking
  • Please present your topic!
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI, web services, that chocolate chip cookie recipe, a book or conference recording, anything goes. No need to prepare anything.
  • Chit chat, food and drinks afterwards

Shownotes 📝

Agenda

Reports

  • What has happened since the last BSDStammtisch?
    • We can haz new Logo, already in use on Twitter and Mastodon
    • MacLemon didn't manage to get the website styled in time, sorry for that. It's on the plan for our April meeting.
  • We now have a standard .ics calendar you can subscribe to, so you never miss a meeting! Calendar subscription for BSDStammtisch Wien There are no alerts or reminders in that calendar, we respect the privilege granted by being in your calendar.

Main Topic: Jails, jails.conf and jails networking

Thanks to karu and dch for the huge influx of jail related info in their talks! Thanks to everbody for sharing big and small tips for Show and Tell!

Slides will be made available!

FreeBSD Jails in the Handbook

Jails related commands and files

Focusing on the Jails and networking part that is covered with the base system.

A brief history of Jails:

jails are just chroot on steroids. As they are basically an extension of the chroot function they feel a bit weird at times today.

jails are used as system containers today despite their original use case as single app containers. jails normally should have the securelevel=3 (strongest), except you have a good reason to choose another level. The not-so-sane default is securelevel=-1.

Info on how FreeBSD handles Securelevels

Jail integration for userland tools

Many command line tools are integrated and know about jails. - top(1) - htop(1) - zfs(8) - ps(1) - pkg(8)

Security considerations for networking

A jail picks its first IPv4|IPv6 address to map the loopback IP 127.0.0.1 (or more specifially 127/8) and ::1/128. So the sane way to assign IPs to jails is to first assign a loopback IP on a cloned interface like lo1 and as a secondary IP you assign the public or local (HOST-side-IPv4-LAN) address and IPv6 addresses. That way you make sure to not expose any daemons that bind their management interface to the loopback believing that this interface is not exposed to the public internet.

If you do not set skip on lo1 you can finely control which jail is allowed to talk to which other jail and on which ports.

Managing Jails with zjail(8)

Even easier than ezjail, zjail lays bare the very fabric of FreeBSD jails.
DIY-Jails by dch.

Show and Tell

Short introductions to tools you like, or that solve a problem for you. This can be anything from GUI, CLI to Webservices, a book, a podcast or conference recording you'd like to recommend or a recipe for chocolate chip cookies. Mmmhhmmmm Cookies! 🍪 No need phor a phanphy prphentaishn.

Security Testing of Websites:
  • Firefox extension for playing with Content-Security-Policy
  • Chromium|Chrome Extensions for playing with Content-Security-Policy
  • SSLLabs to test the HTTPS of your site and find bugs. For example the BSDStammtisch.at site
  • Check HTTP Security Headers to instruct browsers to activate certain security features. BSDStammtisch Security Headers
  • Generate a good Content Security Policy for your site with the CSP Generator
    • The browser console is your friend to find compatibility problems with different browsers since the do not support all the fancy stuff each.
  • Maintain Wordpress installations from the command line with WP-CLI (not available in ports, but reasonable to install and maintain.)
  • To test your Wordpress site for known vulnerabilities you can use WPScan which is built in Ruby.
Security Testing of XMPP/Jabber Servers (S2S, C2S)
CLI tools
Video recommendations
ZFS
Jail security

Upcoming events (in chronological order)

Past events

Drinks and Food afterwards

Thanks to Fachschaft Informatik for hosting us and providing cold beverages. Thanks for supporting the BSDStammtisch in Wien!

BSDStammtisch Wien 0x01 2018-02-13

Past meeting 🗓

Tuesday, 2018-02-13, 19:00 (CET)

Location 🗺

Seminarraum Technische Informatik, Operngasse 9, 1040 Wien
Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Automation with Ansible
  • Show and Tell
    • Show us your quick tips and tricks, the tools you use or recently discovered, be it CLI, GUI or web services
  • Chit chat and drinks afterwards

Shownotes 📝

Taken by all the awesome people who attended BSDStammtisch.

Agenda

Main Talk

  • Ansible for freeBSD (Luto)
  • we failed hard: https://github.com/criecm/ansible-iocage because the iocage Plugin for Ansible is in need of some attention.
  • Luto is the ansible guy, MacLemon the BSD guy, so they combined their efforts to get stuff (almost) working
  • Time ran away from Luto, so he shows us ansible basics

Ansible basics:

  • Get Ansible Information
  • Read Ansible Documentation
  • Read Ansible on BSD
  • To install Ansible on your FreeBSD controller system you can use the port sysutils/ansible First install Ansible on the machine that pushes the update, the machine to be installed doesn't need anything. Create a file called "inventory" in the directory you want to configure the ansible connection (which basically opens a ssh connection and does awesome stuff with that).

Controller machine needs python (preferably 2, 3 should be also supported by now) Controlled machine also needs some kind of python (versions don't need to match)

FreeBSD has no python installed by default, so you need to install this yourself on the controlled machine and tell ansible where to find it there (as ansible comes from the Linux world and BSD puts python in another place).

Ansible configuration files are written in YAML

There is an Ansible module for ZFS which you can use to create datasets, change ZFS properties.

Food and Drinks afterwards:

  • We ended up at Fachschaft Informatik who serve Mate and Kozel (beer) and ordered Pizza together. Many thanks to Astra for hosting us and organizing a room so we could meet!

BSDStammtisch Wien 0x00 2018-01-09

Past meeting 🗓

Tuesday, 2018-01-00, 19:00 (CET)

Location 🗺

Lernraum Technische Informatik, Paniglgasse / Argentinierstraße, 1040 Wien
Public Transport: U1, U2, U4 Karlsplatz, Bus 59A Bärenmühldurchgang, Nightline N60, N62, N66, N71, Tram 2 (within reasonable walking distance) Bicycle parking: Just around the corner

Attendance 🎟

Free for all people interested in learning or discussing about all things BSD! You are welcome!

Topics

  • Founding efforts for a monthly meeting of BSD enthusiasts, beginners and experts
  • Chit chat and drinks afterwards

Shownotes 📝

  • Emphasis on inclusion, diversity, respect: Be excellent to each other!
  • Find a name (We recycle the dormant BSDStammtisch)
  • New A pointers to host a new website.
  • Bridge existing Matrix room and IRC channel.
  • Find a matching Twitter/Mastodon (Mastodon: @bsdstammtisch@bsd.network, Twitter: @BSDStammtisch) handle
  • Find a matching Github handle and make it an organisation BSDStammtisch
  • Get to know people
  • Collect ideas, suggest topics
  • Find volonteers to help with organisation and prepare topics
  • Found a person to design a nice logo (Columbia19)
  • Calendar of the meetings one can subscribe to.
  • Do we need a mailinglist and if so, where could that be hosted?

Food and Drinks afterwards