Submit your real world pf.conf

As some of you may know, fwbuilder.org is a cross-platform, graphical firewall management utility that supports iptables, ASA, PIX, FWSM, Cisco router access lists, pf, ipfw, ipfilter, and HP ProCurve ACL firewalls. Vadim Kurland and Mike Horn, the lead fwbuilder developers, have begun work on providing complete pf.conf import functionality, the last piece that was missing to provide 100% pf support. This work is a direct result of several customers expressing interest in the addition of pf configuration import and they expect the work to be completed by this summer.

In order for them to be confident that as many permutations as possible are covered, they are looking for BSD users who can share their real world pf.conf files. The configs need to contain valid IP addresses, but users can sanitize the configs by globally replacing “real” IP addresses with “fake” IP addresses. Users who are concerned about privacy can encrypt their file with Vadim’s public PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8B08DC58.

You can send your pf.conf file(s) to configs at netcitadel dot com. They will also be looking for testers as the work nears completion. Please help spread the word through social media and by posting to other mailing lists that may be interested.

Google SoC 2011 FreeBSD Accepted Projects

Google has announced today that the following FreeBSD related projects have been accepted for the annual Google Summer of Code (2011).

With 17 approved projects, FreeBSD is one of the Top 10 supported projects.

  1. Path-based file system MAC policy (Alan Alvarez)
  2. Implement TCP UTO (Catalin Nicutar)
  3. Replacing the old regex implementation (Gábor Kövesdán)
  4. Capsicum application adaptation and core libraries (Ilya Bakulin)
  5. Finish porting FUSE to FreeBSD (Ilya Putsikau)
  6. FreeBSD/arm port to NXP LPC32x0 (Jakub Klama)
  7. pkgng: Implementation of sub-commands to convert .rpm and .deb to pkgng package format (Joffrey Lassignardie)
  8. Implement the RPS/RFS in FreeBSD (Kazuya GODA)
  9. FreeBSD port of NetworkManager (Kulakov Anton)
  10. Testing temporal properties of FreeBSD with Temporally Enhanced Security Logic Assertions (Mateusz Kocielski)
  11. Extending Capsicum for Common System Services (Nathan Dautenhahn)
  12. Disk device error counters (Oleksandr)
  13. Multiqueue BPF support and other BPF features (Takuya ASADA)
  14. SMB (smbfs) infrastructure work (Walter Artica)
  15. Multibyte Encoding Support in Nvi (Zhihao Yuan)
  16. (Re)implement the BFS scheduler in FreeBSD (rudot)
  17. Adding DWARF2 Call Frame Information (xxp)

Well done, to everyone who got in.

FreeBSD Security Advisory (mountd)

The FreeBSD Security Team has identified a security bug in mountd.

I. Background

The mountd(8) daemon services NFS mount requests from other client machines. When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call.

II. Problem Description

While parsing the exports(5) table, a network mask in the form of “-network=netname/prefixlength” results in an incorrect network mask being computed if the prefix length is not a multiple of 8.

For example, specifying the ACL for an export as “-network 192.0.2.0/23” would result in a netmask of 255.255.127.0 being used instead of the correct netmask of 255.255.254.0.

III. Impact

When using a prefix length which is not a multiple of 8, access would be granted to the wrong client systems.

For a workaround and solution, check out the security advisory: FreeBSD Security Advisory (mountd)
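To find exports(5) entries that fall into the affected case, the following added example (not code from the advisory or from FreeBSD) lists `-network` options whose prefix length is not a multiple of 8, together with the netmask that should apply, and then compares the advisory's two netmasks on two clients. The function names, the sample exports content, the client addresses and the masked-comparison matching rule are assumptions made for illustration; the two netmasks are the ones quoted above.

```python
import ipaddress
import re

# "-network=ADDR/LEN" or "-network ADDR/LEN", the two spellings quoted in the advisory.
NETWORK_OPT = re.compile(r"-network[=\s]+(\S+)/(\d+)")

def audit_exports(text):
    """List (line number, spec, correct netmask) for -network entries whose
    prefix length is not a multiple of 8."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore comments
        for name, plen in NETWORK_OPT.findall(line):
            if int(plen) % 8 == 0:
                continue
            spec = f"{name}/{plen}"
            try:
                mask = str(ipaddress.ip_network(spec, strict=False).netmask)
            except ValueError:
                mask = None  # symbolic netname or bad length: review by hand
            findings.append((lineno, spec, mask))
    return findings

def matches(client, network, netmask):
    """Masked comparison (assumed ACL semantics): client & mask == network & mask."""
    c, n, m = (int(ipaddress.IPv4Address(x)) for x in (client, network, netmask))
    return c & m == n & m

# Constructed sample exports(5) content, not taken from a real system.
SAMPLE_EXPORTS = """\
/usr/src -ro -network 192.0.2.0/23
/home -network=198.51.100.0/24   # multiple of 8, not affected
/data -maproot=root -network=203.0.113.64/26
"""

if __name__ == "__main__":
    for lineno, spec, mask in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {spec} needs netmask {mask}")
    # Netmask values from the advisory's example; client addresses are constructed.
    for client in ("192.0.3.5", "192.0.130.9"):
        print(client,
              "correct:", matches(client, "192.0.2.0", "255.255.254.0"),
              "buggy:", matches(client, "192.0.2.0", "255.255.127.0"))
```

Entries reported with a netmask of `None` use a symbolic network name and need to be checked by hand.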

FreeBSD Quarterly Status Report (Jan – Mar 2011)

FreeBSD’s quarterly status report for 2011 Q1 is now available. This report covers FreeBSD related projects between January and April 2011. During this quarter, developers focused on releasing FreeBSD 7.4 and 8.2, which were released in February 2011. Currently, the project is starting to work on the next major version, 9.0.

It’s good to see so much activity, projects and contribution to FreeBSD, most of which is done by dedicated volunteers.

From the table of contents:

  • Projects
  • FreeBSD Team Reports
  • Network Infrastructure
  • Kernel
  • Documentation
  • Architectures
  • Ports
  • Miscellaneous
  • Google Summer of Code

Link: FreeBSD Quarterly Status Report (Jan – Mar 2011)

Upcoming FreeBSD Events: BSDCan, GSoC 2011

As most of you will be aware, BSDCan is one of the major annual BSD conferences, and Google sponsors development of the 5 big BSDs each year in the Summer of Code. More information about these events is below.

BSDCan 2011

BSD Talk has a 15-minute interview with Dan Langille, the organiser of BSDCan 2011, in which they chat about the upcoming BSDCan conference: BSDTalk 203 – BSDCan and PGCon with Dan Langille

The FreeBSD Foundation will be providing a limited number of travel grants to individuals requesting assistance. Please fill out and submit the (PDF) Travel Grant Request Application by April 15, 2011 to apply for this grant.

This program is open to FreeBSD developers of all sorts (kernel hackers, documentation authors, bugbusters, system administrators, etc). In some cases we are also able to fund non-developers, such as active community members and FreeBSD advocates. Read further

Google Summer of Code 2011

Google Announces Summer of Code Accepted Projects
Google has announced the accepted projects list for its 2011 Google Summer of Code (GSOC) Program. Accepted Projects can be viewed on this page. FreeBSD is among them. If you want to take part, check out the FreeBSD GSoC ideas page.

Grazer Linuxtag 2011

The Grazer Linuxtag is a one day event (09 April 2011, FH Joanneum Graz, Graz, Austria) on Linux and free software in general. Besides a FreeBSD booth and the possibility to take the BSDA certification exam there will also be a BSD Bootcamp with live workshops covering different FreeBSD topics. More information can be found here.

Finds of the day: Daemon oggcast and howtobsd.com

Whilst surfing and checking out a few links today, I came across the following sites that you may be interested in too:

I. Daemon & Penguin oggcast

The latest podcast is about GhostBSD 2.0 which was released last week (Released: GhostBSD 2.0):

In episode number 17, I go over a recent install of GhostBSD 2.0 which now has a home on my laptop. It happens to be one of the easiest installs so far. You end up with a fully configured FreeBSD running Gnome as the desktop. The GhostBSD team are doing a great job, so give it a try and you will be up and running in no time (Listen)

II. howtobsd.com: Simple way to understanding FreeBSD

This site has been around since October 2009 but I only stumbled upon it today. As the name suggests, you can find many useful commands and howtos there, e.g.:

  • Create a SVN repository
  • Monitoring FreeBSD servers with Munin
  • Installing Ruby on Rails on FreeBSD
  • freebsd geom mirror howto
  • How to move FreeBSD system from one hdd to another
  • Backup freebsd howto with fsbackup

sysinstall is no longer FreeBSD’s default installer

Nathan Whitehorn has committed the last changes in order to replace FreeBSD’s sysinstall with bsdinstall.

I just committed (r219641) changes that make the release infrastructure (src/release/Makefile) use bsdinstall by default instead of sysinstall on install media. A big thank you is in order to everyone who provided advice, criticism, and testing for this project over the last few months!

Along with sysinstall, the original sysinstall build stuff has been preserved (now usr/src/release/Makefile.sysinstall) and will continue to be for the lifetime of the 9.x release series, although it will not be used by default. This change modifies the process of building releases somewhat, so I’ll outline changes that people who run snapshot buildbots will have to make below, and some next steps planned with the installer.

The merge between PC-BSD’s pc-sysinstall and bsdinstall (bsdinstall and pc-install to merge) is yet to be completed.

Read the whole of Nathan’s heads-up: http://lists.freebsd.org/pipermail/freebsd-arch/2011-March/011170.html

Ground Labs announces support for FreeBSD

Ground Labs, a global leader in the development of security and auditing software for the payment card industry, recently announced the introduction of native support for FreeBSD within its cardholder data discovery products for PCI compliance.

“Our goal is to provide support for all major operating systems that are used to store, transmit or process cardholder data. FreeBSD is used in mission-critical environments worldwide. It is therefore a perfect addition to our portfolio of supported platforms.”

said Stephen Cavey, director of corporate development for Ground Labs.

Many large organisations, including large web hosting providers, rely on FreeBSD to achieve high levels of uptime.

“FreeBSD is known for being a reliable and robust operating system,” “By offering native support for FreeBSD within our cardholder data discovery products we can enable more organisations to identify non-compliant instances of cardholder data storage and facilitate compliance with PCI DSS 2.0.”

said Peter Duthie, chief architect for Ground Labs.

Ground Labs’ flagship products, Card Recon and Enterprise Recon, previously supported 5 operating systems, including Windows, Linux, Solaris, AIX and HPUX. Card Recon can now be used on FreeBSD systems to perform accurate cardholder data discovery scans.

Enterprise Recon users will also benefit now that Enterprise Recon Node Agents can be deployed on remote FreeBSD systems within larger environments to achieve centralised monitoring and visibility of PCI compliant cardholder data storage practices.

“We’re very pleased to have Ground Labs offer FreeBSD support within its cardholder data discovery products. While FreeBSD is widely deployed throughout the industry, enterprise-grade commercially supported software tools are only just starting to appear. Given the growing importance of the PCI Compliance Standards, Ground Labs products add valuable tools for FreeBSD users, who will benefit from this new level of support.”

said Erwin Lansing, FreeBSD developer and member of the Ports Management team.

FreeBSD versions of Card Recon and Enterprise Recon Node Agents are available at no additional charge for download by existing and new customers.

About Ground Labs

Ground Labs is a global leader in the development of security and auditing software solutions for PCI compliance. Its flagship products, Card Recon and Enterprise Recon, identify and analyze cardholder data storage risks on thousands of computer systems worldwide. Merchants, acquirers and schemes use Ground Labs products to achieve and maintain PCI compliance, while QSAs use those same products to validate compliance and produce accurate reports.

Source