The next FreeBSD book?

BSDCan hasn’t officially started, and I keep getting asked when I will write a third edition of Absolute FreeBSD.

The short answer is: I don’t know.

The slightly longer answer is: it depends in part on you.

The much longer answer is:

FreeBSD has added lots of stuff since Absolute FreeBSD came out in 2007. The big, screaming, basic change is that ZFS is really well-supported, and considered a core feature.

But you can’t install to ZFS. Or to a mirror. Or to any of the other really cool options available on FreeBSD. There’s good stuff there, but new users can’t have it.

There are ways around this. For a new user, they range from ugly to absurd. I had hopes for the new FreeBSD installer, but none of the rumored improvements have reached real users. I could write “To install FreeBSD, install PC-BSD.” But my gut rebels. If you want PC-BSD, install PC-BSD.

If I were to write a big FreeBSD book today, it would have to be “1001 ways to install FreeBSD.” It would cover getting FreeBSD onto ZFS, or mirrors, or GELI, or any of the other cool options. That’s not a fun book to write and would not be fun to read.

Some discussions at BSDCan give me hope for an improved installation process. I don’t care if it’s the current installer, or a port of PC-BSD’s installer, or a resurrected sysinstall.

I have no problem spending a chapter on planning an installation, or on things you should know before installing — just look at Absolute OpenBSD. But that chapter can’t be “Here’s FreeBSD’s disk management system, so you can boot off a live filesystem and manually edit disks and create zpools and GELIs and mirrors and and and…” Experienced FreeBSD users put up with this, but you can’t give this to a new user.

FreeBSD should have a decent partitioning scheme at boot. If the OpenBSD folks can manage that with their text-only installer, surely FreeBSD could do so. But at least it’s possible to partition the disk with the current installer.

So: if you’re a programmer and want a new version of the book, work on the installer.

If you’re not a programmer: bribe one.

I have some small books on FreeBSD on my schedule, but that’s a very different thing. Until the installer changes, Absolute FreeBSD 3 isn’t even on the schedule.

“Absolute OpenBSD” Kindle edition: problems and on sale

I’ve heard from a few different readers that there are problems with the Kindle edition of Absolute OpenBSD. It’s by no means every copy in every format, but there are enough problem reports that it needs investigating.

I’ve notified the publisher. They are investigating. When I have an update, I will post it.

Generally, when a Kindle file has a problem, remove it from your device. When the new version appears, you can re-download it from Amazon.

And this is the point where I mention that Absolute OpenBSD is O’Reilly’s Deal of the Day. If you want the ebook, you can get it for 50% off.

“Absolute OpenBSD” auction winner

The final total on the Absolute OpenBSD first copy auction was: $1145. The lucky (for various interpretations of lucky) winner is Bill Allaire, long-time OpenBSD supporter.

Bill has already sent Austin the money, which is winging its way to the OpenBSD Foundation as I write this. So he’s lived up to his end of the bargain.

I’m not going to ship him the book when it’s printed, however. Us writers are flaky and untrustworthy, and it’s time people realize and accept this. For another reason, though, there’s a small OpenBSD hackathon in Toronto at the end of May. I’ve been invited to come hang out on beer night.

I’m taking Bill’s book with me, so various OpenBSD developers can sign it and point out any errors. I’m sure they’ll also offer corrections and commentary because, well, you give a BSD developer a beer and he’ll tell you what he really thinks.

So, Bill not only gets the first copy off the press. He gets the most correct version. A book more awesome than anything anyone else will have. Don’t you wish you had outbid him?

“Absolute OpenBSD” auction clears $1000

Apparently double-dog daring you people works.

The Absolute OpenBSD Foundation auction is currently at $1035.

You have another day and a half to bid. Do so.

I’m delighted. And, as promised, I’ll have an ebook sale as a result. Probably during BSDCan.

This week has been maniacal for reasons completely outside of the new Absolute OpenBSD, but I should start to catch up on all the queued email, tweets, and whatnot next week.

First barrier breached

The Absolute OpenBSD auction has been going about 10 hours now. In less than those 10 hours, the price exceeded the amount raised for the FreeBSD Foundation.

Well done.

But I bet you slackers can’t possibly double it. No, I DOUBLE DOG-DARE YOU to double it.

How I love picking a fight in a good cause.

First copy of “Absolute OpenBSD, 2nd ed” now on auction

You’ve asked me how to get Absolute OpenBSD early.

The answer is simple. You buy it. At auction. All proceeds to the OpenBSD Foundation.

The printer will take the first copy of Absolute OpenBSD off the press and overnight it to me. I will sign it, and label it on the title page as the first copy. I will include a Certificate of Authenticity stating that this is the one true first copy off the press. I will ship this book anywhere in the world, as fast as reasonable, at a cost of up to $100. (If you win the bid and want it shipped to Antarctica, it will take a little longer.)

To reassure the security-minded among you: I also promise that this is the only copy that I will sign and label as the first copy.

Being able to do this gives me warm fuzzies. It makes me look like a nice person without me doing any real work. After all, No Starch Press provided the physical book and Austin Hook is running the auction. I just have to scribble my name and stuff an envelope.

We did this for the first copy of Absolute FreeBSD, and raised $600 for the FreeBSD Foundation. Frankly, I expect you OpenBSD folks to beat that handily.

If you do not beat that amount, I will be disappointed in the community.

Do not disappoint me.

You wouldn’t like me when I’m disappointed.

Diagnosing “+Limiting icmp unreach response from…” with tcpdump

Anyone who has run a FreeBSD server for any length of time has seen these messages in their daily security emails. (You do read those, right?)

+Limiting icmp unreach response from 296 to 200 packets/sec
+Limiting icmp unreach response from 337 to 200 packets/sec
+Limiting icmp unreach response from 318 to 200 packets/sec
+Limiting icmp unreach response from 535 to 200 packets/sec
+Limiting icmp unreach response from 332 to 200 packets/sec
+Limiting icmp unreach response from 328 to 200 packets/sec

Way back in the Bronze Age, I learned that this means “someone is port scanning.” The usual advice is to disable these messages by setting the sysctl net.inet.icmp.icmplim to 0. This silences the messages. I’m guilty of giving that advice myself.

What it really means is that something is sending your server UDP packets on a port that isn’t open. This could be a port scanner. It could also be a host legitimately trying to reach your host for a service it thinks you provide, or a service your host should be providing but isn’t.

I could go to my netflow collector and run a few commands to track down where these packets are coming from. In this case, the problem host is my netflow collector. I’m somewhat leery of using a tool to diagnose itself. An initial check shows that everything on the collector is running, so let’s see if it’s still happening with tcpdump.

I could run tcpdump -i em0 icmp and see all the ICMP traffic, but that’s inelegant. I don’t want to miss the traffic I’m looking for amidst a torrent of ICMP. And why have my brain filter traffic when ICMP will do it for me?

The first step is to identify exactly what we’re looking for. ICMP isn’t a monolithic protocol. Where TCP and UDP have ports, ICMP has types and codes. You can find a friendly list of types and codes here, or my readers can look in my Network Flow Analysis.

ICMP’s “port unreachable” message is type 3, code 3. Unlike TCP ports, the type and code are separate fields. Type 3 is “destination unreachable,” while the code indicates exactly what is unreachable — the port, the network, whatever. Type is ICMP field 0, while code is ICMP field 1. Tcpdump lets you filter on these just like the more familiar port numbers. Enclose more complicated filter expressions in quotes.

# tcpdump -ni em0 "icmp[0]=3 and icmp[1]=3"
10:01:03.287063 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.331388 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.356052 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.378256 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.411046 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.437458 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
10:01:03.457858 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
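To see what tcpdump is actually matching and printing above, here is an added example (my own code, not from the original post or from tcpdump) that builds a constructed IPv4/ICMP packet modelled on those lines, applies the same byte test that the BPF expression icmp[0]=3 and icmp[1]=3 applies, and then decodes the original IP and UDP headers that an ICMP “destination unreachable” message carries in its body. That embedded header is how tcpdump knows to print “udp port 11022 unreachable”. The addresses, ports and the assumed 1464-byte NetFlow payload length are constructed sample values; the function names are my own.

```python
"""Decode an ICMP "destination unreachable" datagram by hand (added example)."""
import socket
import struct

ICMP_DEST_UNREACH = 3   # icmp[0]: type
ICMP_PORT_UNREACH = 3   # icmp[1]: code, within type 3
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; header checksum left zero in this constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(reporter, offender, sport, dport, udp_payload_len=1464):
    """Build what a host emits when a UDP datagram from `offender` hits a closed port.

    Per RFC 792 the ICMP body carries the original IP header plus the first
    8 bytes of the offending datagram, which for UDP is the whole UDP header.
    1464 bytes is the size of a NetFlow v5 export with 30 records (constructed).
    """
    orig_udp = struct.pack("!HHHH", sport, dport, 8 + udp_payload_len, 0)
    orig_ip = ipv4_header(offender, reporter, IPPROTO_UDP, 8 + udp_payload_len)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + orig_ip + orig_udp
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, offender, IPPROTO_ICMP, len(icmp)) + icmp


def matches_filter(packet, icmp_type=3, icmp_code=3):
    """Python equivalent of tcpdump's BPF expression "icmp[0]=3 and icmp[1]=3"."""
    if packet[9] != IPPROTO_ICMP:
        return False
    ihl = (packet[0] & 0x0F) * 4          # icmp[N] indexes bytes after the IP header
    icmp = packet[ihl:]
    return icmp[0] == icmp_type and icmp[1] == icmp_code


def decode_unreachable(packet):
    """Return who reported the unreachable and which original datagram triggered it."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "notified": socket.inet_ntoa(packet[16:20]),
        "type": icmp[0], "code": icmp[1], "icmp_len": len(icmp),
        "original": {"proto": inner[9], "src": socket.inet_ntoa(inner[12:16]),
                     "sport": sport, "dst": socket.inet_ntoa(inner[16:20]), "dport": dport},
    }


def summarize(packet):
    """Render the decoded packet in the same shape tcpdump printed above."""
    d = decode_unreachable(packet)
    proto = "udp" if d["original"]["proto"] == IPPROTO_UDP else "proto %d" % d["original"]["proto"]
    return "IP %s > %s: ICMP %s %s port %d unreachable, length %d" % (
        d["reporter"], d["notified"], d["reporter"], proto, d["original"]["dport"], d["icmp_len"])


if __name__ == "__main__":
    # Constructed sample: the collector tells the border router that UDP/11022 is closed.
    pkt = build_port_unreachable("10.250.250.10", "192.0.2.214", 11022, 11022)
    print(matches_filter(pkt), summarize(pkt))
```

Note that the “length 36” tcpdump reports is the ICMP message alone: 8 bytes of ICMP header, the 20-byte quoted IP header and the 8-byte UDP header. The quoted header is also why the sending host is reversed in the output: the outer packet goes from the collector to the router, while the inner header records the router’s datagram to the collector.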

The host 192.0.2.214 is constantly trying to reach my collector on port 11022. 192.0.2.214 is my busiest border router.

That’s a router. This is a netflow collector. Maybe it’s netflow traffic? Let’s see.

# tcpdump -ni em0 -T cnfp ip host 192.0.2.214 and udp port 11022
192.0.2.214.11022 > 10.250.250.10.11022: NetFlow v5, 1897575.270 uptime, 1363184870.488773000, #1285199613, 30 recs
started 1897571.570, last 1897571.570
...

Yep. Either my router or my collector is misconfigured. And my monitoring system is misconfigured, because it should have caught that the collector process isn’t running. Or I should have noticed that I wasn’t actually getting any flow files from the collector running on another port.

Now to go back in time, find that young punk who wrote Absolute BSD, and whup his butt.

Some “Absolute OpenBSD 2/e” dates

No Starch intends to send AO2e to the printer on 22 March 2013. This would give a “bound book date” of approximately 12 April. Books would be in their hands roughly 19 April. They’re really good about shipping books to purchasers as soon as possible.

Note that DNSSec Mastery should be available in ebook form about then. Not only do I have two books coming in 2013, I have two books coming in April 2013.

All dates are subject to change based on the whim of the printer, phase of the moon, gasoline shortages, insurrections and iniquity and incivility, or any other reason whatsoever.