Episode: 3091 Title: HPR3091: fuguserv Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3091/hpr3091.mp3 Transcribed: 2025-10-24 16:36:08

---

This is Hacker Public Radio episode 3,091 for Monday 8 June 2020. Today's show is entitled "fuguserv". It is hosted by Sir Enflota 2 and is about 44 minutes long and carries a clean flag. The summary is: Fuguita OpenBSD server, building a new Wi-Fi router server. This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Fuguita OpenBSD server, building a new Wi-Fi router server.

Well, it's been quite a while, gang, since I've made an audio. I think a little over a year. And as you know, I'm a big OpenBSD user. I like OpenBSD because it's much more secure than any other operating system that I've ever used. It also seems to run better than any other operating system I've used. Now, it's not the fastest operating system by any stretch. That would be a showdown probably between FreeBSD and Linux. But it is certainly the most secure and, in my opinion, probably the most stable or most accurate. And that's important to me. You know, the only other operating system I'm currently using is Trisquel. And Trisquel has an amazing number of capabilities for a free software operating system. But frankly, the MATE desktop and everything and how Linux does things sometimes drives me nuts. It's easier to, for instance, edit videos and things using Trisquel perhaps. But OpenBSD doesn't have access to webcams and stuff that people use to make desktop videos.
Usually, in my videos, I don't use a desktop cam anyway. I don't put my face on my videos. That way, people continue to watch. But at any rate, I'm recording this audio, by the way, using OpenBSD 6.7, which was just recently released. And it's the i386 version of OpenBSD. And it's on a Dell Mini 10, which in itself is probably 12, 13 years old. It has a tiny little 250 gigabyte hard drive, one gig of RAM. The entire thing is, frankly, very small. It has like a 10 inch diagonal screen, and a smaller, but not terribly hard to use, keyboard. It's actually got a pretty good feel to it, and a trackpad with a couple of touch points. And OpenBSD seems to support it quite well. And as you can tell, I can record audio with it. I'm using Audacity right now to make this recording. And I've got the Xfce desktop set up here. And a lot of people who are ricers would poo-poo that; they want to use dwm or one of the other ricer desktops. But I prefer some of the old traditional 90s type desktops. In fact, this particular portable or mini notebook doesn't have a DVD drive in it or anything. It's just basically four USB ports, I believe, or maybe three. Yeah, three USB ports, an Ethernet jack, mic recording jack, earphone jack. And what else do we have here? Oh yeah, a video out. RGB, I think, video out. And of course, a power plug connector. And what I love about the Dell Mini 10 is its tremendous battery life. I mean, this thing will last for well over eight hours. I think I've had it on for as long as 12 hours before it ran out of batteries. So I can literally take this thing off to the park and use it for three or four hours, writing stuff out in the sunlight, using Emacs or LibreOffice, and just enjoy the heck out of it. In fact, I'll take it with me everywhere. Poolside or when I take a bath, believe it or not, I'll sit there and listen to podcasts or watch videos. I've got Firefox on here. I also have the option of having Chromium if I want.
Those are the two web browsers that OpenBSD supports. OpenBSD implements pledge, which severely restricts the access of those two browsers so they can't just walk off with your SSH keys or do something bad with Java that you don't want done. So it watches out for you, and it's a really good system. I just upgraded from 6.6 to 6.7 on this laptop. I've got five laptops running OpenBSD. And I just acquired a new server. My old server had been in use running OpenBSD for 13 years now, and it's starting to give out. I mean, it needs to be rebuilt or something. It needs a new fan, it needs new CPU heat paste, it needs to be scraped and cleaned out and refurbished and maybe put back online later. So what I did instead, which is the typical thing that most Americans do instead of rebuilding it, I went out and bought a new one. I went to, I think, Penguin and bought one of their, what do they call it, Penguin 9 desktops? I think it is. The number 9 version. It's got eight gigabytes of RAM and a couple of Celeron processors, a dual core Celeron processor. And I put a six terabyte hard drive in there, and I pulled the RAID array out of the old server and put it in this box that had four drives, so I could easily transfer the data. And one thing you learn about running OpenBSD with the fast file system is you want to have an rsync backup of your main database in case the power goes out, because sometimes you lose files, you know; it's not like it runs ZFS or something. However, OpenBSD does plan on implementing the HAMMER2 file system in the future once Matt Dillon over at DragonFly finishes HAMMER2, which is still under development. So we'll have the HAMMER2 file system on OpenBSD in the next probably five, six years, certainly. Any rate, this is sort of a casual recording. I'm not going to be doing a lot of editing. There may be some mistakes in it as I open cans of Pepsi Zero to drink them and light cigarettes and whatnot.
So this is not commercial quality for sure, but it was never intended to be. All right. Well, you know, every time you lose power, typically when my old server went out, I'd have to wait until I came back home again. Sometimes I'll be gone for three or four days or maybe a week working, you know, in my normal course of employment. And if the power goes out, I'm going to have to wait that long to restart the server, because typically with the fast file system, it's always the temp partition, /tmp, your temporary files, that gets corrupted, because the operating system writes to it all the time. So I decided with this new system, I'm going to run Fuguita on it. And you can take a look at Fuguita at fuguita.org, which is Kawamata's website. He's a Japanese man who makes Fuguita. And it's based on OpenBSD. And basically what it is, it's OpenBSD that runs from memory. It boots off either an ISO, a CD, a DVD ISO, or a memory stick image that you can put on a USB stick. And it has memory storage and everything else. And what I've done is I've set up my server to run off of Fuguita now. So when I get my updates, I'll just do them once a month. Kawamata, or kaw, as he signs himself in emails, applies patches to Fuguita and republishes this image as OpenBSD patches things. So once a month, I'll just download a new image from his website if there have been changes. Typically once a month, or maybe once every two months, there will be a patch from OpenBSD for some security or maintenance issue that needs to be applied. And downloading the ISO and putting it on a USB stick is easy. Fuguita, as I say, stores all the ports that you add in the way of programs to hard drive storage, or USB storage, for reloading on the next boot. So changing the image out is really just about as easy as doing a syspatch. If you had an installed version of OpenBSD, you'd use syspatch to patch the unit.
You don't have to download source trees from CVS and recompile entire operating systems or bits and pieces of it, reinstall it and reboot. You can just run syspatch now. And with Fuguita, it's just basically download an image, put it on a USB stick, boot it up, and repopulate it with configuration files in /etc, your home directory, whatever you might have in your root directory and /var, and save it off to the hard drive again for automatic reboot. So when Fuguita runs, as I say, OpenBSD runs from memory. It runs from memory. And when the power goes out, there's nothing to corrupt. I mean, on boot up, it pulls the system into memory. And so everything's running in memory. So the only thing that could get corrupted is any hard drives that are mounted. And since all my hard drive volumes are over five terabytes in size, including the array, they're all written in a more modern version of the fast file system that has a little bit more redundancy to it. So you don't get your file system torn up and stuff destroyed as much as you used to with the fast file system version one; version two is a bit more redundant. And as I said, HAMMER2 is coming. So when HAMMER2 gets here, then I guess none of us will have to worry about that ever again. I mean, you'll be able to flip the power on and off like a madman. Anyway, with this new server, I have tested it. I've pulled the power out on it multiple times while it was writing to the hard drives. And it came right back up with just a minimal amount of fsck blather on the screen. I didn't lose anything. So it's functionally as good as any Linux would be with, say, ext3; I think that would be a good equivalent. Not bad. I mean, you have some interaction on the screen, but it's not the end of the world. Of course, it'd be great if we had a journaled fast file system, but that's another story for another day. I think they'll probably implement HAMMER2 before they worry about that.
So at any rate, I have installed Fuguita on this new system, and it has a 500 gig hard drive, which is the main hard drive, and then this six terabyte drive that I said I'm using for my media storage. I have about a terabyte of information on there, and I've still got room. And I pulled the RAID out of the old server and mounted it in the new one, so I could copy the data over to this new drive and have some redundancy that way. It used to be, I just kept a USB drive that was approximately four terabytes in size that I could plug into my laptop, and I'd back up the server that way over the Wi-Fi, because if you do it in small increments, it's just not really that big a deal. You know, you might back up for 30 minutes or something while you're home, and then it's all done. So at any rate, the new server does have an Atheros Wi-Fi card in it with dual antennas, and it's got some pretty good coverage, and I'm using it with my Linux laptops, and it serves the house quite well. It's got a good strong transmitter. And I have it located in a room that's right next to where the telephone company brought in the DSL, since we live out in the magical forest, as you know. Out in the countryside, we don't have cable out here. So anyway, I thought I would discuss what I did to set up the Wi-Fi. And for that, I have to SSH over to the server, and let me just move a terminal over here to a new spot. There we go. And while SSH'd into the server, take a look at some files. You can do a little typing here. This Dell Mini 10 laptop I'm using with i386 OpenBSD is a little slow, and it just takes a moment for it to get the server up. And the server is programmed, I've gotten it set up, to launch tmux immediately, so I have a dedicated tmux interface that I can use to access the server. And we're in. So let's go through the configuration files. Let's start with the DHCP client, if we can. dhclient, I guess, the dhclient. It would help if I could type. There we go.
When you run Fuguita, you'll notice, and I'll provide copies of all these files, you'll find that there's a dhclient.conf file, C-O-N-F, in your /etc directory. And I have mine set up to take a lease off of my em0 interface, which happens to be my Ethernet port. And I have in the file a couple of items commented out: `ignore domain-name-servers`, as I plan on running dnscrypt-proxy with it later, as soon as I fix some configuration issues. And I also have a `supersede domain-name-servers` set to my local host, 127.0.0.1. Both commented out because I'm still working on my dnscrypt-proxy. I'm having a little trouble with that. But I'll iron that out, because they changed a few things in the last release that I want to work around that I had running on the old server. But for now, I'm just using the ISP's DNS because it's faster. And anymore, it seems like they're logging you on everything, anyone, even if they say they're not logging. So I may not be implementing the dnscrypt-proxy, because it seems like there have been a lot of bad actors come up and start up servers on that particular network. Anyway, in here you'll see a line that says `reject 192.168.1.1;`, with a semicolon. This is so that the dhclient, when it comes up and it gets a lease off of my ISP, won't get a lease off of itself, because it's going to have a DHCP server of its own to serve out leases to all the laptops around this house and cell phones and things that need internet access. And if you don't put that in there, then you'll just end up getting a lease from yourself, and you'll have no internet connection when you boot up. So that's never something that you want to do. Some of this stuff is a lot of examples. I won't be editing it. So you'll get to see how I actually run it. But there's also the dhcpd.conf file. And I'm going to provide an example of that. This is our actual DHCP server file.
And at the top it has declared the subnet that we're running, 192.168.1.0 with a netmask of 255.255.255.0 at the end of that, and a pointer to our optional router, 192.168.1.1, for outgoing. It has a range that it's going to supply of .40 through .19. So those will be the, I think that we call this class C, in-house IP numbers. And you'll see a list of different computers with their hardware Ethernet addresses and fixed addresses that it has assigned to various computers around the house. You could use this as an example. For instance, there's my Dell Mini 10 that has a permanent IP of 192.168.1.200 when I log in, listed there. And I give it a name and a hardware Ethernet series of numbers to match the Ethernet hardware identification for each Wi-Fi adapter. And you can see I've got quite a few computers that log into this thing. The next file we're going to look at is dhcpd.interfaces. And basically all that's in that file is the Wi-Fi interface of the server, which is athn0. It's an Atheros Wi-Fi hostap adapter, which is the one that I think Penguin seems to use the most. I've got two or three of their computers around the house here. And they use that quite a bit. Let's see if I can get this. I'm having a little trouble getting the terminal to release this. I'll pause my recording for just a second. Oh, I worked this out. Okay, we're back now. Now we're going to cover, in the /etc directory, the hostname files in OpenBSD. You set up a hostname.interfacename for every interface that you want to program. And the first one we're going to look at is hostname.athn0, which covers our Wi-Fi interface. And this is what brings the Wi-Fi card up into host mode. And you can see in here I have an inet set up of 192.168.1.5, 255.255.255.0 for my range, through 192.168.1.255. So it actually has a wider range than DHCP actually covers, I believe, for the system. media is autoselect. mediaopt is hostap. It's set to channel 4. It's got the WPA interface turned on. The nwid is fuguserv.
And then my WPA key, which is my actual key for my Wi-Fi; I put that in here, which I'll change in the text that I put up on the website for this recording. And then the word `up` to bring the interface up. The next file that we set up is hostname.bridge0. And this is our bridge interface. And here we're adding an interface called vether0, which is a virtual interface I created. em0 has been added, athn0 is added, and blocknonip on vether0, em0, and athn0, or block non-IP, I should say. And then `up`. The next file is hostname.em0. And there we have `dhcp` and `inet6 autoconf`. And then finally, the hostname.vether0 file, which has `inet 192.168.1.1 255.255.255.0 192.168.1.255`; I have that for the entire 192 range that we're going to be commingling here in our virtual interface. Now the pf.conf is rather complicated. At the top of it, we have interfaces defined: vether0, em0 and athn0 combined. And we have a list of broken interfaces that we're going to probably ban somewhere down here in the script. Yeah, we do, in the script. We also declare a table called bruteforce, which is a persistent table that we're going to use to block out SSH attackers, because SSH is the only port that's open on this interface to the outside internet, the outside world. And we start off by setting `block-policy drop` on everything. And then we set interface address, interface address. We `set skip on lo0`, we `match in all scrub (no-df random-id max-mss 1440)`. Now it would help if you got a book on the pf firewall. I'm not going to try to explain all that in this audio. I mean, this took me quite a long time to collect from various places on the internet and sort out with the book. And I'm still working on it. I mean, you could spend a lifetime studying the pf firewall. But anyway, I just provide this as an example of what I set up.
And you can see I have commented out in the middle there my block on any UDP for port 53, which is part of my setup for the DNS proxy that I'm working on. Anyway, I've been using this firewall for 12 years at least. And that's one of the great things about OpenBSD: you know, their configuration files and stuff, they don't change really that often. I mean, they improve the software, but they don't redesign everything like Linux does, to where you have to relearn everything under the sun to get anything to work. As what happened when they introduced systemd, or they went from iproute, iptables, so on, so forth; you know, over time, you had to learn a whole new way of either running firewalls or running your init system or something else, you know. And I don't like that. Anyway, this particular configuration had been running with the DNS proxy for like 12 years and working fine. And I'm just trying to iron some bugs out of that, and I'll get back with another audio in the future when I get it perfected. But typically I like to run the DNS proxy. And I'll discuss the changes that I made in the future to improve the firewall. Anyway, I'm not going to go over this firewall too much, because it would be boring and a lot of people wouldn't understand it. You need to get a book on PF, the PF firewall, and study this if you really want to follow me on it. But as you can see, this is one that I've had in development now for a good decade. And it's been running really fine; in fact, it's running right now. And the way this is set up is, if you attack my firewall unsuccessfully or reach my max connections, you will be put in the bruteforce table and banned. And I have accidentally managed to ban myself on a couple of occasions, so I know it works. Anyway, the command pfctl, or pf control, is the way you take IP numbers in and out of that table if you want to unban yourself. But you'd have to be at the console to do it.
But at any rate, in running this for a dozen years, no one has managed to get into the server at all. We need to cover the variables that need to be set in sysctl.conf to enable forwarding. And I'll include a copy of my setup of that. But important is the `net.inet.ip.forwarding=1`. And they also have a `net.inet6.ip6.forwarding`, which I have turned off because I'm not doing IPv6. And `net.inet.ip.redirect=0`. And I've got `kern.bufcachepercent` at 50 percent. And `net.inet.ip.ifq.maxlen` of 1024. `net.inet.tcp.mssdflt=1440`. `machdep.allowaperture=2`. And `machdep.lidaction=0`. All of these are covered in the man pages. OpenBSD has some fantastic man pages on sysctl and all the variables. And you can actually go through and pick out each one of these variables. But the IP forwarding one definitely has to be set to one. And it wouldn't hurt if you tuned some of the other ones. Anyway, I provided this as an example. Now let's see the rc.conf.local. I have it set up to launch several things as well. And we've got `check_quotas=NO`, `dhcpd_flags` set up for vether0, which means that's where it's going to launch the dhcpd server from. This will be listening for my guests. `ntpd_flags`, in other words, the network time protocol has been launched. There are my package scripts for dnscrypt-proxy, which are commented out at the moment. `sndiod_flags=NO`. And `unbound_flags=""`, basically two quotes, I should say. And that starts unbound, which reminds me we need to cover unbound, and I'll provide my example of that; it's fairly simple. It's under /var/unbound/etc/unbound.conf, and I'll provide that. And hopefully I didn't miss anything. I think that's about all you have to have to get it going.
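The files walked through above (dhclient.conf, dhcpd.conf, the hostname.* files, pf.conf, sysctl.conf and rc.conf.local), reconstructed from the descriptions in this episode as an added example: this is not the host's actual files, which the transcript says are posted on the website, but a POSIX sh function that writes the reconstruction into a staging directory so it can be reviewed and diffed before anything touches /etc. The upper end of the DHCP range, the DNS option handed to clients, the NAT rule and the exact nwid spelling are assumptions; the WPA key and the client MAC address are placeholders.

```shell
# Staging script for the router configuration described in the episode.
# Added example, not the host's actual files: values the transcript does
# not state are marked ASSUMED, and the WPA key and the client MAC address
# are placeholders. Files go under a directory you pass in, never straight
# into /etc, so you can diff them against the running system first.
stage_router_config() {
    dest="$1"
    mkdir -p "$dest"
    # dhclient.conf: em0 takes its lease from the ISP. The reject line
    # keeps dhclient from accepting a lease handed out by our own dhcpd.
    cat > "$dest/dhclient.conf" <<'EOF'
#ignore domain-name-servers;
#supersede domain-name-servers 127.0.0.1;
reject 192.168.1.1;
EOF

    # dhcpd.conf: the in-house subnet plus one fixed address. Upper end of
    # the range and the DNS option are ASSUMED; the MAC is a placeholder.
    cat > "$dest/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.40 192.168.1.199;
    host dellmini10 {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 192.168.1.200;
    }
}
EOF

    # hostname.athn0: bring the Atheros card up as a WPA access point.
    cat > "$dest/hostname.athn0" <<'EOF'
inet 192.168.1.5 255.255.255.0 192.168.1.255
media autoselect mediaopt hostap chan 4
nwid fuguserv wpakey CHANGE-ME-PLACEHOLDER
up
EOF

    # hostname.bridge0: bridge the virtual, wired and Wi-Fi interfaces and
    # drop non-IP frames on each, as described in the episode.
    cat > "$dest/hostname.bridge0" <<'EOF'
add vether0
add em0
add athn0
blocknonip vether0
blocknonip em0
blocknonip athn0
up
EOF

    printf 'dhcp\ninet6 autoconf\n' > "$dest/hostname.em0"
    printf 'inet 192.168.1.1 255.255.255.0 192.168.1.255\n' \
        > "$dest/hostname.vether0"

    # pf.conf: only the parts the episode names. The NAT rule is ASSUMED.
    cat > "$dest/pf.conf" <<'EOF'
ext_if="em0"
int_if="vether0"
wifi_if="athn0"
table <bruteforce> persist
set block-policy drop
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
block in all
pass out quick
pass in on { $int_if $wifi_if }
block in quick on $ext_if from <bruteforce>
pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
EOF

    # sysctl.conf: forwarding on, redirects off, plus the tuning knobs.
    cat > "$dest/sysctl.conf" <<'EOF'
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0
net.inet.ip.redirect=0
kern.bufcachepercent=50
net.inet.ip.ifq.maxlen=1024
net.inet.tcp.mssdflt=1440
machdep.allowaperture=2
machdep.lidaction=0
EOF

    # rc.conf.local: dhcpd on vether0, ntpd and unbound on, sndiod off.
    cat > "$dest/rc.conf.local" <<'EOF'
check_quotas=NO
dhcpd_flags="vether0"
ntpd_flags=""
sndiod_flags=NO
unbound_flags=""
EOF
}
```

Run `stage_router_config /tmp/fuguserv-stage` on any sh, then `pfctl -nf /tmp/fuguserv-stage/pf.conf` on the OpenBSD box to syntax-check the firewall rules before copying anything into /etc.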
Of course, if your server has different network interfaces, you'll have to audit the pf scripts and the various hostname files and perhaps the dhcp files. You'll have to edit all the files to cover the changes in your network cards. But I just set this Fuguita server, the new one, up today, and I've been testing it. I'm really happy with it. The performance is quite a bit better than OpenBSD spinning from a rusty hard drive. Even though I am using a rusty hard drive to store my data, the operating system is great, and I've added a minimal set of packages to it. Fuguita also, if you install it to a local hard drive there on the server for quick booting from the USB key, you can go into the D section, the D partition, which Fuguita should set up when it creates a new drive for you. It's part of the usbfadm command that you read about on their website, and you can go into the noasks section and edit that file and uncomment the appropriate lines to get it to auto boot. So when the power goes out, what the server does is it'll auto on, and it brings Fuguita up from the first 500 gig hard drive. You know, it boots it up from there. And Fuguita has the option of creating either an old BIOS, a standard BIOS boot configuration, or EFI, UEFI I mean, or a hybrid, which is a combination of the two, which is what I'm using. And this server will boot UEFI, but I've got it set up to where it just boots, you know, from standard BIOS, because frankly I hate UEFI, I do. But it's nice to know that I have the option of putting it on a UEFI server, and it will boot from it and run. Now the other great thing about this is, since I have this configuration, everything, all my programs, my SSH keys and everything, is set up, excuse me, on a USB key disk; in other words, it's an exact copy of what I have on the server installed to the main 500 gig drive, you know, or the working drive for the operating system.
I can take it to any other server, you know, somebody's house, and install this and just change a few configuration files and have them set up with a server in less than an hour, you know, and show them how to maintain it. Because like I said, maintenance on one of these is just as easy as downloading a new image from the Fuguita website as they provide patches, and just copying a few of these configuration files into it. Because like I said, the configuration files, mine haven't changed in over 12 years, with the exception of the dnscrypt-proxy, because they keep, you know, they keep redesigning dnscrypt-proxy and they keep coming up with new dnscrypt-proxy files, server files, because servers come and go, you know, and you have to keep following that. I mean that's been sometimes a real constant source of irritation for me, to keep that going and, you know, keep it with performance; you know, performance is the issue, I think, for me. But if you run it like I suggested and just use your ISP's natural DNS, the thing runs like a bullet. I mean, it's really very fast.
So anyway, I'll copy these files out to the website so you can just have a look at it and have a go at it. And like I said, you won't have to worry about corrupting any of your file system with Fuguita and OpenBSD if the power goes out, because when the power comes back on, the server will auto start, which most of the new ones do now; you know, you don't have to be there to push the power button. And it'll just load that stuff up from the first hard drive there, the small hard drive that they give you, or the USB stick if you've got it set up to boot from USB stick, put it into memory, and then it'll be sitting there waiting for you to log on so you can mount your main hard drive or your data disks and, you know, do a file corruption check on it and maybe restore from a backup, if you happen to have a backup array like I do. You know, I'm using my old drives as the backup array right now for the new drive. So if anything happens, I can just use an rsync backup and do a hash check on it to make sure that all the files are correct, which takes a little longer, but that's good. Because, you know, some day soon we'll be onto the HAMMER2 file system, and I won't even have to do that; I won't have to worry about it. And maybe I can just make backups to a USB drive again, like I had been doing, and carry them with me in the car in case the house burned down or something, or a tornado wipes out the house and kills my family and everything while I'm gone. Hopefully not, but at any rate it works great and my entire family loves it. Especially this new server has got a really great Wi-Fi card in it.
It's so much better than a damn store bought Wi-Fi router. Plus OpenBSD does packet inspection and everything else, in addition to providing that fantastic firewall for you, and, you know, I just sleep a lot better now. I used to run Slackware servers for years, and I'd run it with fail2ban, and, you know, fail2ban is almost like a weekly hassle to keep up with the latest attacks. It is, because there are people coming up with new things, ping of death and all these other things that affect Linux. Even on the old Linux Action Show, I remember Chris Fisher running a script where he gained root access in less than 30 seconds on his box, and he just showed how that script worked right there in the video. And I understand that there are like six or seven scripts floating around there that will exploit the Linux kernel in the same manner. Not to mention the fact that we still have the Spectre problem, and OpenBSD resolved that by simply turning off the symmetrical multithreading, the SMT, SMT I guess it is, within their kernel, so I don't have to worry about that. It really is the most secure operating system in the world. I don't think anybody makes a commercial operating system that comes close to it, certainly not. I mean, OpenBSD also currently has a floating port system that's just like Arch Linux, in that as soon as a new version of a particular program comes out, they'll throw it out there, particularly on the server side, and also with certain desktop applications, they'll throw it out there. You know, and they release every May and every November, I believe, and so you get these updates to certain packages during the entire time, which is something you don't even get with Ubuntu. So I think when they get the HAMMER2 file system in here, I think more people will probably start using OpenBSD, because frankly, for most of us, it's a better system; it just is. And it has more modern software than Debian, for sure.
So I've been slowly pushed away from Linux in the last 15 years, going to OpenBSD, and I'm quite happy with what I'm seeing. They also have the ability to do a sysupgrade command from root, which is how I upgraded this little Dell Mini 10 I'm talking to you from, from OpenBSD 6.6 to 6.7. So I don't even have to reinstall the entire operating system; it does it for you automatically, like as if you were using Ubuntu, almost; really quite better than it was 12 years ago, where if you wanted to upgrade in place you had to download the CVS copy of the source image and recompile your entire operating system, and then go through and, of course, edit all your configuration files. Which is another plus for Fuguita, because you did have to occasionally edit configuration files to get new options, and it makes it so much easier. When I go to the 6.7 version of Fuguita, I'm on 6.6 right now with this server, I'll just go through and read each configuration file that kaw puts on there to see if there are any new options, and go through the man pages, you know, as I set up the new server. You know, I can do that in QEMU and actually boot up a copy of Fuguita 6.7 when it comes out in QEMU and edit it all, edit all that stuff, and set up my own USB key right on the server, and then reboot into that USB key and reinstall to the hard drive, and I could be on 6.7 in less than two hours. You know, the biggest deal is making sure you have all your configuration files edited properly, which is one of the big complaints I think most people who are power users, especially server users, have about Ubuntu: how it handles the updates to all the various server files. Because in Linux the changes are much more severe; you know, you really have to keep on top of configuration files when you go from, say, 16.04 to 18.04 or whatever, or you're going to 20.04. I mean, you just never know what they're going to do next, and Debian is particularly deadly on that. But yeah, I'm really very happy with this, and
I'm going to go ahead and conclude, and wish you all a happy day. It's good to be able to make an audio again, and we'll make one again soon, hopefully. Bye for now.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.