From fastgoldfish at gmail.com Wed Jul 3 02:42:24 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Tue, 2 Jul 2013 23:42:24 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com>
Message-ID:

There is a bug in pfSense. I haven't figured out how to report it yet,
but here's the one-liner command I used to fix it:

setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

Then you can run pkg_add normally, like this:

pkg_add -r tor

or even better:

pkg_add -v -r tor

The problem was that there are no packages for FreeBSD 8.1 in the
usual location where we would expect to find them, and where pfSense
looks and fails to retrieve the Tor package. You can see for yourself
that there's nothing for 8.1:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/

I did some looking around, and I found 8.1's packages here;

ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

So, to make pkg_add look there instead, I just did this (which I
mentioned at the beginning of this post):

setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

I'm surprised such a fundamental problem hasn't been noticed before.
Maybe it has been noticed before, but there's no way to report the
bug, and so nobody bothered to fix it. That meant that only the
experienced users would be able to solve the problems themselves, and
newcomers like me would have to debug it and come up with a solution
from scratch. Voila! :)

On Thu, Jun 27, 2013 at 10:13 PM, fastgoldfish at gmail.com wrote:
> Enter an option: 8
>
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(1): pkg_add -r tor
> Error: Unable to get
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz:
> File unavailable (e.g., file not found, no access)
> pkg_add: unable to fetch
> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz'
> by URL
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(2): pkg_add -r tor-devel
> Error: Unable to get
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz:
> File unavailable (e.g., file not found, no access)
> pkg_add: unable to fetch
> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz'
> by URL
> [2.0.3-RELEASE][root at pfSense.localdomain]/root(3):
>
> Darn, I was hoping that would work.
>
> Whonix is quite a bit different from the other similar efforts.
> adrelanos seems to have found the magic balance between keeping it
> simple, and making it eminently effective. He has delivered a finished
> product that actually works, and works very well. It is able to
> survive a root-job without losing anonymity, in some circumstances. I
> have watched many other ideas come and go, and none of them reached
> the level of usability and common-sense simplicity that Whonix has. I
> think that might be merely because it is an idea whose time has come.
>
> adrelanos is investigating the possibility of building his next
> version of the Whonix Gateway on pfSense. I'm not sure whether he'll
> do that or not, but I think I've gotten his attention focused on
> pfSense based on just a few of its many advantages that I'm aware of.
> One thing that has kept Whonix on Debian is its wide usage. From the
> point of view of adrelanos, he thinks that gives Debian more "peer
> review" for bugs and other flaws.
>
> Based on what I've learned about pfSense in this discussion, I think
> pfSense is probably better even in the popularity contest comparison
> because it's simpler and more specialized. That makes it an
> apples-to-oranges comparison with a general purpose system (Debian),
> and a refined network-specialist system (pfSense). pfSense is destined
> to come out on top in that kind of a comparison.
>
> And, like you said, the 100'000+ pfSense installs makes it much more
> likely that Tor will be used on a significant fraction of them.
>
> As best I can tell, it looks to me that pfSense can be used to force
> Tor as the only way in or out of a network by setting up a static
> route. The LAN interface is routed to Tor, and Tor is routed to the
> WAN interface. That's essentially what the Whonix Gateway does, after
> stripping out all of the superfluous unnecessary stuff from Debian, if
> I understand it correctly.
>
> For that use case, it would be nice to have a checkbox for "Isolate
> LAN on Tor" which sets up the routing, perhaps with a brief guided
> configuration step. From there, an entire network of machines and all
> of their applications, can be forcibly Torified such that none of the
> machines and applications on the LAN are aware of the public IP of the
> WAN, and so they cannot leak it, even if they get rooted. Then, users
> can happily use Flash, JavaScript, and all the other things they want,
> with the benefits of Tor that suit their use cases. There are several
> very different use cases that need to be spelled out so people
> understand what they're getting and what they're not getting.
>
> Finally, there's the very important ability to set up dedicated
> bridges, relays, and exits in a straightforward way, such that anyone
> running pfSense is ready to go.
> That will be very exciting, especially
> because it opens up the possibility of ISPs contributing to the Tor
> infrastructure, and maybe also offering their clients access to the
> Tor network with little or no configuration on the client's part. The
> clients would still need a solid understanding of what Tor can and
> can't do for them, but once educated, they'll be able to benefit from
> the advantages Tor can give them, while avoiding the pitfalls in
> realms where Tor is unsuited.
>
>
>
> On Thu, Jun 27, 2013 at 9:05 PM, George Rosamond wrote:
>> fastgoldfish at gmail.com:
>>> I found this, which looks to be straightforward:
>>>
>>> http://doc.pfsense.org/index.php/Developing_Packages
>>>
>>> I don't understand all that's going on with that. Does anyone know if
>>> there's a "hello world" package to play with? I couldn't find one.
>>>
>>
>> 'hello world' for pfSense packages?? woah.
>>
>> More inline below.
>>
>>> On Wed, Jun 26, 2013 at 7:09 PM, fastgoldfish at gmail.com wrote:
>>>> I sent a message to adrelanos, the person developing the Whonix
>>>> system, to make him aware of this discussion. I think pfSense may have
>>>> the potential to provide a much more powerful and flexible replacement
>>>> for the Whonix Gateway. pfSense could be used to serve needs that the
>>>> Whonix Gateway currently is not designed for, but pfSense can still
>>>> serve the very narrow set of use cases that the Whonix system is
>>>> currently the best tool for.
>>
>> I don't know a lot about Whonix, but I do know a bit about other similar
>> projects, and most have stopped moving forward in any real way.
>>
>> pfSense has huge advantages as a platform over these other systems:
>>
>> 1. it has a significant install base that they don't
>>
>> 2. pfsense didn't try to be all things to all people when it launched,
>> but it has scaled to do more in time, as appropriate, with a solid
>> framework.
>>
>>>>
>>>> Beyond that, pfSense can do things that we haven't even thought of
>>>> yet. One thing I've discussed with adrelanos is a Tor-friendly ISP
>>>> that could provide a Tor gateway that will forcibly torify all
>>>> communications. Some other very important use cases are:
>>>>
>>>> * Making it easy for someone to conceal the location of a Tor hidden
>>>> service, even if it gets rooted (which Whonix theoretically could do).
>>>>
>>>> * Making it easy for someone to run a Tor relay or bridge.
>>>>
>>>> And more!
>>>>
>>>> On Wed, Jun 26, 2013 at 3:57 PM, Brian Callahan wrote:
>>>>> On 06/26/13 15:45, badon wrote:
>>>>>>
>>>>>> The mention of PBI's is interesting, because I just installed PCBSD too,
>>>>>> and I think that's what PCBSD uses.
>>>>>
>>>>>
>>>>> Makes sense, as both are based off FreeBSD ;-) The PBI is a PCBSD invention,
>>>>> but afaik the framework (though not necessarily the individual PBI packages)
>>>>> will work on any FreeBSD-based system, including vanilla FreeBSD.
>>>>>
>>>>>
>>>>>> There is already a PBI in PCBSD, but I'm not sure if that's suitable for
>>>>>> Pfsense or not.
>>>>>
>>>>>
>>>>> I would say "probably not" to this. But the mechanism for generating a
>>>>> suitable PBI for pfsense should be similar if not identical to PCBSD (if you
>>>>> know how to do that).
>>>>>
>>>>> Otherwise - consider this a bump to George for making a pfsense Tor PBI :)
>>
>> So, yeah, this has been on my list for a while, and I know there's
>> interest in it.
>>
>> I will be looking at it more seriously in the next week or so. In the
>> meantime, try going to the pfsense shell and typing "pkg_add -r tor" or
>> tor-devel. I think devel is fine.
>>
>> I'll need to go back to the xml configs and start reworking.
>>
>> Despite the long torrc file, there's only really a handful of config
>> options necessary, so a basic operational config isn't that hard.
>>
>> Adding hidden services, etc., might be later goals, but to me the goal
>> should be a simple bridge or relay that any user could just set up in a
>> few minutes.
>>
>> The number you can toss around is this: if there were 100,000 known
>> pfSense installs in November 2011, 2% of them running a bridge or relay
>> would have an enormous impact on the Tor network, which only has about
>> 3700 public relays at the moment, plus somewhere under 2000 known bridges.
>>
>> Another important impact is on the current Linux monoculture. The vast
>> majority of Tor nodes are Linux by a long shot. Bumping up the FreeBSD
>> numbers, at least, would break up that issue to an extent.
>>
>> g
>>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk

From fastgoldfish at gmail.com Wed Jul 3 04:34:55 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Wed, 3 Jul 2013 01:34:55 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com>
Message-ID:

It looks like the 8.1 version of FREEBSD packages contains an outdated
version of Tor, so I just changed my setenv to this to get the
maintained 8.3 packages:

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/

I installed Tor from that, and nothing bad happened.

On Tue, Jul 2, 2013 at 11:42 PM, fastgoldfish at gmail.com wrote:
> There is a bug in pfSense.
> I haven't figured out how to report it yet,
> but here's the one-liner command I used to fix it:
>
> setenv PACKAGESITE
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> Then you can run pkg_add normally, like this:
>
> pkg_add -r tor
>
> or even better:
>
> pkg_add -v -r tor
>
> The problem was that there are no packages for FreeBSD 8.1 in the
> usual location where we would expect to find them, and where pfSense
> looks and fails to retrieve the Tor package. You can see for yourself
> that there's nothing for 8.1:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
>
> I did some looking around, and I found 8.1's packages here;
>
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> So, to make pkg_add look there instead, I just did this (which I
> mentioned at the beginning of this post):
>
> setenv PACKAGESITE
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> I'm surprised such a fundamental problem hasn't been noticed before.
> Maybe it has been noticed before, but there's no way to report the
> bug, and so nobody bothered to fix it. That meant that only the
> experienced users would be able to solve the problems themselves, and
> newcomers like me would have to debug it and come up with a solution
> from scratch. Voila! :)
>
> On Thu, Jun 27, 2013 at 10:13 PM, fastgoldfish at gmail.com wrote:
>> Enter an option: 8
>>
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(1): pkg_add -r tor
>> Error: Unable to get
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz:
>> File unavailable (e.g., file not found, no access)
>> pkg_add: unable to fetch
>> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor.tbz'
>> by URL
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(2): pkg_add -r tor-devel
>> Error: Unable to get
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz:
>> File unavailable (e.g., file not found, no access)
>> pkg_add: unable to fetch
>> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/tor-devel.tbz'
>> by URL
>> [2.0.3-RELEASE][root at pfSense.localdomain]/root(3):
>>
>> Darn, I was hoping that would work.
>>
>> Whonix is quite a bit different from the other similar efforts.
>> adrelanos seems to have found the magic balance between keeping it
>> simple, and making it eminently effective. He has delivered a finished
>> product that actually works, and works very well. It is able to
>> survive a root-job without losing anonymity, in some circumstances. I
>> have watched many other ideas come and go, and none of them reached
>> the level of usability and common-sense simplicity that Whonix has. I
>> think that might be merely because it is an idea whose time has come.
>>
>> adrelanos is investigating the possibility of building his next
>> version of the Whonix Gateway on pfSense. I'm not sure whether he'll
>> do that or not, but I think I've gotten his attention focused on
>> pfSense based on just a few of its many advantages that I'm aware of.
>> One thing that has kept Whonix on Debian is its wide usage. From the
>> point of view of adrelanos, he thinks that gives Debian more "peer
>> review" for bugs and other flaws.
>>
>> Based on what I've learned about pfSense in this discussion, I think
>> pfSense is probably better even in the popularity contest comparison
>> because it's simpler and more specialized. That makes it an
>> apples-to-oranges comparison with a general purpose system (Debian),
>> and a refined network-specialist system (pfSense). pfSense is destined
>> to come out on top in that kind of a comparison.
>>
>> And, like you said, the 100'000+ pfSense installs makes it much more
>> likely that Tor will be used on a significant fraction of them.
>>
>> As best I can tell, it looks to me that pfSense can be used to force
>> Tor as the only way in or out of a network by setting up a static
>> route. The LAN interface is routed to Tor, and Tor is routed to the
>> WAN interface. That's essentially what the Whonix Gateway does, after
>> stripping out all of the superfluous unnecessary stuff from Debian, if
>> I understand it correctly.
>>
>> For that use case, it would be nice to have a checkbox for "Isolate
>> LAN on Tor" which sets up the routing, perhaps with a brief guided
>> configuration step. From there, an entire network of machines and all
>> of their applications, can be forcibly Torified such that none of the
>> machines and applications on the LAN are aware of the public IP of the
>> WAN, and so they cannot leak it, even if they get rooted. Then, users
>> can happily use Flash, JavaScript, and all the other things they want,
>> with the benefits of Tor that suit their use cases. There are several
>> very different use cases that need to be spelled out so people
>> understand what they're getting and what they're not getting.
>>
>> Finally, there's the very important ability to set up dedicated
>> bridges, relays, and exits in a straightforward way, such that anyone
>> running pfSense is ready to go.
>> That will be very exciting, especially
>> because it opens up the possibility of ISPs contributing to the Tor
>> infrastructure, and maybe also offering their clients access to the
>> Tor network with little or no configuration on the client's part. The
>> clients would still need a solid understanding of what Tor can and
>> can't do for them, but once educated, they'll be able to benefit from
>> the advantages Tor can give them, while avoiding the pitfalls in
>> realms where Tor is unsuited.
>>
>>
>>
>> On Thu, Jun 27, 2013 at 9:05 PM, George Rosamond wrote:
>>> fastgoldfish at gmail.com:
>>>> I found this, which looks to be straightforward:
>>>>
>>>> http://doc.pfsense.org/index.php/Developing_Packages
>>>>
>>>> I don't understand all that's going on with that. Does anyone know if
>>>> there's a "hello world" package to play with? I couldn't find one.
>>>>
>>>
>>> 'hello world' for pfSense packages?? woah.
>>>
>>> More inline below.
>>>
>>>> On Wed, Jun 26, 2013 at 7:09 PM, fastgoldfish at gmail.com wrote:
>>>>> I sent a message to adrelanos, the person developing the Whonix
>>>>> system, to make him aware of this discussion. I think pfSense may have
>>>>> the potential to provide a much more powerful and flexible replacement
>>>>> for the Whonix Gateway. pfSense could be used to serve needs that the
>>>>> Whonix Gateway currently is not designed for, but pfSense can still
>>>>> serve the very narrow set of use cases that the Whonix system is
>>>>> currently the best tool for.
>>>
>>> I don't know a lot about Whonix, but I do know a bit about other similar
>>> projects, and most have stopped moving forward in any real way.
>>>
>>> pfSense has huge advantages as a platform over these other systems:
>>>
>>> 1. it has a significant install base that they don't
>>>
>>> 2. pfsense didn't try to be all things to all people when it launched,
>>> but it has scaled to do more in time, as appropriate, with a solid
>>> framework.
>>>
>>>>>
>>>>> Beyond that, pfSense can do things that we haven't even thought of
>>>>> yet. One thing I've discussed with adrelanos is a Tor-friendly ISP
>>>>> that could provide a Tor gateway that will forcibly torify all
>>>>> communications. Some other very important use cases are:
>>>>>
>>>>> * Making it easy for someone to conceal the location of a Tor hidden
>>>>> service, even if it gets rooted (which Whonix theoretically could do).
>>>>>
>>>>> * Making it easy for someone to run a Tor relay or bridge.
>>>>>
>>>>> And more!
>>>>>
>>>>> On Wed, Jun 26, 2013 at 3:57 PM, Brian Callahan wrote:
>>>>>> On 06/26/13 15:45, badon wrote:
>>>>>>>
>>>>>>> The mention of PBI's is interesting, because I just installed PCBSD too,
>>>>>>> and I think that's what PCBSD uses.
>>>>>>
>>>>>>
>>>>>> Makes sense, as both are based off FreeBSD ;-) The PBI is a PCBSD invention,
>>>>>> but afaik the framework (though not necessarily the individual PBI packages)
>>>>>> will work on any FreeBSD-based system, including vanilla FreeBSD.
>>>>>>
>>>>>>
>>>>>>> There is already a PBI in PCBSD, but I'm not sure if that's suitable for
>>>>>>> Pfsense or not.
>>>>>>
>>>>>>
>>>>>> I would say "probably not" to this. But the mechanism for generating a
>>>>>> suitable PBI for pfsense should be similar if not identical to PCBSD (if you
>>>>>> know how to do that).
>>>>>>
>>>>>> Otherwise - consider this a bump to George for making a pfsense Tor PBI :)
>>>
>>> So, yeah, this has been on my list for a while, and I know there's
>>> interest in it.
>>>
>>> I will be looking at it more seriously in the next week or so. In the
>>> meantime, try going to the pfsense shell and typing "pkg_add -r tor" or
>>> tor-devel. I think devel is fine.
>>>
>>> I'll need to go back to the xml configs and start reworking.
>>>
>>> Despite the long torrc file, there's only really a handful of config
>>> options necessary, so a basic operational config isn't that hard.
>>>
>>> Adding hidden services, etc., might be later goals, but to me the goal
>>> should be a simple bridge or relay that any user could just set up in a
>>> few minutes.
>>>
>>> The number you can toss around is this: if there were 100,000 known
>>> pfSense installs in November 2011, 2% of them running a bridge or relay
>>> would have an enormous impact on the Tor network, which only has about
>>> 3700 public relays at the moment, plus somewhere under 2000 known bridges.
>>>
>>> Another important impact is on the current Linux monoculture. The vast
>>> majority of Tor nodes are Linux by a long shot. Bumping up the FreeBSD
>>> numbers, at least, would break up that issue to an extent.
>>>
>>> g

From george at ceetonetechnology.com Wed Jul 3 06:21:54 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 03 Jul 2013 06:21:54 -0400
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com>
Message-ID: <51D3FB42.50708@ceetonetechnology.com>

fastgoldfish at gmail.com:
> There is a bug in pfSense. I haven't figured out how to report it yet,
> but here's the one-liner command I used to fix it:
>
> setenv PACKAGESITE
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> Then you can run pkg_add normally, like this:
>
> pkg_add -r tor
>
> or even better:
>
> pkg_add -v -r tor
>
> The problem was that there are no packages for FreeBSD 8.1 in the
> usual location where we would expect to find them, and where pfSense
> looks and fails to retrieve the Tor package.
> You can see for yourself
> that there's nothing for 8.1:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
>
> I did some looking around, and I found 8.1's packages here;
>
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> So, to make pkg_add look there instead, I just did this (which I
> mentioned at the beginning of this post):
>
> setenv PACKAGESITE
> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>
> I'm surprised such a fundamental problem hasn't been noticed before.
> Maybe it has been noticed before, but there's no way to report the
> bug, and so nobody bothered to fix it. That meant that only the
> experienced users would be able to solve the problems themselves, and
> newcomers like me would have to debug it and come up with a solution
> from scratch. Voila! :)

Manually installing packages isn't a normal function for pfSense. They
make it clear that it's unsupported in the documentation.

And yes, at this point, FreeBSD doesn't keep packages synchronized with
ports, but that should be changing in the (nearer) future.

Also, if you go through the pfSense documentation, they explain finding
the packages based on the pfSense version of FreeBSD you are using.

But again, it's not a bug since it's not a supported feature.

g

From george at ceetonetechnology.com Wed Jul 3 06:26:04 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 03 Jul 2013 06:26:04 -0400
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com>
Message-ID: <51D3FC3C.7020407@ceetonetechnology.com>

fastgoldfish at gmail.com:
> It looks like the 8.1 version of FREEBSD packages contains an outdated
> version of Tor, so I just changed my setenv to this to get the
> maintained 8.3 packages:
>
> setenv PACKAGESITE
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/
>
> I installed Tor from that, and nothing bad happened.

(read both emails and replied to package versus port issue in that one).

Tor versions (whether stable or devel) aren't tied to any particular
FreeBSD version. Using current versions of Tor on 7.x, 8.x, 9.x and
10.x shouldn't matter.

So I picked this project up again the other day.

I can run Tor fine on a pfSense box, no issues.

I have most of the XML configuration done.

At this point, I need to get it to install smoothly as a pfSense package.

Once I have it operational I can let people test but that will happen
offlist.

If you're in NYC, fastgoldfish, we can discuss more at the meeting tonight.

g

From fastgoldfish at gmail.com Wed Jul 3 06:31:27 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Wed, 3 Jul 2013 03:31:27 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To: <51D3FB42.50708@ceetonetechnology.com>
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com> <51D3FB42.50708@ceetonetechnology.com>
Message-ID:

Where can I read more about packages being better synchronized with
ports in the future?
Is that something formally planned or in progress?

On Wed, Jul 3, 2013 at 3:21 AM, George Rosamond wrote:
> fastgoldfish at gmail.com:
>> There is a bug in pfSense. I haven't figured out how to report it yet,
>> but here's the one-liner command I used to fix it:
>>
>> setenv PACKAGESITE
>> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>>
>> Then you can run pkg_add normally, like this:
>>
>> pkg_add -r tor
>>
>> or even better:
>>
>> pkg_add -v -r tor
>>
>> The problem was that there are no packages for FreeBSD 8.1 in the
>> usual location where we would expect to find them, and where pfSense
>> looks and fails to retrieve the Tor package. You can see for yourself
>> that there's nothing for 8.1:
>>
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/
>>
>> I did some looking around, and I found 8.1's packages here;
>>
>> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>>
>> So, to make pkg_add look there instead, I just did this (which I
>> mentioned at the beginning of this post):
>>
>> setenv PACKAGESITE
>> ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/
>>
>> I'm surprised such a fundamental problem hasn't been noticed before.
>> Maybe it has been noticed before, but there's no way to report the
>> bug, and so nobody bothered to fix it. That meant that only the
>> experienced users would be able to solve the problems themselves, and
>> newcomers like me would have to debug it and come up with a solution
>> from scratch. Voila! :)
>
> Manually installing packages isn't a normal function for pfSense. They
> make it clear that it's unsupported in the documentation.
>
> And yes, at this point, FreeBSD doesn't keep packages synchronized with
> ports, but that should be changing in the (nearer) future.
>
> Also, if you go through the pfSense documentation, they explain finding
> the packages based on the pfSense version of FreeBSD you are using.
>
> But again, it's not a bug since it's not a supported feature.
>
> g

From fastgoldfish at gmail.com Wed Jul 3 06:49:28 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Wed, 3 Jul 2013 03:49:28 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To: <51D3FC3C.7020407@ceetonetechnology.com>
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com> <51D3FC3C.7020407@ceetonetechnology.com>
Message-ID:

I'm not in New York City, unfortunately. Can you email me directly
about testing the pfSense package for Tor, if you prefer to discuss it
off-list? I'd love to give it a spin.

On Wed, Jul 3, 2013 at 3:26 AM, George Rosamond wrote:
> fastgoldfish at gmail.com:
>> It looks like the 8.1 version of FREEBSD packages contains an outdated
>> version of Tor, so I just changed my setenv to this to get the
>> maintained 8.3 packages:
>>
>> setenv PACKAGESITE
>> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/
>>
>> I installed Tor from that, and nothing bad happened.
>
>
> (read both emails and replied to package versus port issue in that one).
>
> Tor versions (whether stable or devel) aren't tied to any particular
> FreeBSD version. Using current versions of Tor on 7.x, 8.x, 9.x and
> 10.x shouldn't matter.
>
> So I picked this project up again the other day.
>
> I can run Tor fine on a pfSense box, no issues.
>
> I have most of the XML configuration done.
>
> At this point, I need to get it to install smoothly as a pfSense package.
>
> Once I have it operational I can let people test but that will happen
> offlist.
>
> If you're in NYC, fastgoldfish, we can discuss more at the meeting tonight.
>
> g

From george at ceetonetechnology.com Wed Jul 3 15:03:40 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 03 Jul 2013 15:03:40 -0400
Subject: [nycbug-talk] Jordan Hubbard joins iXsystems...
Message-ID: <51D4758C.9040003@ceetonetechnology.com>

Wow.

http://www.ixsystems.com/resources/ix/news/apple-s-jordan-hubbard-joins-ixsystems.html

I don't know him personally, although he just appeared on the FreeBSD
arm list recently.

His role in FreeBSD has been enormous, even after he went to Apple.

Pretty big deal.

g

From ike at blackskyresearch.net Wed Jul 3 16:54:29 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Wed, 3 Jul 2013 16:54:29 -0400
Subject: [nycbug-talk] Lost My Charger, Tonight's Meeting
Message-ID: <1372884903-2416062.51480384.fr63KsKum031856@rs149.luxsci.com>

Hi All,

I lost my laptop charger, and need one for tonight's meeting-

Can anyone let me borrow a MacBook charger? (not the newest one, any
number of the old ones will work great)

Thanks!

Rocket-
.ike

From mark.saad at ymail.com Wed Jul 3 17:05:14 2013
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 3 Jul 2013 17:05:14 -0400
Subject: [nycbug-talk] Lost My Charger, Tonight's Meeting
In-Reply-To: <1372884903-2416062.51480384.fr63KsKum031856@rs149.luxsci.com>
References: <1372884903-2416062.51480384.fr63KsKum031856@rs149.luxsci.com>
Message-ID:

Ike
I have you covered.

On Wed, Jul 3, 2013 at 4:54 PM, Isaac (.ike) Levy wrote:
> Hi All,
>
> I lost my laptop charger, and need one for tonight's meeting-
>
> Can anyone let me borrow a MacBook charger? (not the newest one, any
> number of the old ones will work great)
>
> Thanks!
>
> Rocket-
> .ike
>

--
Mark Saad | mark.saad at ymail.com

From ike at blackskyresearch.net Wed Jul 3 17:08:59 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Wed, 3 Jul 2013 17:08:59 -0400
Subject: [nycbug-talk] Lost My Charger, Tonight's Meeting
In-Reply-To:
References: <1372884903-2416062.51480384.fr63KsKum031856@rs149.luxsci.com>
Message-ID: <1372885742-8474298.22567554.fr63L8nPr018641@rs149.luxsci.com>

On Jul 3, 2013, at 5:05 PM, Mark Saad wrote:
> Ike
> I have you covered.

You rock sir. Thanks!

Best,
.ike

>
>
> On Wed, Jul 3, 2013 at 4:54 PM, Isaac (.ike) Levy wrote:
> Hi All,
>
> I lost my laptop charger, and need one for tonight's meeting-
>
> Can anyone let me borrow a MacBook charger? (not the newest one, any number of the old ones will work great)
>
> Thanks!
>
> Rocket-
> .ike
>
> --
>
> Mark Saad | mark.saad at ymail.com

From fastgoldfish at gmail.com Thu Jul 4 22:20:55 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Thu, 4 Jul 2013 19:20:55 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com> <51D3FC3C.7020407@ceetonetechnology.com>
Message-ID:

I was referred to some more information about configuring
FreeBSD/pfSense for use with Tor, but most of it is over my head for
now:

http://lists.freebsd.org/pipermail/freebsd-questions/2009-March/194405.html

That was shared with me by idwer in Freenode's ##pfsense. It looks to
me that what is being described there is not merely a transparent
proxy, but instead actually a more thorough isolating proxy. The two
kinds are described here:

https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy

It looks like it's not so straightforward as I thought it would be.
Installing Tor on pfSense and setting up some trivial routing rules
isn't all there is to it, and it's a little out of my league for now.
When the proper pfSense package for Tor is available, the system
configuration prerequisites will already be handled. Then, maybe the
problem will be reduced to the simpler routing setup that I was
originally expecting.

I hope this info helps.

On Wed, Jul 3, 2013 at 3:49 AM, fastgoldfish at gmail.com wrote:
> I'm not in New York City, unfortunately.
> Can you email me directly
> about testing the pfSense package for Tor, if you prefer to discuss it
> off-list? I'd love to give it a spin.
>
> On Wed, Jul 3, 2013 at 3:26 AM, George Rosamond wrote:
>> fastgoldfish at gmail.com:
>>> It looks like the 8.1 version of FREEBSD packages contains an outdated
>>> version of Tor, so I just changed my setenv to this to get the
>>> maintained 8.3 packages:
>>>
>>> setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/
>>>
>>> I installed Tor from that, and nothing bad happened.
>>
>>
>> (read both emails and replied to package versus port issue in that one).
>>
>> Tor versions (whether stable or devel) aren't tied to any particular
>> FreeBSD version. Using current versions of Tor on 7.x, 8.x, 9.x and
>> 10.x shouldn't matter.
>>
>> So I picked this project up again the other day.
>>
>> I can run Tor fine on a pfSense box, no issues.
>>
>> I have most of the XML configuration done.
>>
>> At this point, I need to get it to install smoothly as a pfSense package.
>>
>> Once I have it operational I can let people test but that will happen
>> offlist.
>>
>> If you're in NYC, fastgoldfish, we can discuss more at the meeting tonight.
>>
>> g

From george at ceetonetechnology.com Fri Jul 5 00:14:56 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 05 Jul 2013 00:14:56 -0400
Subject: [nycbug-talk] pfsense and tor
In-Reply-To:
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com> <51D3FC3C.7020407@ceetonetechnology.com>
Message-ID: <51D64840.3040906@ceetonetechnology.com>

fastgoldfish at gmail.com:
> I was referred to some more information about configuring
> FreeBSD/pfSense for use with Tor, but most of it is over my head for
> now:
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2009-March/194405.html
>
> That was shared with me by idwer in Freenode's ##pfsense. It looks to
> me that what is being described there is not merely a transparent
> proxy, but instead actually a more thorough isolating proxy. The two
> kinds are described here:
>
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
>
> It looks like it's not so straightforward as I thought it would be.
> Installing Tor on pfSense and setting up some trivial routing rules
> isn't all there is to it, and it's a little out of my league for now.
> When the proper pfSense package for Tor is available, the system
> configuration prerequisites will already be handled. Then, maybe the
> problem will be reduced to the simpler routing setup that I was
> originally expecting.
>
> I hope this info helps.

Thanks Fish.

I can tell you that I have tabled it for the rest of the week, but have Tor running fine on pfSense as a pkg install.

I think the initial goal is just to get pfSense running as a relay/bridge/whatever for now.
The idea is to bump the number of Tor nodes.

And I mean, with the pfSense interface, add the pkg, click enable, and deal with a handful of settings. Let's lower the bar of entry while providing real relay functionality.

Performing transparent proxying is a further "phase II" in my opinion. That is a larger project for a variety of reasons, and not immediate in need for other reasons.

First, just set up SOCKS on a Tor relay manually.. and configure clients to use it.

Second, the problem with a number of "all-in-one" systems which attempt to integrate Tor proxying is they really try to do too much without scaling the functions. Let's get the basics operational and 'out in the wild' in production before we try to satisfy every need. I'd like to see a real user base for a pfSense Tor package that allows us to recognize any potential issues.

BTW, it *may* be more appropriate to have these discussions on our Tor-BSD list (lists.nycbug.org).

g

From fastgoldfish at gmail.com Fri Jul 5 03:34:16 2013
From: fastgoldfish at gmail.com (fastgoldfish at gmail.com)
Date: Fri, 5 Jul 2013 00:34:16 -0700
Subject: [nycbug-talk] pfsense and tor
In-Reply-To: <51D64840.3040906@ceetonetechnology.com>
References: <51B60CB7.1030708@nomadlogic.org> <51B66857.1000901@devio.us> <51B681EB.3050800@ceetonetechnology.com> <51CB71C8.4070601@devio.us> <51CD0BA4.5040109@ceetonetechnology.com> <51D3FC3C.7020407@ceetonetechnology.com> <51D64840.3040906@ceetonetechnology.com>
Message-ID:

I'm a big fan of starting small, so I agree with just getting everything working. That's what you are working on. When you're done, maybe I'll eventually be able to figure out how to do more sophisticated things with it, and I can send you my settings. Once the XML is prepared for the basics, it should be easier for me to find a spot to stick some other configuration parameters, if I get that far.
Also, I know adrelanos is curious about where this goes, so if I succeed in making some progress, I might be able to persuade him to collaborate to put some polish on it so it will be suitable for use as the gateway in his Whonix project. He has said there is already one other person who is doing something similar with PF in OpenBSD. Basically, everybody is endlessly reinventing the wheel. pfSense seems to be the right tool for the job, and I'm wondering why I didn't think of it earlier.

The last line of investigation I followed before landing at pfSense was Gargoyle router firmware that supports the kind of failsafe Tor functionality everybody wants. It turns out that only a few hardware routers are able to run Gargoyle with Tor, and ALL of them are discontinued. Demand for them is so high that unscrupulous people are selling fake router versions to exploit all the people trying to buy them. Obviously, there's a LOT of people trying to do this if it is attracting merchants with questionable offerings. Last I heard, Buffalo CB-GK10B's were being sold as Buffalo WZR-HP-G300NH. The CB-GK10B units do not work with Gargoyle firmware. A lot of people are asking about this info on various sites, so maybe they'll find it on Gmane after I post this.

How do we move this discussion over to the Tor list? Modern forum software would have no problem with that....so I'm wondering, why do people still use obsolete mailing lists? Back in the 2000's some businesses would still insist that they can only receive image data (like a scan of a driver's license) via expensive and obsolete FAX machines (circa 1930's I think), instead of the more modern email. Now, it's the email that's obsolete. All the noise about that Snowden fellow is probably the catalyst that will push email onto the path of extinction now that people realize how ridiculously easy it is for unintended recipients to read your mail.
Normally it's the technically-sophisticated people that lead the way with that, but this time it's different - it's us still using the clunky obsolete technology while the rest of the world has left us behind. I think I'm subscribed to the Tor list now, so whatever happens next, I don't know.

SMF is BSD-licensed forum software, and it's fine stuff, FYI :) Also, Nabble does a good job of "forum-izing" mailing lists, and I use that when list admins have set it up to be available. You still can't move discussions around with it, though.

On Thu, Jul 4, 2013 at 9:14 PM, George Rosamond wrote:
> fastgoldfish at gmail.com:
>> I was referred to some more information about configuring
>> FreeBSD/pfSense for use with Tor, but most of it is over my head for
>> now:
>>
>> http://lists.freebsd.org/pipermail/freebsd-questions/2009-March/194405.html
>>
>> That was shared with me by idwer in Freenode's ##pfsense. It looks to
>> me that what is being described there is not merely a transparent
>> proxy, but instead actually a more thorough isolating proxy. The two
>> kinds are described here:
>>
>> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
>> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
>>
>> It looks like it's not so straightforward as I thought it would be.
>> Installing Tor on pfSense and setting up some trivial routing rules
>> isn't all there is to it, and it's a little out of my league for now.
>> When the proper pfSense package for Tor is available, the system
>> configuration prerequisites will already be handled. Then, maybe the
>> problem will be reduced to the simpler routing setup that I was
>> originally expecting.
>>
>> I hope this info helps.
>
>
> Thanks Fish.
>
> I can tell you that I have tabled it for the rest of the week, but have
> Tor running fine on pfSense as a pkg install.
>
> I think the initial goal is just to get pfSense running as a
> relay/bridge/whatever for now.
> The idea is to bump the number of Tor nodes.
>
> And I mean, with the pfSense interface, add the pkg, click enable, and
> deal with a handful of settings. Let's lower the bar of entry while
> providing real relay functionality.
>
> Performing transparent proxying is a further "phase II" in my opinion.
> That is a larger project for a variety of reasons, and not immediate in
> need for other reasons.
>
> First, just set up SOCKS on a Tor relay manually.. and configure clients
> to use it.
>
> Second, the problem with a number of "all-in-one" systems which attempt
> to integrate Tor proxying is they really try to do too much without
> scaling the functions. Let's get the basics operational and 'out in the
> wild' in production before we try to satisfy every need. I'd like to
> see a real user base for a pfSense Tor package that allows us to
> recognize any potential issues.
>
> BTW, it *may* be more appropriate to have these discussions on our
> Tor-BSD list (lists.nycbug.org).
>
> g

From george at ceetonetechnology.com Wed Jul 10 12:53:35 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 10 Jul 2013 12:53:35 -0400
Subject: [nycbug-talk] [BSDCert-Announce] New BSDCG MultiBSD DVD Released - "Summer / Winter 2013 Edition"
Message-ID: <51DD918F.4020003@ceetonetechnology.com>

The new BSD Cert Group DVD is available.

I don't have the new one, but these have always been well-produced, and allow you to hack on all the BSDs without needing hardware to install on.

g

-------- Original Message --------
Subject: [BSDCert-Announce] [Repost to BSDCert-Announce] New BSDCG MultiBSD DVD Released - "Summer / Winter 2013 Edition"
Date: Tue, 9 Jul 2013 22:18:17 -0400

*
* Apologies to everyone on the BSDCert and BSDCertAdmin lists
* for the repost! -Jim B.
*

Hello Everyone,

With summertime in full swing, we've found time to release the newest edition of the BSD Certification Group Study DVD. This edition features the latest releases of the four BSDs:

DragonFly BSD 3.4.2 - http://www.dragonflybsd.org/release34/
FreeBSD 9.1 - http://www.freebsd.org/releases/9.1R/announce.html
NetBSD 6.1 - http://www.netbsd.org/releases/formal-6/NetBSD-6.1.html
OpenBSD 5.3 - http://www.openbsd.org/53.html

As before, all four projects are loaded on the same DVD with a customized El Torito boot installer. This edition features both QEMU and VirtualBox software to enable you to set up virtual machines to run any of the included systems. The DVD comes packaged in its own hardcover case with an informative insert.

All proceeds from the sale of the DVD go towards the BSD Certification Group certification program including the BSD Associate exam (available now), and the BSD Professional exam (in development).

You can order the DVD online at

http://www.bsdcertification.org/store

The order page also contains a complete list of all materials on the DVD including the four projects software and documentation, the latest pkgsrc sources, BSDA and BSDP exam objectives, and a customized study planner to help you study for your exam.

We're also putting together an informative video about how to use the DVD. A link to the video will be posted on the BSDCG website as soon as it's ready.

Thanks to everyone who has helped support BSD Certification and the BSD projects!

Best Regards,

Jim B.
_______________________________________________
BSDCert-Announce mailing list
BSDCert-Announce at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/bsdcert-announce

From bcallah at devio.us Wed Jul 24 23:19:51 2013
From: bcallah at devio.us (Brian Callahan)
Date: Wed, 24 Jul 2013 23:19:51 -0400
Subject: [nycbug-talk] An OpenBSD MIPS update
Message-ID: <51F09957.1060306@devio.us>

Hi talk --

For those of you who don't religiously read OpenBSD's CVS logs (and really, with its riveting log messages, I don't know why you wouldn't ;-) ) I have an update from my April meeting.

At the end of my meeting, I spoke a bit about the porting effort of OpenBSD/octeon. I am proud to announce that a few nights ago I made the commit to promote OpenBSD/octeon to supported platform:

http://marc.info/?l=openbsd-cvs&m=137454550029528&w=2

This is an excellent next step, but as always, work continues...

Thanks again to NYC*BUG for letting me share my passion for these MIPS machines with you.

~Brian

From vmiller at hostileadmin.com Thu Jul 25 07:25:43 2013
From: vmiller at hostileadmin.com (Rick Miller)
Date: Thu, 25 Jul 2013 07:25:43 -0400
Subject: [nycbug-talk] vBSDcon Website Update
Message-ID:

Hi all,

vBSDcon has updated the website to include a full schedule, speaker bios, presentation descriptions, etc. For those interested, please check it out at http://www.vbsdcon.com/. Registrations are expected to open in the coming weeks!

--
Take care
Rick Miller

From bcallah at devio.us Thu Jul 25 14:37:24 2013
From: bcallah at devio.us (Brian Callahan)
Date: Thu, 25 Jul 2013 14:37:24 -0400
Subject: [nycbug-talk] OpenBSD on your Beagle{Board,Bone} and PandaBoard!
Message-ID: <51F17064.6050309@devio.us>

Hi again talk --

Alongside octeon being promoted to supported platform for 5.4, the beagle platform was also promoted. The beagle platform supports the BeagleBoard C4 and BeagleBoard xM, the BeagleBone and BeagleBone Black, and the PandaBoard and PandaBoard ES.
There are three different install miniroots, so check INSTALL.beagle to see which one you need. Then it's as easy as dd the miniroot to an sd card and boot bsd.rd to get to the familiar install RAMDISK.

From george at ceetonetechnology.com Thu Jul 25 14:40:51 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 25 Jul 2013 14:40:51 -0400
Subject: [nycbug-talk] OpenBSD on your Beagle{Board, Bone} and PandaBoard!
In-Reply-To: <51F17064.6050309@devio.us>
References: <51F17064.6050309@devio.us>
Message-ID: <51F17133.50502@ceetonetechnology.com>

Brian Callahan:
> Hi again talk --
>
> Alongside octeon being promoted to supported platform for 5.4, the
> beagle platform was also promoted. The beagle platform supports the
> BeagleBoard C4 and BeagleBoard xM, the BeagleBone and BeagleBone Black,
> and the PandaBoard and PandaBoard ES. There are three different install
> miniroots, so check INSTALL.beagle to see which one you need. Then it's
> as easy as dd the miniroot to an sd card and boot bsd.rd to get to the
> familiar install RAMDISK.

Awesome. I burned an image earlier and am testing out soon.

How is the USB support?

g

From bcallah at devio.us Thu Jul 25 14:45:36 2013
From: bcallah at devio.us (Brian Callahan)
Date: Thu, 25 Jul 2013 14:45:36 -0400
Subject: [nycbug-talk] OpenBSD on your Beagle{Board, Bone} and PandaBoard!
In-Reply-To: <51F17133.50502@ceetonetechnology.com>
References: <51F17064.6050309@devio.us> <51F17133.50502@ceetonetechnology.com>
Message-ID: <51F17250.7090905@devio.us>

On 7/25/2013 2:40 PM, George Rosamond wrote:
> Brian Callahan:
>> Hi again talk --
>>
>> Alongside octeon being promoted to supported platform for 5.4, the
>> beagle platform was also promoted. The beagle platform supports the
>> BeagleBoard C4 and BeagleBoard xM, the BeagleBone and BeagleBone Black,
>> and the PandaBoard and PandaBoard ES. There are three different install
>> miniroots, so check INSTALL.beagle to see which one you need.
>> Then it's
>> as easy as dd the miniroot to an sd card and boot bsd.rd to get to the
>> familiar install RAMDISK.
>
> Awesome. I burned an image earlier and am testing out soon.
>
> How is the USB support?
>

According to INSTALL.beagle, USB is only supported (so far) on the PandaBoards.

~Brian

From spork at bway.net Thu Jul 25 18:43:38 2013
From: spork at bway.net (Charles Sprickman)
Date: Thu, 25 Jul 2013 18:43:38 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
Message-ID:

While looking through the wikipedia list of configuration management software[1], I noticed a few new entrants that appear to have some momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair amount of support for the *BSDs. Both are python based.

For example, looking at SaltStack's list of modules[4], I see support for lots of FreeBSD features: using pkgng (like full support - upgrading a package, fetching current package options, making a backup of an installed package), poudriere (trigger a bulk build, list/create jails and ports trees), and jails.

Anyone here use either of these? Ideally I'd like something a bit lighter, but SaltStack is intriguing so far. I also need to see what Puppet currently looks like, but the few BSD-centric reviews I've seen of SaltStack and Ansible both note that support for at least FreeBSD is better than in Puppet-land and that both projects are happy to take patches.

Thanks,

Charles

[1] - http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
[2] - http://www.ansibleworks.com/configuration-management/
[3] - http://docs.saltstack.com/
[4] - http://docs.saltstack.com/ref/modules/all/index.html

From pete at nomadlogic.org Thu Jul 25 18:49:43 2013
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 25 Jul 2013 15:49:43 -0700
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To:
References:
Message-ID: <51F1AB87.1030400@nomadlogic.org>

On 07/25/13 15:43, Charles Sprickman wrote:
> While looking through the wikipedia list of configuration management software[1], I noticed a few new entrants that appear to have some momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair amount of support for the *BSDs. Both are python based.
>
> For example, looking at SaltStack's list of modules[4], I see support for lots of FreeBSD features: using pkgng (like full support - upgrading a package, fetching current package options, making a backup of an installed package), poudriere (trigger a bulk build, list/create jails and ports trees), and jails.
>
> Anyone here use either of these? Ideally I'd like something a bit lighter, but SaltStack is intriguing so far. I also need to see what Puppet currently looks like, but the few BSD-centric reviews I've seen of SaltStack and Ansible both note that support for at least FreeBSD is better than in Puppet-land and that both projects are happy to take patches.
>

I am a pretty big fan of Ansible - and the primary dev behind it was also the guy responsible for cobbler and func (and worked at puppetlabs in a key position for a while as well).

i've been a long time user of cobbler and func in small and *very* large environments and have been quite happy with the quality of code and its extensibility. ansible seems to have the same DNA and community that was built around cobbler, so i strongly suggest giving it a serious look.

-p

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From billtotman at billtotman.com Thu Jul 25 18:55:02 2013
From: billtotman at billtotman.com (Bill Totman)
Date: Thu, 25 Jul 2013 18:55:02 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To: <51F1AB87.1030400@nomadlogic.org>
Message-ID:

On 7/25/13 6:49 PM, "Pete Wright" wrote:

>On 07/25/13 15:43, Charles Sprickman wrote:
>> While looking through the wikipedia list of configuration management
>>software[1], I noticed a few new entrants that appear to have some
>>momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair
>>amount of support for the *BSDs. Both are python based.
>>
>> For example, looking at SaltStack's list of modules[4], I see support
>>for lots of FreeBSD features: using pkgng (like full support - upgrading
>>a package, fetching current package options, making a backup of an
>>installed package), poudriere (trigger a bulk build, list/create jails
>>and ports trees), and jails.
>>
>> Anyone here use either of these? Ideally I'd like something a bit
>>lighter, but SaltStack is intriguing so far. I also need to see what
>>Puppet currently looks like, but the few BSD-centric reviews I've seen
>>of SaltStack and Ansible both note that support for at least FreeBSD is
>>better than in Puppet-land and that both projects are happy to take
>>patches.
>>
>
>I am a pretty big fan of Ansible - and the primary dev behind it was
>also the guy responsible for cobbler and func (and worked at puppetlabs
>in a key position for a while as well).
>
>i've been a long time user of cobbler and func in small and *very* large
>environments and have been quite happy with the quality of code and its
>extensibility. ansible seems to have the same DNA and community that
>was built around cobbler, so i strongly suggest giving it a serious look.
>
>-p
>
>
>--
>Pete Wright
>pete at nomadlogic.org
>twitter => @nomadlogicLA
>

The May NYC*BUG was about Ansible (it was very good by the way):

http://www.nycbug.org/?action=home&id=10335

-bt

From thenorthsecedes at gmail.com Thu Jul 25 18:58:28 2013
From: thenorthsecedes at gmail.com (Eric Lee)
Date: Thu, 25 Jul 2013 15:58:28 -0700
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To: <51F1AB87.1030400@nomadlogic.org>
References: <51F1AB87.1030400@nomadlogic.org>
Message-ID:

On Thu, Jul 25, 2013 at 3:49 PM, Pete Wright wrote:
> On 07/25/13 15:43, Charles Sprickman wrote:
>>
>> While looking through the wikipedia list of configuration management
>> software[1], I noticed a few new entrants that appear to have some momentum,
>> Ansible[2] and SaltStack[3]. Both appear to have a fair amount of support
>> for the *BSDs. Both are python based.
>>
>> For example, looking at SaltStack's list of modules[4], I see support for
>> lots of FreeBSD features: using pkgng (like full support - upgrading a
>> package, fetching current package options, making a backup of an installed
>> package), poudriere (trigger a bulk build, list/create jails and ports
>> trees), and jails.
>>
>> Anyone here use either of these? Ideally I'd like something a bit
>> lighter, but SaltStack is intriguing so far. I also need to see what Puppet
>> currently looks like, but the few BSD-centric reviews I've seen of SaltStack
>> and Ansible both note that support for at least FreeBSD is better than in
>> Puppet-land and that both projects are happy to take patches.
>>
>
> I am a pretty big fan of Ansible - and the primary dev behind it was also
> the guy responsible for cobbler and func (and worked at puppetlabs in a key
> position for a while as well).
>
> i've been a long time user of cobbler and func in small and *very* large
> environments and have been quite happy with the quality of code and its
> extensibility. ansible seems to have the same DNA and community that was
> built around cobbler, so i strongly suggest giving it a serious look.
>
> -p
>
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>

I am making my one post a year to +1 Ansible. It's very small, very simple and extensible. At my day job I use it to deploy node.js, JVM and Ruby apps via Jenkins and it's always performed admirably.

There is a large setup example here: https://github.com/edx/configuration

The documentation is comprehensive and the community is very active as well.

-e

From marcus.james at gmail.com Thu Jul 25 18:58:27 2013
From: marcus.james at gmail.com (James Marcus)
Date: Thu, 25 Jul 2013 18:58:27 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To: <51F1AB87.1030400@nomadlogic.org>
References: <51F1AB87.1030400@nomadlogic.org>
Message-ID:

I'm a giant Ansible fan, but I only use it with Linux.

On Thursday, July 25, 2013, Pete Wright wrote:

> On 07/25/13 15:43, Charles Sprickman wrote:
>
>> While looking through the wikipedia list of configuration management
>> software[1], I noticed a few new entrants that appear to have some
>> momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair amount
>> of support for the *BSDs. Both are python based.
>>
>> For example, looking at SaltStack's list of modules[4], I see support for
>> lots of FreeBSD features: using pkgng (like full support - upgrading a
>> package, fetching current package options, making a backup of an installed
>> package), poudriere (trigger a bulk build, list/create jails and ports
>> trees), and jails.
>>
>> Anyone here use either of these?
>> Ideally I'd like something a bit
>> lighter, but SaltStack is intriguing so far. I also need to see what
>> Puppet currently looks like, but the few BSD-centric reviews I've seen of
>> SaltStack and Ansible both note that support for at least FreeBSD is better
>> than in Puppet-land and that both projects are happy to take patches.
>>
>>
> I am a pretty big fan of Ansible - and the primary dev behind it was also
> the guy responsible for cobbler and func (and worked at puppetlabs in a
> key position for a while as well).
>
> i've been a long time user of cobbler and func in small and *very* large
> environments and have been quite happy with the quality of code and its
> extensibility. ansible seems to have the same DNA and community that was
> built around cobbler, so i strongly suggest giving it a serious look.
>
> -p
>
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>

From bob at redivi.com Thu Jul 25 19:03:15 2013
From: bob at redivi.com (Bob Ippolito)
Date: Thu, 25 Jul 2013 16:03:15 -0700
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To:
References: <51F1AB87.1030400@nomadlogic.org>
Message-ID:

I started playing around with Ansible yesterday. I like it so far (compared to prior experience with Puppet). Haven't tried to do BSD-centric things with it, but seems easy enough to extend if you need to. I looked at SaltStack as well, but the fact that they decided to build a broken cryptosystem themselves worries me. I have heard good things about it otherwise.
On Thu, Jul 25, 2013 at 3:55 PM, Bill Totman wrote:

> On 7/25/13 6:49 PM, "Pete Wright" wrote:
>
>
> >On 07/25/13 15:43, Charles Sprickman wrote:
> >> While looking through the wikipedia list of configuration management
> >>software[1], I noticed a few new entrants that appear to have some
> >>momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair
> >>amount of support for the *BSDs. Both are python based.
> >>
> >> For example, looking at SaltStack's list of modules[4], I see support
> >>for lots of FreeBSD features: using pkgng (like full support - upgrading
> >>a package, fetching current package options, making a backup of an
> >>installed package), poudriere (trigger a bulk build, list/create jails
> >>and ports trees), and jails.
> >>
> >> Anyone here use either of these? Ideally I'd like something a bit
> >>lighter, but SaltStack is intriguing so far. I also need to see what
> >>Puppet currently looks like, but the few BSD-centric reviews I've seen
> >>of SaltStack and Ansible both note that support for at least FreeBSD is
> >>better than in Puppet-land and that both projects are happy to take
> >>patches.
> >>
> >
> >I am a pretty big fan of Ansible - and the primary dev behind it was
> >also the guy responsible for cobbler and func (and worked at puppetlabs
> >in a key position for a while as well).
> >
> >i've been a long time user of cobbler and func in small and *very* large
> >environments and have been quite happy with the quality of code and its
> >extensibility. ansible seems to have the same DNA and community that
> >was built around cobbler, so i strongly suggest giving it a serious look.
> >
> >-p
> >
> >
> >--
> >Pete Wright
> >pete at nomadlogic.org
> >twitter => @nomadlogicLA
> >
>
>
> The May NYC*BUG was about Ansible (it was very good by the way):
>
> http://www.nycbug.org/?action=home&id=10335
>
>
>
> -bt
>

From kula at tproa.net Thu Jul 25 18:58:48 2013
From: kula at tproa.net (Thomas Kula)
Date: Thu, 25 Jul 2013 18:58:48 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To:
References:
Message-ID: <20130725225847.GB1108@gozer.tproa.net>

On Thu, Jul 25, 2013 at 06:43:38PM -0400, Charles Sprickman wrote:
> While looking through the wikipedia list of configuration management software[1], I noticed a few new entrants that appear to have some momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair amount of support for the *BSDs. Both are python based.
>
> For example, looking at SaltStack's list of modules[4], I see support for lots of FreeBSD features: using pkgng (like full support - upgrading a package, fetching current package options, making a backup of an installed package), poudriere (trigger a bulk build, list/create jails and ports trees), and jails.

I use SaltStack at work and absolutely love it. I haven't used it for any *BSD stuff yet, although at an upcoming hackathon I plan on spending some time looking at the state of NetBSD support for SaltStack. The community around it is pretty awesome and it's rapidly adding pretty nice features. I picked it up and was able to do useful work with it much more rapidly than I ever did with cfengine or Puppet. I'm fond of the fact it's written in Python as well.

--
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/

From spork at bway.net Fri Jul 26 04:35:53 2013
From: spork at bway.net (Charles Sprickman)
Date: Fri, 26 Jul 2013 04:35:53 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To:
References: <51F1AB87.1030400@nomadlogic.org>
Message-ID: <86BF6176-656D-43D8-9150-06E10BE58C33@bway.net>

On Jul 25, 2013, at 7:03 PM, Bob Ippolito wrote:

> I started playing around with Ansible yesterday. I like it so far (compared to prior experience with Puppet). Haven't tried to do BSD-centric things with it, but seems easy enough to extend if you need to. I looked at SaltStack as well, but the fact that they decided to build a broken cryptosystem themselves worries me. I have heard good things about it otherwise.

Can you elaborate on that last part?

Is it this issue?

https://github.com/saltstack/salt/issues/2239

In my use case, that's not a likely threat, but for those using it to manage multiple locations over a public network or to manage things in "the cloud" I imagine it's more problematic.

Charles

>
>
> On Thu, Jul 25, 2013 at 3:55 PM, Bill Totman wrote:
> On 7/25/13 6:49 PM, "Pete Wright" wrote:
>
>
> >On 07/25/13 15:43, Charles Sprickman wrote:
> >> While looking through the wikipedia list of configuration management
> >>software[1], I noticed a few new entrants that appear to have some
> >>momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair
> >>amount of support for the *BSDs. Both are python based.
> >>
> >> For example, looking at SaltStack's list of modules[4], I see support
> >>for lots of FreeBSD features: using pkgng (like full support - upgrading
> >>a package, fetching current package options, making a backup of an
> >>installed package), poudriere (trigger a bulk build, list/create jails
> >>and ports trees), and jails.
> >>
> >> Anyone here use either of these? Ideally I'd like something a bit
> >>lighter, but SaltStack is intriguing so far.
I also need to see what > >>Puppet currently looks like, but the few BSD-centric reviews I've seen > >>of SaltStack and Ansible both note that support for at least FreeBSD is > >>better than in Puppet-land and that both projects are happy to take > >>patches. > >> > > > >I am a pretty big fan of Ansible - and the primary dev behind it was > >also they guy responsible for cobbler and func (and worked at puppetlabs > >in a key position for a while as well). > > > >i've been a long time user of cobbler and func in small and *very* large > >environments and have been quite happy with the quality of code and its > >extensibility. ansible seems to have the same DNA and community that > >was built around cobbler, so i strongly suggest giving it a serious look. > > > >-p > > > > > >-- > >Pete Wright > >pete at nomadlogic.org > >twitter => @nomadlogicLA > > > >_______________________________________________ > >talk mailing list > >talk at lists.nycbug.org > >http://lists.nycbug.org/mailman/listinfo/talk > > > The May NYC*BUG was about Ansible (it was very good by way): > > http://www.nycbug.org/?action=home&id=10335 > > > > -bt > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk -------------- next part -------------- An HTML attachment was scrubbed... URL: From bob at redivi.com Fri Jul 26 11:51:23 2013 From: bob at redivi.com (Bob Ippolito) Date: Fri, 26 Jul 2013 08:51:23 -0700 Subject: [nycbug-talk] SaltStack and Ansible experience? 
In-Reply-To: <86BF6176-656D-43D8-9150-06E10BE58C33@bway.net>
References: <51F1AB87.1030400@nomadlogic.org> <86BF6176-656D-43D8-9150-06E10BE58C33@bway.net>
Message-ID:

On Friday, July 26, 2013, Charles Sprickman wrote:

> On Jul 25, 2013, at 7:03 PM, Bob Ippolito wrote:
> > I started playing around with Ansible yesterday. I like it so far
> (compared to prior experience with Puppet). Haven't tried to do BSD-centric
> things with it, but seems easy enough to extend if you need to. I looked at
> SaltStack as well, but the fact that they decided to build a broken
> cryptosystem themselves worries me. I have heard good things about it
> otherwise.
>
>
> Can you elaborate on that last part?
>
> Is it this issue?
>
> https://github.com/saltstack/salt/issues/2239
>
> In my use case, that's not a likely threat, but for those using it to
> manage multiple locations over a public network or to manage things in "the
> cloud" I imagine it's more problematic.
>
> Charles
>

It's an example of bad decision making to try and build your own crypto system without the right expertise. Even with the right expertise, it's probably still a poor decision. You're right that it's not a "likely threat" to get attacked even if there's no transport security at all, but that's not a good excuse these days.

>
> > On Thu, Jul 25, 2013 at 3:55 PM, Bill Totman wrote:
>
>> On 7/25/13 6:49 PM, "Pete Wright" wrote:
>>
>>
>> >On 07/25/13 15:43, Charles Sprickman wrote:
>> >> While looking through the wikipedia list of configuration management
>> >>software[1], I noticed a few new entrants that appear to have some
>> >>momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair
>> >>amount of support for the *BSDs. Both are python based.
>> >>
>> >> For example, looking at SaltStack's list of modules[4], I see support
>> >>for lots of FreeBSD features: using pkgng (like full support - upgrading
>> >>a package, fetching current package options, making a backup of an
>> >>installed package), poudriere (trigger a bulk build, list/create jails
>> >>and ports trees), and jails.
>> >>
>> >> Anyone here use either of these? Ideally I'd like something a bit
>> >>lighter, but SaltStack is intriguing so far. I also need to see what
>> >>Puppet currently looks like, but the few BSD-centric reviews I've seen
>> >>of SaltStack and Ansible both note that support for at least FreeBSD is
>> >>better than in Puppet-land and that both projects are happy to take
>> >>patches.
>> >>
>> >
>> >I am a pretty big fan of Ansible - and the primary dev behind it was
>> >also the guy responsible for cobbler and func (and worked at puppetlabs
>> >in a key position for a while as well).
>> >
>> >i've been a long time user of cobbler and func in small and *very* large
>> >environments and have been quite happy with the quality of code and its
>> >extensibility. ansible seems to have the same DNA and community that
>> >was built around cobbler, so i strongly suggest giving it a serious look.
>> >
>> >-p
>> >
>> >
>> >--
>> >Pete Wright
>> >pete at nomadlogic.org
>> >twitter => @nomadlogicLA
>>
>>
>> The May NYC*BUG was about Ansible (it was very good by the way):
>>
>> http://www.nycbug.org/?action=home&id=10335
>>
>>
>>
>> -bt
>>
>

From ike at blackskyresearch.net Fri Jul 26 14:56:26 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Fri, 26 Jul 2013 14:56:26 -0400
Subject: [nycbug-talk] An OpenBSD MIPS update
In-Reply-To: <51F09957.1060306@devio.us>
References: <51F09957.1060306@devio.us>
Message-ID: <1374873304-7726957.48480111.fr6QLEKX4031285@rs149.luxsci.com>

On Jul 24, 2013, at 11:19 PM, Brian Callahan wrote:

> For those of you who don't religiously read OpenBSD's CVS logs (and really, with its riveting log messages, I don't know why you wouldn't ;-) ) I have an update from my April meeting.
>
> At the end of my meeting, I spoke a bit about the porting effort of OpenBSD/octeon. I am proud to announce that a few nights ago I made the commit to promote OpenBSD/octeon to supported platform: http://marc.info/?l=openbsd-cvs&m=137454550029528&w=2
>
> This is an excellent next step, but as always, work continues...
>
> Thanks again to NYC*BUG for letting me share my passion for these MIPS machines with you.

Spectacular? Thanks for the post Brian!

If I wanted to keep abreast of OpenBSD ARM/embedded/beagle/pi things, but I haven't been on OpenBSD lists for a while- (like 6+ years), what list would you recommend I lurk on?

Best,
.ike

From bcallah at devio.us Fri Jul 26 19:55:11 2013
From: bcallah at devio.us (Brian Callahan)
Date: Fri, 26 Jul 2013 19:55:11 -0400
Subject: [nycbug-talk] An OpenBSD MIPS update
In-Reply-To: <1374873304-7726957.48480111.fr6QLEKX4031285@rs149.luxsci.com>
References: <51F09957.1060306@devio.us> <1374873304-7726957.48480111.fr6QLEKX4031285@rs149.luxsci.com>
Message-ID: <51F30C5F.1050202@devio.us>

On 7/26/2013 2:56 PM, Isaac (.ike) Levy wrote:
> On Jul 24, 2013, at 11:19 PM, Brian Callahan wrote:
>
>> For those of you who don't religiously read OpenBSD's CVS logs (and really, with its riveting log messages, I don't know why you wouldn't ;-) ) I have an update from my April meeting.
>>
>> At the end of my meeting, I spoke a bit about the porting effort of OpenBSD/octeon. I am proud to announce that a few nights ago I made the commit to promote OpenBSD/octeon to supported platform: http://marc.info/?l=openbsd-cvs&m=137454550029528&w=2
>>
>> This is an excellent next step, but as always, work continues...
>>
>> Thanks again to NYC*BUG for letting me share my passion for these MIPS machines with you.
>
> Spectacular? Thanks for the post Brian!
>
> If I wanted to keep abreast of OpenBSD ARM/embedded/beagle/pi things, but I haven't been on OpenBSD lists for a while- (like 6+ years), what list would you recommend I lurk on?
>

There's an arm at obsd mailing list that's low-volume but you'll know what people are working on (and bug reports). Of course, you could always take it for a spin on your own hardware - that'll force you to keep up with things ;-)

~Brian