A minor hotfix update to the 10.1.2 ISO’s has been released today. This includes fixes to advanced installation using raidz, cache and log devices, as well as a fix to the text-installer when booted in UEFI mode. Users who have already installed 10.1.2 will not need to download, and can instead online-update to install any fixes.
I had recently seen some chatter on IRC about 4K monitor support. One of the people discussing stated that PC-BSD didn’t support 4K monitors, which was curious to me, since I hadn’t tried it yet. This week I did something about that, and ended up getting two 4K monitors and a new video card (With triple DisplayPort) to do some testing.
— The Hardware —
2x – ASUS PB287Q 28-Inch Screen LED-Lit 4K Monitor (Amazon)
Zotac GeForce GTX 960 2GB GDDR5 PCI Express 3.0 HDMI DVI DisplayPort (Amazon)
— The Setup —
The setup process was thus:
1. Remove the old monitors and video card
2. Connect the new monitors and video card
3. Go into monitor menus – Enable DisplayPort 1.2 mode
4. Boot up, selecting the “Run Display Wizard” option at the boot-loader.
5. Click “Accept”
That’s it! The display wizard properly detected both 4k monitors, and set them up in a proper dual-head configuration. Logging into KDE resulted in it detecting the new monitors, and automatically re-configuring the display to take advantage of the new resolution. At this point the system was fully usable, font-scaling even worked properly for Firefox and such.
Having 4K setup I did find a few minor issues, which are already being fixed in time for PC-BSD 10.1.2 next week, such as changing the mouse cursor to something which supports larger sizes / resolutions better. The only real hiccup was figuring out that the monitor ships with DisplayPort set to 1.1 mode, only giving 30hz mode out of box. Changing that in the monitors menus to DisplayPort 1.2 mode, enabled 60hz, giving a silky-smooth desktop experience at 4K resolutions. Not sure if that is something typical of all 4K monitors, or just this model in particular, but if you can’t go beyond 30hz, you may want to check that in your monitor documentation.
Anyway, I hope this information is of use to anybody else who is thinking of taking the 4K plunge. Of course I would love additional feedback from other users who are running 4K, to see if there are other tweaks we can make for optimal support out of box. Let us know on the bug tracker, mailing lists or new forums!
If you’ve been an EDGE user in the past few weeks, or following our Roadmap items for the upcoming 10.1.2 release, you may have noticed a number of new security and privacy related items. I wanted to take a moment to clarify what some of these new features are and what they will do.
— PersonaCrypt —
The first of the new features is a new CLI utility called personacrypt. This command will allow the creation and usage of a GELI backed encrypted external media for your users $HOME directory. We are using it internally to keep our user profiles on USB 3.0 – 256GB hybrid SSD / flash memory stick (Coarsair flash Voyager GTX specifically). This is tied into the PCDM login manager, and user manager, so when you create a new user account, you can opt to keep all your personal data on any external device. The device is formatted with GPT / GELI / ZFS, and is decrypted at login via the GUI, after entering your encryption key, along with the normal user password.
Additionally, the personacrypt command uses GELI’s ability to split the key into two parts. One being your passphrase, and the other being a key stored on disk. Without both of these parts, the media cannot be decrypted. This means if somebody steals the key and manages to get your password, it is still worthless without the system it was “paired” with. PersonaCrypt will also allow exporting / importing this key data, so you can “pair” the key with other systems.
— Tor Mode —
We’ve added a new ability to the System Updater Tray, so you can with a single-click, toggle between running in Tor mode, and regular “Open” mode. This switch to Tor mode, will do the following:
1. Launch the Tor daemon, and connect to the Tor network
2. Re-write all the IPFW rules, blocking all outgoing / incoming traffic, except for traffic to and from the Tor daemon
3. Re-route all DNS / TCP requests through Tor using its transparent proxy support
This allows applications on the system to now connect to the internet through Tor, without needing explicit SOCKS proxy support.
Obviously this alone isn’t enough to keep your identity safe on the Internet. We highly recommend that you read through their excellent FAQ and wiki articles on the subject.
— Stealth Mode —
One of the features we just added to personacrypt is something we are calling “stealth” mode. It is integrated into PCDM, and does the following:
During the login, if stealth mode is selected, the users $HOME directory will be mounted with a GELI backed ZVOL with GELI’s onetime key encryption. This $HOME directory is setup with the default /usr/share/skel data, and is pretty much a “blank” slate, allowing you to login, and run apps as if on a fresh system each time. At logout the dataset is destroyed, or should the system be rebooted, the onetime key is lost, rendering the data useless. Think of it as a web browser’s “private” mode, except for your entire desktop session.
— LibreSSL —
We’ve made the switchover to convert our ports to use LibreSSL by default instead of the base systems OpenSSL. (Thanks to Bernard Spil for his work on this). Our hope is that LibreSSL will help make the system security better, and reduce the number of OpenSSL exploits that our packages may be vulnerable to.
— Encrypted Backups —
The Life-Preserver utility has had the ability for a while now to replicate your system to another box running FreeBSD, such as FreeNAS. This backup is done via ZFS send/recv using SSH, but the data on the remote end was stored un-encrypted and could be read by whomever was administrating the remote box. To provide an extra measure of security to backups, we are in the process of adding support for fully-encrypted backups, using GELI backed iSCSI volumes. This allows us to use ZFS send/recv over the wire, with all the data leaving the box already being encrypted via GELI. Your data on the remote side is fully-encrypted, and only accessibly with the key file you have stored on the client side. This is still in active development and should show up in the EDGE repo in the upcoming weeks, along with some additional details on usage.
We hope you’ve enjoyed this sneak-peek of whats happening with PC-BSD development right now. As always, we love people to test these features in our EDGE repo, and let us know of issues via our bug tracker:
Setting up a FreeBSD / TrueOS home router with IPFW
(Updated 1/13/2015 with in-kernel NAT example!)
Over the Christmas holidays I had some spare time and was ready to take the plunge and retire an old Asus router. It had begun getting rather slow, due to the increasing number of devices connected to our network, and of course I wanted peace of mind using a FreeBSD system I could be sure was up to date with security fixes. I used PC-BSD’s server release, TrueOS 10.1, because I wanted to use ZFS with boot-environments to ensure upgrading and replacing disks would be risk-free down the road. The following details how I setup TrueOS on the new box.
Many users have asked us about the recent OpenSSL Heartbleed bug. This only applies to users of PC-BSD 10.0, users of 9.x and earlier will not be effected.
A patch has gone out this morning to correct the issue, which includes the following FreeBSD security advisories:
By running the graphical “System Updater” you can apply the bug fixes, or via “freebsd-update” at the command-prompt. After applying this fix, please reboot and the systems version should now show 10.0-RELEASE-p9
Kris gets to sit down with a blogger at Texas Linux Fest and discuss a bit about PC-BSD.