What is the purpose of toor user on FreeBSD?

When people ask me how I can provide such a service, they mostly inly think about the hardware and the costs. Trust me, that’s the least of the problems! Running such a service is more about avoiding and handling service abuses. Free services tend to be abused by people and this is the most difficult part - protection!

But let’s have a short look at the things…

Passion (why?):
The passion and idea behind this project is probably the most interesting part. I can clearly remember the time back in the days when I started in tech and had even then an outdated, slow and rarely working system. It was pure pain to work with it, but luckily it did somehow its job. However, doing more difficult thinks were mostly impossible: Higher loads led into shutdowns - I had to undervolt the system, write kernel modules for undervolting support (which were really appreciated in the community) but also all other resources didn’t gave me the possibility to run more exiting things. Renting a „cheap“ server (back in that day virtual server were not really known and the first implementations based on chroots like OpenVZ were coming years later) was impossible to me. So, learning in real-life scenarios was mostly impossible to me and made everything more difficult. I really know and remember these times where I had to deal somehow with limitations. This is good but also bad. The good thing is, you become really creative into finding solutions and get really nit picky about improving things. The other thing is, it makes your life really hard. With BoxyBSD I want to provide passionated and interested people the opportunity to get at least a system where they can learn and educate. They get a fully usable VM where they can configure, run and use the system how they like (unless they’re not violating the ToS). They have a public IPv6 address (and even a whole additional /64 network) to also learn and practice more complex network solutions. They can run servers, learn how things for their future. Often they quickly find out why a PTR is needed for sending mails (sure, you can also define your reverse DNS at BoxyBSD) but also why firewalling ICMP6 isn’t a great idea (at least you want to have RA & ND active). Things you mostly learn the hard wary in real life setups. But BoxyBSD is also about more - it’s also about supporting the #opensource community. BoxyBSD also sponsors opensource projects like #Freeway, #Telescope & #GameOfTrees. And everything at zero costs!

Resources (how?):
Resources are probably the thing that mostly pops up in the mind of people when hearing about this service and yes - it of course requires a lot of resources since I’m providing full VMs for each user without any over provisioning in memory or disk which are too volatile in this project. But the resources are often already present. In this case, I already have my own labs based on #Proxmox and #bhyve which are built in a fully productional way. This gives me the possibility to provide resource left overs to this project. Also, there are sponsors like Moritz from NerdscaveHosting who sponsors nodes which are dedicated used to this project. Next to this, the question is about another resource - time! The whole infrastructure if fully automated by simply choosing the desired OS and pressing „create VM“ everything else in handled fully automatically. A desired node is obtained by my side project (ProxLB - in a customised version to also support bhyve hosts), the VM created and a the IP address returned. That’s it - easy!

Protection (the real issue):
The real issue is about people that’s going to abuse the service. This was something I had to learn the hard way. In the first iteration it was simply fully #FreeBSD #Jails based with a very simple interface where you just inserted your SSH pub key and immediately got returned an address of a Jail (if you’re interested, that was the first version: https://www.youtube.com/watch?v=geOS4LTCwok). This was a way too easy and people immediately used it for sending spam mails. I had to take some actions but also didn’t want to block whole ports to make services unusable. Therefore, I had some other ideas which worked out very well, like forcing to use a relay with rate limiting. Today, BoxyBSD grew up, is running ob full fledged VMs providing users and developers the possibility to modify kernel and to have more deep possibilities to learn and test. By only providing images for #FreeBSD, #OpenBSD and #NetBSD (and #illumos / #OpenSolaris) the community and targeted people is smaller than usual. Also software that is written by Scriptkiddies often does not work out of the box on BSD based systems and needs (honestly only small) adjustments. But that’s also often already a reason not to abuse such services. It still may occur that someone is unintentionally doing bad things, generating a lot of traffic (like two weeks ago where someone made 2Gbps traffic for over 12 hours) but usually, this isn’t any problem. Proactive monitoring already notifies me (that’s the only thing where I need to step in) and validate to take actions if someone might be harmed or services affected.

In the end, I like to see that the community is more like a family where things are being used like their own ones. People even come in touch with me and letting me know that they don’t need the VM anymore and to free up the resources for other ones - that’s something I really love to see! Sometimes they come simply back when they need something again and get their new VM. I really love the BSD community and especially the #BSDCafe (https://bsd.cafe) and #BSDNetwork (https://bsd.network). Things can be simple!

PS: At the #FrOSCon you can grab some #BoxyBSD stickers. Just poke me when you see me :)

Ressources:
Call Recording: https://www.youtube.com/watch?v=XEHL4skVq3U&t
BoxyBSD Jail: https://www.youtube.com/watch?v=geOS4LTCwok
Papers: https://cdn.gyptazy.ch/tech-talks/BoxyBSD-A_free_VM_hosting_service_for_education_and_research/BoxyBSD-A_free_VM_hosting_service_for_education_and_research.html
Website: https://boxybsd.com