is it possible to hotplug passthrough usb devices to and from bhyve vms?

i think it'd need to be the pci address of the whole usb controller

but it should

😩️

this is a problem

it's hard to have a hypervisor if you can't ...hypervise

i can passthrough the entire usb bus, but then i can't input to the host

You could add a PCIe USB controller that you dedicate to the VM.

that was my first thought, but the one controller i do have is partially broken so i can't get it to power on

Hi, since I'm not getting the help I need in the pfsense channel, can I ask here? (I'm sorry if that's not a legit thing)

Does pfsense still use FreeBSD? I thought they were switching to linux.

It still use FreeBSD 12.3 for the latest version

But my issue is probably more related to pfsense than FreeBSD

CrtxReavr: pfSense is very much FreeBSD based, and there are no plans that I'm aware of (and I contract for Netgate...) to change that.

The upcoming 23.01 release will be based on FreeBSD main too.

alright i got it to work on one of the "good day" runs, but damn, all the graphics are corrupted

TIL wayland doesn't like the gpu being in passthrough mode, presumably

ixmpp: sorry man, don't know if any hypervisor will do that

it works in theory

if only we lived in theory

I'm unsure how pfSense *could* switch to Linux, given, uh, pf

yea.... no

How do I fix "DAD" issues? I'm getting this in the dmesg. em0: DAD detected duplicate IPv6 address 2001:470:1f07:26c::: NS in/out/loopback=0/1/0, NA in=1

em0: DAD complete for 2001:470:1f07:26c:: - duplicate found

I added fe80::1 as an alias to em0.... stupid me

then I deleted it but now I have a "duplicated" and it causes all sorts of issues.

i would expect it to clear up if there truly is no duplicate address on the network

It's been ~5 hours, I rebooted multiple time but unbound refuse to bind on 2001:470:1f07:26c: since I did this

<reserves obvious sarcasm>

and that ip is in ifconfig ?

at this moment?

ixmpp: in theory there is no difference between theory and practice, while in practice there is.

rtprio yes, but only one time. I'm not sure how it's duplicated

i do like that quote

curl --cert-status -o /dev/null -vsS git.sr.ht/~dch/ports give me a weird error

Title: ~dch/ports - sourcehut git

* SSL certificate problem: unable to get local issuer certificate

dch: do you have Mozilla's bundle installed?

Is your time accurate to within the margin of error for SSL/TLS?

debdrup: yes, although this is a CURRENT laptop so maybe some sloppy upgrading on my part

time is ok, and these sites work just fine in my browser

*firefox

Welp, then I'm out of ideas. :P

debdrup: they were both good ideas :-)

i will look for that script that regenerates tls certs that allan jude added a while back

certctl?

hmm probably

thanks!

certctl -v list is the same on both working and nonworking

is there a channel for helping porters?

yes

#bsdports on EFnet

there is #freebsd-ports here on libera too

and mmm #freebsd-ports on libera too

dch: thanks you very much

dch: do other Letsencrypt certs work ?

rtprio: its weird, browser works for everything, only commandline / curl

I think its all LE certs

I will do a fresh beinstall.sh soon

and then it will probably all work again

when dealign with le acme.sh seems to do well with some tweaks

this is something missing in my / I think

can you pastebin the output?

Title: Snippet | IRCCloud

^rtprio

* CAfile: /usr/local/share/certs/ca-root-nss.crt

* CApath: none

dch is ca_root_nss installed ?

rtprio: yep

does curl --cacert /usr/local/share/certs/ca-root-nss.crt work ?

Title: Snippet | IRCCloud

rtprio: and with the forced caroot it works

let me delete & reinstall it

nope, thats not sufficient

but we're close

curl --cacert /etc/ssl/cert.pem freebsd.org -o /dev/null -4vsS works

Title: The FreeBSD Project

i.e. the softlink is fine

uh

so...

reverting to curl-7.86.0 works

hmmm

and curl-7.87.0 does not

i'm on 7.87

me too on my desktop, and this only breaks on my laptop

let me beinstall.sh and see if that fies it

what is beinstall.sh

oh boy are you in for some fun

Title: beinstall

/usr/src/tools/build/beinstall.sh

how is that different than make installworld installkernel distrdistribution DESTDIR=/mnt

rtprio: it does the plumbing the upgrade and the boot environment all for you

huhh

and if something fails all is nicely rolled back

HI.

Inside a FBSD Jail - is there a way to leak public internet IP address if the only internet connection is to an localhost port?

what do you mean?

wall $(dig +short myip.opendns.com @resolver1.opendns.com)

is that leaky enough?

The point is to not leak my address

And I said the only connection should be to localhost

Is there some sort of history file that stores IP addresses on FBS?

FBSD*

a) yes there is a way

Really? How

b) it depends on what software you run

How? Lol

c) i'm not sure how it matters

c) it matters a lot

b) how? The whole point of me using FreeBSD jails is to strictly control networking access

a) how

how does it depend on the software?

Yeah

Software depends on internet access in order to reveal IP address, right?

Think about it this way - what if I got some malware inside of an FBSD jail, and networking is strictly controlled?

Has anyone worked with bhyve and Windows 98 - is it even possible?

both ways you phased the question is vague enough to be yes or no

PredatorONormies: i don't know man, what software are you running?

rtprio, Quark

How does it matter what software?

Like I said - imagine a fucking malicious person inside of the jail

how hard can that be?

:(

why you bully me

I need a jail for untrusted use

yes, a malicious person inside a jail can figure out your public ip address.

PredatorONormies: settle down please nobody's sassing you here

rtprio, how?

PredatorONormies: a simple curl jsonip.com will show the external NAT IP

PredatorONormies: try that dig command i pasted

llua I just want to know if it's even possible to get Windows 98 working on bhyve. I've cloned a disk with dd and want to see if I can make it boot.

if you want to be hidden, then use tor or tor + vpn

PredatorONormies: in my experience just answering the question is not that great in getting people to understand. which is why i ask, "what software, and why is it a problem"

AReal486: i wasn't responding to you

but quark is static files how are they going to root you that way

oh, that was perfect timing then

indeed

curl: (6) Could not resolve host:

Like I said - only networking connection should be localhost

/r/homelab is full of people trying to hide their ip address and i simply cannot understand the attack surface

dch, see? It doesn't

AReal486: I can't imagine anybody has ever tried, wiki.freebsd.org/bhyve/Windows doesnt show it

Title: bhyve/Windows - FreeBSD Wiki

how are you going to serve any web files if it's only on localhost?

PredatorONormies: ok, if you don't have *any* network access then ofc it won't work

rtprio, the proxy per-say is outside of jail xD

dch, BAKA

PredatorONormies: but if you have network access then I will find your IP, curl is convenient, netcat is also functional

I am bad at explaining myself

AReal486: i don't expect it to work, but let me see if i have that iso

PredatorONormies: if you can't stop throwing insults around I have better things to do

I do ip4.addr="lo0|127. (some local IP)"

dch, what insulted you?

And I disabled IPv6 access

networking

AReal486: maaaybe if you install sysutils/uefi-edk2-bhyve-csm as well, it might work?

well you still have some local ip and with an ip there is a chance for it to... escape

Anything else I should know about? :/ Like I asked - I did in the past connect with a real straight (no bunny-hopping) internet connection so I might fear there is somewhere a log file with the IP address

rtprio, lol how?

PredatorONormies: I think we're assuming this:

PredatorONormies: we don't know enough of your layout to give you an answer

the IP doesn't directly connect to internet (on the outside of jail, where localhost connection mounts to next0

internet <> router <> jail host running some proxy <> jail with loopback IP

;-;

dch, probably yes

and you have something exploited that escapes to the jail only

I thought htat was obvious

exploited?

welcome to the internet

something malicious, let's call it

lol?

can't we just use hand signals?

so we have a compromised process in the jail

oky

and what exactly are you worried about here that it does?

there are a few possible things it could do

let's focus on the easiest one to exploit

from the jail, I can think of at least 5 ways I could identify the external IP of your router, presumably all behind NAT.

Like I said - in the past I connceted like this for some reasons I forgot: internet <> router <> jail, and perhaps there is public IP address LOGGED somewhere within that jail?

FIVE?

I'm not even warmed up

let me hold your beer

so inside the jail, running e.g. nginx or something like that?

something like that

and you want to know if inside the jail itself, the public gateway (i.e. router) address would be visible?

but let's say even that got somehow compromised

what

yeah

aka public IP address that can deanonymize me

so yes this is very easy

:( how

the jail has network access, and is receiving inbound traffic, and has a compromised process inside it

not direct network access, remember

proxy aka firewall

You ever heard of Tor?

*sigh*

Tor as in the system invented by US intelligence?

kp, perhaps I was confusing pfSense with OpenNAS?

even tor is not a perfet scape goat anyway

you can poison it with enough nodes offering relay

enough trusted peers within its web that is, saying a .onion is somewhere

CrtxReavr, I imagine far to many

and who controls the root keys for decrypting stuff

there are no root keys

its peer to peer for every link

true

so three points of attack, the algoritm, the key and the person

I do definately not trust tor in any way since I don't know all of them

Even if you're using (and trust) tor, you should still be using encrypted protocols over it.

that is a a way yes

in modern security as with old security the easiest is generally the person

spear phishing and its ilk often have the greatest chance of success

always

or just his dustbin

data/dumpster diving :D haha I remember that from years ago I bet it still would be true of modern organisations

it is

you may not get keys, but there is plenty of user ids to be had

I seen a bit of spam recently I thought was quite innovative

pwds

^ obviously stuffed blocked out for sanity reasons

and no one visit any url seen there

ah that is quite inventive

was sent to my work email address which is a tech firm

got one lately from "the water works"

oh what was they offering

in order to sync our new accounting system please log in and key in your current water usage

etc

log in being the part they where after

ooooh that is quite like the one our HR manager got, the persons resposible looked up who worked for ou company and emailed her asking up date payment/bank details to them as they changed banks

i DK we have a common public login system

weird when you start appreciating the efforts of the scammers/spammers

though innovation is innovation wherever it appears I suppose

:-)

in fact all you have to guess in order to send a login request to someone is probably the user id today :-)

pretty sure they will all become awesome at marketing, development or automation shortly :D

"do you wish to login - swipe right"

there is one swipe between you and personal bankruptcy I suppose

ok .. that is a bit populistic

but - a password would be nice

Hi People

> <BarnabasDK> Tor as in the system invented by US intelligence? < Yes

Title: Tor Project | Anonymity Online

> <daemon> even tor is not a perfet scape goat anyway < Probably, yeah

> <daemon> you can poison it with enough nodes offering relay < That's why I prefer I2P :)

daemon, do you have some advice?

advice on what>

I'm trying to host a site from within a FBSD Jail, and have it be as secure from leaking my IP as possible

You seem to be familiar with Tor

what about Jails?

dch seems to have given up

yse I am I host several tor services but that is nothing to do with jails

you could simply install tor within the jail and offer a hidden service

run nginx or ngircd or w/e you want

bind it to localhost and point the tor hidden service at it

I run Quark xD remember it?

I do, daemon

I do not know what quark is

I run Tor outside of jails, on the host

and the site within a jail

we worked on Quark just recently

you guys are still on about this?

remmber that redirect bug?

Of course

it's not a small deal to me

PredatorONormies, no I helped you with a buffering issue involving stdio

I did not even look up what quark is

anyhowe

if you run a website or ircd or something within a jail

daemon, that, yes

xD

all you do is create a bridge for that jail to be attached to that is not reachable via the outside internet

y

you run tor on the host and point a hidden service to the internal ip of the service of the internal bridge

dch> internet <> router <> jail host running some proxy <> jail with loopback IP

This, right?

the service is not connectable via the outside internet only via a tor hidden onion

Yeah

dch said there are at least 5 ways he could at the time remember, with which one can deanonymize from within the jail

depends how insane you want to be

I connected with the jail directly to the internet before, would there be any self public IP logged anywhere?

a generic non vnet jail

daemon, pretty insane?

yeah that sounds about right

right.. I think I don't have a vnet? But I have some vnet devfs rules so IDk

there are two types of jails

ones based on VIMAGE and ones that are not

the ones that are not share there localhost, with the host system

VIMAGE?

this is like chroot in linux

VIMAGE style jails have their own IP stack

oh

if you wanted even more isolation there is also bhyve which is an actual hypervisor

in jail.conf I did `ip4="lo0|127..."`

sounds like insecure bloat

I am not prepared to teach you the difference between those three ^ as it would take hours and I am busy trying to get drunk

wraping a RAGING dog in toilet paper

> trying to get drunk < sounds familiar xD

however

PredatorONormies: ok, not sure where you get that info from

I drink wine so slow that I cannot really get drunk

because otherwise I'd have to go pee rly often

rtprio, what info from?

Title: VIMAGE: Setup Guide | The FreeBSD Forums

this is old

xD

but I believe still accurate

PredatorONormies: your info on bhyve

rtprio, no info

daemon, rejected

Does forums.freebsd.org ban the Tor network?

connect with it and see

we can't do everything for you

I did, rejecte

Many websites seemingly do not allow you to access them via tor due to protection from DDOS provided via things like cloudflare

That's not what I meant

the tor network is massive

someone I "knew" just did a firewall rule to block the Tor network

and this same error appeared

I know

certain nodes may be banned certain ones may not be

you can't just block the tor network

newer ones aren't, I know.

You can the majority of it

100's of exit nodes leave and re-appear every minute

all exit nodes are public, by which I mean their IP addresses

for the services they wish to allow you to connect to yes

Yeah I know, but I won't be sitting here for 2 hours just to try and load a fucking page lol

PredatorONormies: based on this whole converstation i'm not sure you have a very soild grasp of ip networks

??

well then get a cell/mobile phone paid for in cash and a pay2go data plan, in conjunction with a cash laptop from facebook and use that from a field

problem solved

XD

what about satellites? (a joke, obviously)

also boot the laptop from a live usb

im starting to wonder what the hell you are trying to hide from

No need

I don't use ShitScripts

daemon, the governments, of course.

what's a shitscript?

toilet paper? I mean maybe?

JavaScript, TypeScript, any kind of manipulation one can done on the user computer.. obviously I'm not talking about something like just HTML (which isn't really a programming langauge)

lol

well html is a markup language - its in th name :)

i have no idea what you're on about, or what javascript has to do with... hiding your ip from the government or what

hyper-text-markup-language, did I guess right?

im going for a smoke

rtprio, it has all the DO about it

rtprio, you obviously aren't educated about the concept of browser attacks

daemon, have fun.. I hope we can talk some more.

you have no idea what i'm educated in, but what do browser attacks have to do with hosting some shitty httpd in a jail

rtprio, who said they do?

Is this the right channel for this discussion?

nope

moving on

Yeah

> <PredatorONormies> I don't use ShitScripts < I cannot figure out why I said this '<PredatorONormies> I don't use ShitScripts'

whoops

I need a slap on the face to wake the fuck up

nice name

maybe a slap will change your mind about fool's folly of "hiding my ip address"

It's not a fool's folly. The dangers I have might not seem real to you because you cannot imagine how dangerous governments are. Why would you? You seem to be a normie. Let me guess, you think you got nothing to hide, right?

stay on topic

you continued it again

ok man, then good luck figuring it out

it's not paranoia if they're actually after you

It isn't paranoia if you know what their rules are and you're breaking them :) not to mention worse happening to other people

maybe Ross Ulbricht can help you

Laugh all you want, before you burn for your mistakes, by the hands you trusted in.

That almost sounded cool

almost as cool as almost running illegal services on tor and serving life in prison

> If you feed a dog, the dog will protect its feeder, regardless of him being

good or bad

- unknown, unknown

well this graylog 4.3.9 -> 5.0.2 upgrade is turning into a fairly diabolical experience

needs to upgrade mongodb 3 times to get to mongo 5.0

and now elasticsearch isn't supported so I need to migrate all the things to opensearch 2.0

(recall the elastic vs AWS drama and subsequent fork)

dch: why does graylog need MongoDB?

meena: for config

config & data are separated

if only theyd used something else than mongo

dch: after three upgrades of MongoDB you'd want to fake it with PostgreSQL?

pkg can haz i3 4.22?

polyex, is it can be bogzila tiem nao?